Automated addon approval should verify library hashes

Hi there,

I’ve recently uploaded an update to my addon and it got auto-approved by the addon validation.

Unfortunately it was removed from AMO just a few hours later because one of the included libraries didn’t match any known hash values (my IDE replaced all Unix newlines LF with Windows newlines CR+LF…).

It would be really helpful if the automated addon validation would display a warning about mismatching/unknown hashes.

From a security perspective it might even be considered to block such addons from automated approval.

Thank you!

It does in a way. The libraries that match are ignored so you won't see any error messages relating to them.

If the validator lists an error for jQuery (for example) it means it hasn't recognised its hash.

I have brought that issue up myself. Policy may change in future.

I’m a little bit concerned here.

All right, if we include a library with <script src="jquery.js"></script>, the validator can check the library hash of the jquery.js file to see if it’s an authorized version.

But what if, like I do for my extension, the libraries are included with a tool like webpack (or browserify) to create a unique bundle file containing all the libraries. Checking whether each individual included library matches the allowed hashes gets more complex, if possible at all.

I presume it has to be done from the source code that is to be provided along with the add-on binary.

If a policy/process is to be defined/updated regarding this, it should take into account this bundling method as it is getting more and more popular for web developments.

They would fail the validation and get rejected on post review.

It is not feasible to unpack hundreds of thousands of lines of minified code and check line by line, and that is the reason compiled libraries have always been rejected.

I often see JS files that are 3+ MB. Besides the poor performance, they are not feasible for review. They also often include a massive amount of useless code that is added by the framework.

That's interesting. The only jQuery related warnings in the validator are as follows:

If I understand you correctly those warnings should be suppressed if the validator recognizes the file as a known library?

Looking through my other validator feedback I think I’ve found what you mean:

That’s good to know!
Thanks a lot :slight_smile:

Exactly :slight_smile:

Here is the list of recognised libraries:

Note: Some older versions of libraries are no longer recognised and have been removed due to being outdated.


I would recommend not bundling libs with webpack whenever possible. This means just loading the lib like normal and using externals to then make them available as modules in your webpack bundle.

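The externals approach recommended above, and the bundling concern raised earlier in the thread, shown as an added webpack configuration example. It is not the poster's config: the library table and file names are constructed, and the function-form `externals` signature used here is the webpack 5 one. The idea is that jQuery is loaded from its own unmodified file (which the validator can hash), while the bundle only references the global that file defines.

```javascript
// Added example (not the poster's or webpack's own code): keep third-party
// libraries out of the bundle so each one stays an unmodified, hashable file.
// Assumes webpack 5 (function-form externals receive an object with `request`).

// Libraries shipped as separate, unmodified files next to the bundle, mapped to
// the global each one defines when loaded via a <script> tag. Constructed table.
const SEPARATE_LIBRARIES = {
  jquery: 'jQuery',
};

// Function form of `externals`: webpack calls this for every module request.
// Calling back with a string marks the request as external and names the
// runtime global to read (externalsType defaults to 'var' for web targets);
// calling back with no arguments lets webpack bundle the module as usual.
function externalsResolver({ request }, callback) {
  if (Object.prototype.hasOwnProperty.call(SEPARATE_LIBRARIES, request)) {
    return callback(null, SEPARATE_LIBRARIES[request]);
  }
  return callback();
}

// Minimal config: `import $ from 'jquery'` in ./src/index.js compiles to a
// read of window.jQuery instead of a copy of jQuery inside bundle.js.
const config = {
  entry: './src/index.js',
  output: { filename: 'bundle.js' },
  externals: [externalsResolver],
};

module.exports = config;
```

With this config the page that runs the bundle loads the library first, for example `<script src="jquery.js"></script>` followed by `<script src="bundle.js"></script>`, and jquery.js is the exact upstream file, so its hash can be compared against the recognised-library list while the bundle contains only the add-on's own code.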