Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Address Bar Spoofing Test Cases + Remediation #3882

Merged
merged 20 commits into from
Dec 7, 2023
Merged

Address Bar Spoofing Test Cases + Remediation #3882

merged 20 commits into from
Dec 7, 2023

Conversation

not-a-rootkit
Copy link
Contributor

@not-a-rootkit not-a-rootkit commented Nov 17, 2023
edited by joshliebe
Loading

Task/Issue URL: https://app.asana.com/0/0/1205916690837650/f

Description

The browser implementation of the address bar updating functionality is currently vulnerable to an Address Bar Spoofing vulnerability. In this PR I integrate all of our known address bar spoofing tests, including a fix for the basic auth address bar spoofing issues where someone can hide the domain portion of the address bar by prepending fake basic auth credentials to the domain.

In the fix, I simply strip the username/password fields from the address bar which forces the browser to prompt for username/password. This is consistent with our other browser implementations on macOS and iOS.

Steps to test this PR

Security Tests

  • run maestro test .maestro/security_tests/0_all.yaml
  • ensure all tests are passing

Basic Auth

  • visit a page that actually requires basic auth: https://notarootkit.com
  • check that the username/password prompt is still raised
  • visit a page that doesn't require basic auth but contains "@" in the address bar: https://medium.com/@duckduckgo
  • ensure the address bar value is correctly displayed and not truncated

Primary Questions:

  1. How often do we want these tests to run?
  2. What configuration is required to get them to run at our required schedule?
  3. What happens if the tests fail?
  4. Are we comfortable with the fix?

@not-a-rootkit not-a-rootkit requested a review from a team November 22, 2023 11:00
@not-a-rootkit
Implement URI parsing to extract basic auth credentials.
7d1c05f 
Add test case for valid URL containing "@" character.
@marcosholgado
Copy link
Contributor

Are the maestro test executed at all? If they are not part of any workflows they will never run.

@not-a-rootkit
Copy link
Contributor Author

Thanks for taking a look folks.

@marcosholgado - I’ve added these to run at the same intervals as Privacy Tests. Do we think this is a reasonable choice?

In addition to these I’ve added some fairly extensive unit tests for expected success and failure cases of basic auth extraction. Please let me know if you spot any cases that are missing.

@joshliebe joshliebe self-assigned this Nov 30, 2023
joshliebe
joshliebe requested changes Dec 5, 2023
View reviewed changes
Copy link
Contributor

@joshliebe joshliebe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tested and it seems to be working as expected. However, the Maestro tests aren't passing and I had a few other issues that should be addressed before we can merge.

@not-a-rootkit
Add error handling, more test cases, remove duplicate maestro runs.
2c5f64e 
* Add error handling to stripBasicAuthFromUrl() and make private
* Add tests for exception throwing cases
* Remove 0_all.yaml and add onboarding step to each test individually
@not-a-rootkit
Fix formatting.
92494f4
@not-a-rootkit
Fix lint error.
3f0c1c9
@not-a-rootkit
Whitespace formatting.
e674df2
@not-a-rootkit
Move invalid URIs
87f66b6
@not-a-rootkit
More Whitespace Changes.
c6c169b
@not-a-rootkit
Set clear state to true and run onboarding per test case.
7858384
@not-a-rootkit
Copy link
Contributor Author

Thanks @joshliebe - I've made some changes as you requested and got the maestro tests passing: https://github.com/duckduckgo/Android/actions/runs/7126639716

joshliebe
joshliebe approved these changes Dec 7, 2023
View reviewed changes
Copy link
Contributor

@joshliebe joshliebe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Thanks 👍

@joshliebe joshliebe merged commit ce56966 into develop Dec 7, 2023
7 checks passed
@joshliebe joshliebe deleted the tespach/address-bar-spoofing-tests branch December 7, 2023 20:12
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@aitorvs aitorvs aitorvs left review comments

@CDRussell CDRussell CDRussell left review comments

@joshliebe joshliebe joshliebe approved these changes

Assignees

@joshliebe joshliebe

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@not-a-rootkit @marcosholgado @CDRussell @joshliebe @aitorvs