Security/Reviews/Gaia/system/code: Difference between revisions

← Older edit

Security/Reviews/Gaia/system/code (view source)

Revision as of 12:11, 26 March 2013

492 bytes removed , 26 March 2013

→‎Relevant Source Code

Ptheriault

canmove, Confirmed users

1,220

edits

@@ Line 1: / Line 1: @@
+====Relevant Source Code====
 */index.html
-This is the main system app that is loaded by gecko at startup. It loads many scripts which perform the various parts of the System app. See source code section below for details.
+This is the main system app that is loaded by gecko at startup. It loads many scripts which perform the various parts of the System app.
 */camera/index.html
 This pages provides the camera on the lockscreen. It is basically a cut down version of the the camera app.
+   Issue: prompt for geolocation isn't shown until after phone is locked.
 */emergency-call/index.html
 This page provides the dialer on the lockscreen for making emergency calls.
-====Relevant Source Code====
 *accessibility.js: Small file, observes settings to enable inverting the screen for accessibility, and turning on the screen reader. No real security threats
@@ Line 23: / Line 27: @@
 *attention_screen.js: Attention screen is used for things like incoming phone calls and alarms. Apps use it by calling window.open(url, 'attention')
 Works by registering itself as a mozbrowseropenwindow listener.  Previously there was an issue that since apps can now window.open, they can open in attention screen, grabbing focus. This was fixed via https://github.com/mozilla-b2g/gaia/issues/1788
-*authentication_dialog.js
+*authentication_dialog.js: Trusted UI for entering HTTP auth credentials.
-Trusted UI for entering HTTP auth credentials.
 Notes: Only shows up for events from the currently displayed app. Race conditions?
@@ Line 42: / Line 45: @@
 *bluetooth_transfer.js: Handles an individual transfer, including displaying confirm prompt to the user
-Todo: Bluetooth file, and metadata (filename etc) could be malicious, need to make sure system validates/sanitizes properly.
+Note: Bluetooth file, and metadata (filename etc) could be malicious, but code uses CustomDialog (http://mxr.mozilla.org/gaia/source/shared/js/custom_dialog.js#5) which uses textContent and createTextNode to prevent injection. Also uses filename for notifications which is similarly protected.
 *bootstrap.js: Random startup tasks, including checking for updates. Not too much to review here. Sets the wallpaper for all home screens.
@@ Line 65: / Line 68: @@
 *captive_portal.js: Code looks ok, but could do with some testing.
-Todo: test this on to see what attack vector from a rogue wireless network.
+   Todo: test this on to see what attack vector from a rogue wireless network.
-*cards_view.js: Main app UI management. There have been lots of bugs in the past where background apps could interfere with the foreground app.
+*cards_view.js: Main app UI management. There have been lots of bugs in the past where background apps could interfere with the foreground app. All closed now, but will be an area to keep an eye with future changes.
 *context_menu.js: Simple menu helper class.
@@ Line 86: / Line 89: @@
 *icc_cache.js: Sim Toolkit message handler?
-Todo: find out what this is.
 *identity.js Persona implementation for the phone. See here for detailed review: [[Security/Reviews/Gaia/system/identity.js]]
 *init_logo_handler.js: loads animated logo at power on.
 *keyboard_manager.js: Manages the keyboard. Currently just embeds keyboard app, but in future will allow for changing of keyboard apps.
@@ Line 140: / Line 140: @@
      }
 </code>
+However currently selectone is not implemented. Raised bug just in case this changes in the future: https://bugzilla.mozilla.org/show_bug.cgi?id=850554
 *mouse2touch.js: shim to support
@@ Line 146: / Line 148: @@
 UI to display notifications. Uses DOM methods not innerHTML - hooray!
-*payment.js
+*payment.js: needs its own review probably: [[Security/Reviews/Gaia/system/payment.js]]
-Todo: needs its own review probably: [[Security/Reviews/Gaia/system/payment.js]]
 *permission_manager.js:Handles prompting for permissions. Handles fullscreen requests as well.
 *popup_manager.js
@@ Line 165: / Line 165: @@
 *screenshot.js
-Takes a screen shot when user press both home and power buttons. s
+Takes a screen shot when user press both home and power buttons.
 *sim_lock.js
@@ Line 178: / Line 178: @@
 *source_view.js
+    Possibly should be removed.
 *statusbar.js
@@ Line 203: / Line 204: @@
 *utility_tray.js
+tray that gets dragged down from top of screen.
 *value_selector
+Code to create widgets for date selectors or select wheels etc.
 *voicemail.js
@@ Line 211: / Line 214: @@
 *window.js
-This seems dangerous:
+see bug 854849
-http://mxr.mozilla.org/gaia/source/apps/system/js/window.js#120
-Don't know how you can reach this, but seems like f you had xss in the app name you get xss.
-   AppError.prototype.getMessage = function() {
-     if (AirplaneMode.enabled) {
-       return _('airplane-is-turned-on', { name: this.app.name });
-     } else if (!navigator.onLine) {
-       return _('network-error', { name: this.app.name });
-     } else {
-       return _('error-message', { name: this.app.name });
-     }
-   };
-   AppError.prototype.view = function() {
-     return '<div id="' + this.id() + '" class="' +
-         AppError.className + ' visible" role="dialog">' +
-       '<div class="modal-dialog-message-container inner">' +
-         '<h3 data-l10n-id="error-title" class="title">' +
-           this.getTitle() + '</h3>' +
-         '<p>' +
-          '<span data-l10n-id="error-message" class="message">' +
-             this.getMessage() + '</span>' +
-         '</p>' +*window_manager.js
 *wrapper.js