Use safevalues to fix trusted types issues reported by tsec #8301

Merged: 10 commits merged into master from dlarocque/safevalues on Jul 16, 2024

Conversation

@dlarocque (Contributor) commented Jun 5, 2024

We recently added tsec in #8285 to report errors where code is vulnerable to XSS. In this PR, we begin resolving some of the reported errors by introducing safevalues and applying it to fix a few of the simpler cases, where URLs must be wrapped in a trustedResourceUrl. For cases that are more complex to solve, I have added FIXMEs noting that they must be fixed using the safevalues library.

Testing: I have added assertions to our existing tests to ensure that the scripts' URLs are correctly assigned. For an additional sanity check, I've also created a React app using Firebase with safevalues, and verified that the trustedResourceUrl values in App Check actually attach the script to the DOM with the correct URL, using the browser DevTools to step through the code and observe state.

changeset-bot commented Jun 5, 2024

🦋 Changeset detected

Latest commit: c2bc27a

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
| Name                       | Type  |
|----------------------------|-------|
| @firebase/analytics        | Patch |
| @firebase/app-check        | Patch |
| @firebase/analytics-compat | Patch |
| firebase                   | Patch |
| @firebase/app-check-compat | Patch |


github-actions bot (Contributor) commented Jun 5, 2024

Changeset File Check ⚠️

  • Warning: This PR modifies files in the following packages but they have not been included in the changeset file:
      - @firebase/auth
      - @firebase/database-compat
      - @firebase/database
      - @firebase/messaging
    Make sure this was intentional.

@dlarocque dlarocque requested review from a team as code owners June 5, 2024 21:40
@google-oss-bot (Contributor) commented Jun 5, 2024

Size Report 1

Affected Products

  • @firebase/analytics

    | Type    | Base (84fe880) | Merge (50d088c) | Diff           |
    |---------|----------------|-----------------|----------------|
    | browser | 21.8 kB        | 21.3 kB         | -531 B (-2.4%) |
    | esm5    | 27.0 kB        | 26.6 kB         | -386 B (-1.4%) |
    | main    | 28.4 kB        | 28.1 kB         | -351 B (-1.2%) |
    | module  | 21.8 kB        | 21.3 kB         | -531 B (-2.4%) |

  • @firebase/app-check

    | Type    | Base (84fe880) | Merge (50d088c) | Diff           |
    |---------|----------------|-----------------|----------------|
    | browser | 26.3 kB        | 26.4 kB         | +64 B (+0.2%)  |
    | esm5    | 31.6 kB        | 31.9 kB         | +348 B (+1.1%) |
    | main    | 32.8 kB        | 33.2 kB         | +404 B (+1.2%) |
    | module  | 26.3 kB        | 26.4 kB         | +64 B (+0.2%)  |

  • bundle

    | Type                                    | Base (84fe880) | Merge (50d088c) | Diff              |
    |-----------------------------------------|----------------|-----------------|-------------------|
    | analytics (logEvent)                    | 44.5 kB        | 48.3 kB         | +3.82 kB (+8.6%)  |
    | app-check (ReCaptchaEnterpriseProvider) | 39.9 kB        | 44.0 kB         | +4.09 kB (+10.3%) |
    | app-check (ReCaptchaV3Provider)         | 39.8 kB        | 43.9 kB         | +4.09 kB (+10.3%) |

  • firebase

    | Type                         | Base (84fe880) | Merge (50d088c) | Diff              |
    |------------------------------|----------------|-----------------|-------------------|
    | firebase-analytics-compat.js | 26.5 kB        | 29.9 kB         | +3.41 kB (+12.9%) |
    | firebase-analytics.js        | 29.7 kB        | 33.7 kB         | +4.01 kB (+13.5%) |
    | firebase-app-check-compat.js | 23.4 kB        | 27.0 kB         | +3.67 kB (+15.7%) |
    | firebase-app-check.js        | 25.0 kB        | 29.4 kB         | +4.40 kB (+17.6%) |
    | firebase-compat.js           | 786 kB         | 789 kB          | +3.38 kB (+0.4%)  |

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/TnhAI6i4vM.html

@google-oss-bot (Contributor) commented Jun 5, 2024

Size Analysis Report 1

Affected Products

  • @firebase/analytics

    • getAnalytics

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff             |
      |--------------------|----------------|-----------------|------------------|
      | size               | 10.6 kB        | 10.4 kB         | -190 B (-1.8%)   |
      | size-with-ext-deps | 44.4 kB        | 48.2 kB         | +3.82 kB (+8.6%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getAnalytics
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getAnalytics
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • getGoogleAnalyticsClientId

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.5 kB        | 10.3 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.2 kB        | 41.0 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getGoogleAnalyticsClientId
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      internalGetGoogleAnalyticsClientId
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getGoogleAnalyticsClientId
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      internalGetGoogleAnalyticsClientId
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • initializeAnalytics

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.5 kB        | 10.3 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.5 kB        | 41.3 kB         | +3.82 kB (+10.2%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      initializeAnalytics
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • isSupported

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.4 kB        | 10.2 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.1 kB        | 40.9 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      isSupported
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      isSupported
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • logEvent

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.2 kB        | 10.0 kB         | -190 B (-1.9%)    |
      | size-with-ext-deps | 37.0 kB        | 40.8 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      21 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setAnalyticsCollectionEnabled

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.4 kB        | 10.2 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.1 kB        | 40.9 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setAnalyticsCollectionEnabled
      setAnalyticsCollectionEnabled$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setAnalyticsCollectionEnabled
      setAnalyticsCollectionEnabled$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setConsent

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.4 kB        | 10.2 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.1 kB        | 40.9 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      _setConsentDefaultForInit
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setConsent
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      _setConsentDefaultForInit
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setConsent
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setCurrentScreen

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.5 kB        | 10.3 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.2 kB        | 41.0 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setCurrentScreen
      setCurrentScreen$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setCurrentScreen
      setCurrentScreen$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setDefaultEventParameters

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.4 kB        | 10.2 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.1 kB        | 40.9 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      _setDefaultEventParametersForInit
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setDefaultEventParameters
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      _setDefaultEventParametersForInit
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setDefaultEventParameters
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setUserId

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.5 kB        | 10.3 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.2 kB        | 41.0 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserId
      setUserId$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserId
      setUserId$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • setUserProperties

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.5 kB        | 10.4 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.3 kB        | 41.1 kB         | +3.82 kB (+10.2%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      25 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserProperties
      setUserProperties$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      23 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      setUserProperties
      setUserProperties$1
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • settings

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 10.4 kB        | 10.2 kB         | -190 B (-1.8%)    |
      | size-with-ext-deps | 37.1 kB        | 40.9 kB         | +3.82 kB (+10.3%) |

      Dependency

      functions: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      24 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      createGtagTrustedTypesScriptURL
      createTrustedTypesPolicy
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      settings
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      22 dependencies

      _initializeAnalytics
      attemptFetchDynamicConfigWithRetry
      factory
      fetchDynamicConfig
      fetchDynamicConfigWithRetry
      findGtagScriptOnPage
      getHeaders
      getOrCreateDataLayer
      gtagOnConfig
      gtagOnEvent
      insertScriptTag
      isRetriableError
      logEvent
      logEvent$1
      promiseAllSettled
      registerAnalytics
      setAbortableTimeout
      settings
      validateIndexedDB
      warnOnBrowserContextMismatch
      wrapGtag
      wrapOrCreateGtag

      - createGtagTrustedTypesScriptURL
      - createTrustedTypesPolicy

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

  • @firebase/app-check

    • CustomProvider

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 7.72 kB        | 7.76 kB         | +42 B (+0.5%) |
    • ReCaptchaEnterpriseProvider

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 11.4 kB        | 11.5 kB         | +93 B (+0.8%)     |
      | size-with-ext-deps | 29.7 kB        | 33.8 kB         | +4.09 kB (+13.8%) |

      Dependency

      variables: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      19 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_ENTERPRISE_TOKEN_METHOD
      ONE_DAY
      RECAPTCHA_ENTERPRISE_URL
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      18 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_ENTERPRISE_TOKEN_METHOD
      ONE_DAY
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      - RECAPTCHA_ENTERPRISE_URL

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • ReCaptchaV3Provider

      Size

      | Type               | Base (84fe880) | Merge (50d088c) | Diff              |
      |--------------------|----------------|-----------------|-------------------|
      | size               | 11.4 kB        | 11.5 kB         | +93 B (+0.8%)     |
      | size-with-ext-deps | 29.7 kB        | 33.7 kB         | +4.09 kB (+13.8%) |

      Dependency

      variables: Base (84fe880), Merge (50d088c) and Diff, listed in that order below

      19 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_TOKEN_METHOD
      ONE_DAY
      RECAPTCHA_URL
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      18 dependencies

      APP_CHECK_NAME
      APP_CHECK_NAME_INTERNAL
      APP_CHECK_STATES
      BASE_ENDPOINT
      DB_NAME
      DB_VERSION
      DEFAULT_STATE
      ERRORS
      ERROR_FACTORY
      EXCHANGE_RECAPTCHA_TOKEN_METHOD
      ONE_DAY
      STORE_NAME
      TOKEN_REFRESH_TIME
      dbPromise
      defaultTokenErrorData
      logger
      name
      version

      - RECAPTCHA_URL

      External Dependency

      | Module         | Base (84fe880) | Merge (50d088c)    | Diff                 |
      |----------------|----------------|--------------------|----------------------|
      | safevalues     |                | trustedResourceUrl | + trustedResourceUrl |
      | safevalues/dom |                | safeScriptEl       | + safeScriptEl       |

    • getLimitedUseToken

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 7.29 kB        | 7.34 kB         | +42 B (+0.6%) |
    • getToken

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 7.35 kB        | 7.39 kB         | +42 B (+0.6%) |
    • initializeAppCheck

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 11.2 kB        | 11.3 kB         | +42 B (+0.4%) |
    • onTokenChanged

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 7.44 kB        | 7.49 kB         | +42 B (+0.6%) |
    • setTokenAutoRefreshEnabled

      Size

      | Type | Base (84fe880) | Merge (50d088c) | Diff          |
      |------|----------------|-----------------|---------------|
      | size | 7.44 kB        | 7.48 kB         | +42 B (+0.6%) |

Test Logs

  1. https://storage.googleapis.com/firebase-sdk-metric-reports/xUDBaDzGW9.html

@dlarocque (Contributor, Author) left a comment

I am confident that our usage of trustedResourceUrl works, but I feel that I need to spend much more time looking into how I can test write and safeServiceWorkerContainer.register, as those seem more complex and issues may not be caught by the tests. Any suggestions on how I can test these two would be very helpful.

Review threads (outdated, resolved):
  • packages/messaging/src/helpers/registerDefaultSw.ts
  • packages/database/src/realtime/BrowserPollConnection.ts
@dlarocque dlarocque marked this pull request as draft June 6, 2024 17:03
@dlarocque dlarocque force-pushed the dlarocque/safevalues branch 2 times, most recently from 99eae21 to 7f2f930 Compare July 4, 2024 15:46
@dlarocque dlarocque marked this pull request as ready for review July 5, 2024 14:24
@hsubox76 (Contributor) left a comment

Looks good! I think we can make the FIXMEs into TODOs for easy context for whoever works on the fix, and set up time to work with the product teams on each of the more complicated cases. We can bring this up as an FYI in the biweekly meeting and contributors chat.

@dlarocque dlarocque merged commit f58d48c into master Jul 16, 2024
43 checks passed
@dlarocque dlarocque deleted the dlarocque/safevalues branch July 16, 2024 14:55
@google-oss-bot google-oss-bot mentioned this pull request Jul 16, 2024
@nicole0707 commented
Hi team, we are upgrading Firebase sdk to 10.12.4 and encountered some issues in our unit tests. Could you please help us to resolve them? Thanks

    TypeError: 
        ############################## ERROR ##############################

        It looks like you are trying to call a template tag function (fn`...`)
        using the normal function syntax (fn(...)), which is not supported.

        The functions in the safevalues library are not designed to be called
        like normal functions, and doing so invalidates the security guarantees
        that safevalues provides.

        If you are stuck and not sure how to proceed, please reach out to us
        instead through:
         - https://github.com/google/safevalues/issues

        ############################## ERROR ##############################

      30 |     const appCheckProvider = new ReCaptchaEnterpriseProvider(siteKey);
      31 |
    > 32 |     const appCheck = initializeAppCheck(firebaseApp, {
         |                                        ^
      33 |       provider: appCheckProvider,
      34 |       isTokenAutoRefreshEnabled: true,
      35 |     });

      at assertIsTemplateObject (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/internals/string_literal.js:19:15)
      at Object.trustedResourceUrl (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/builders/resource_url_builders.js:162:56)
      at trustedResourceUrl (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:186:5)
      at initializeEnterprise (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:72:5)
      at ReCaptchaEnterpriseProvider.initializeRecaptchaEnterprise [as initialize] (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/providers.ts:209:5)
      at _activate (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:160:18)
      at initializeAppCheck (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:106:3)
      at src/app-check/app-check.tsx:32:40
      at apply (../utils/src/memo.tsx:41:29)
      at getAppCheckToken (src/app-check/app-check-token.tsx:23:53)
      at Object.<anonymous> (src/app-check/app-check-token.test.tsx:92:36)

@dlarocque
Contributor Author

dlarocque commented Jul 22, 2024

Hi team, we are upgrading Firebase sdk to 10.12.4 and encountered some issues in our unit tests. Could you please help us to resolve them? Thanks

    TypeError: 
        ############################## ERROR ##############################

        It looks like you are trying to call a template tag function (fn`...`)
        using the normal function syntax (fn(...)), which is not supported.

        The functions in the safevalues library are not designed to be called
        like normal functions, and doing so invalidates the security guarantees
        that safevalues provides.

        If you are stuck and not sure how to proceed, please reach out to us
        instead through:
         - https://github.com/google/safevalues/issues

        ############################## ERROR ##############################

      30 |     const appCheckProvider = new ReCaptchaEnterpriseProvider(siteKey);
      31 |
    > 32 |     const appCheck = initializeAppCheck(firebaseApp, {
         |                                        ^
      33 |       provider: appCheckProvider,
      34 |       isTokenAutoRefreshEnabled: true,
      35 |     });

      at assertIsTemplateObject (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/internals/string_literal.js:19:15)
      at Object.trustedResourceUrl (../../node_modules/.pnpm/safevalues@0.6.0/node_modules/safevalues/dist/cjs/builders/resource_url_builders.js:162:56)
      at trustedResourceUrl (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:186:5)
      at initializeEnterprise (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/recaptcha.ts:72:5)
      at ReCaptchaEnterpriseProvider.initializeRecaptchaEnterprise [as initialize] (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/providers.ts:209:5)
      at _activate (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:160:18)
      at initializeAppCheck (../../node_modules/.pnpm/@firebase+app-check@0.8.6_@firebase+app@0.10.7/node_modules/@firebase/app-check/src/api.ts:106:3)
      at src/app-check/app-check.tsx:32:40
      at apply (../utils/src/memo.tsx:41:29)
      at getAppCheckToken (src/app-check/app-check-token.tsx:23:53)
      at Object.<anonymous> (src/app-check/app-check-token.test.tsx:92:36)

Hi @nicole0707, sorry that you're suddenly running into issues with this.

I just tried to re-create this error message in my own Firebase web app, but was unsuccessful.
I'd really like to figure out why you're seeing this issue, and reproduce it myself. It would be helpful if you could share:

  • Code snippet of your unit test that raised the error
  • Your environment (any web frameworks, testing frameworks, libraries, etc.)
  • Your testing configuration

Also, if you believe this is an issue with Firebase, and not your code, please submit a new issue.
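
The TypeError quoted above is raised by the template-object check that safevalues builders perform before accepting a URL. The following added example (not code from this PR or from the safevalues library) reproduces that pattern in plain JavaScript: a `trustedResourceUrl` tag that accepts only a genuine template object, percent-encodes anything interpolated into it, and a consumer that refuses any value other than the wrapper type. The reCAPTCHA site key and the stand-in document are constructed, and the real library's rules on what may be interpolated are stricter than shown here.

```javascript
// Added example mimicking the safevalues pattern; not Firebase or safevalues code.
class TrustedResourceUrl {
  constructor(url) {
    this.url = url;
  }
  toString() {
    return this.url;
  }
}

// Best-effort check that `strings` is the template object the JS engine creates
// for a tagged template literal: a frozen array with a frozen `raw` array of the
// same length. A string or hand-built array, as passed by fn(...), fails it.
function isTemplateObject(strings) {
  return (
    Array.isArray(strings) &&
    Object.isFrozen(strings) &&
    Array.isArray(strings.raw) &&
    Object.isFrozen(strings.raw) &&
    strings.length === strings.raw.length
  );
}

// Template tag. The literal parts come from source code and are trusted; any
// interpolated value is percent-encoded so it cannot alter the URL structure.
function trustedResourceUrl(strings, ...values) {
  if (!isTemplateObject(strings)) {
    throw new TypeError('trustedResourceUrl must be called as a tag (fn`...`), not fn(...)');
  }
  let url = strings[0];
  for (let i = 0; i < values.length; i++) {
    url += encodeURIComponent(String(values[i])) + strings[i + 1];
  }
  return new TrustedResourceUrl(url);
}

// Consumer side: only a TrustedResourceUrl may become a script src, so a raw
// string never reaches the sink. `doc` is a parameter so this runs without a DOM.
function createScriptElement(doc, url) {
  if (!(url instanceof TrustedResourceUrl)) {
    throw new TypeError('script src requires a TrustedResourceUrl');
  }
  const script = doc.createElement('script');
  script.src = url.toString();
  return script;
}
```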

@nicole0707

nicole0707 commented Jul 22, 2024

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

@delmaass

Hello Firebase team, my NextJS project won't build because of an exception that seems related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

@delmaass

Hello Firebase team, my NextJS project won't build because of an exception that seems related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

Downgrading to "firebase": "10.12.3" solved the issue

@dlarocque
Contributor Author

Hello Firebase team, my NextJS project won't build because of an exception that seems related to this update:

./node_modules/firebase/analytics/dist/index.mjs + 51 modules
Cannot get final name for export 'trustedResourceUrl' of ./node_modules/safevalues/dist/mjs/index.js

I am using firebase: ^10.12.4

Hi @delmaass, thanks for reporting this. As a sanity check, I upgraded my own Next.js app (it's just the template app with basic Firebase usage) to Firebase 10.12.4, but I was not able to reproduce your issue when building or deploying.
If you believe this is an issue caused by the SDK, could you please submit a new issue in this repo including more details?

I am worried this might cause issues for a lot of Next.js users, but I haven't been able to reproduce any issues myself.

@dlarocque
Contributor Author

@nicole0707
I have been able to reproduce your issue with Jest. If you have any additional info that may help us solve this issue, please mention it in #8386

tom-andersen pushed a commit that referenced this pull request Jul 24, 2024
* Use safevalues to fix trusted types issues reported by tsec

* Upgrade to safevalues 0.6.0

* Remove exemptions, and untested usages of safevalues

* Add dependency that was accidentally removed

* Add FIXMEs for tsec violations

* Run formatting

* Compare against full Gtag script in tests

* Check that full reCAPTCHA script URL was assigned to script element

* Replace FIXMEs with TODOs

* Remove auth, rtdb, messaging from changeset

dlarocque added a commit that referenced this pull request Jul 25, 2024

dlarocque added a commit that referenced this pull request Jul 26, 2024

* Revert "Use safevalues to fix trusted types issues reported by tsec (#8301)"

This reverts commit f58d48c.

* Add Changeset

@dlarocque
Contributor Author

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

Hi @nicole0707, this should be fixed in the next release which will be out by the end of the week.

For more information, see #8395

@nicole0707

nicole0707 commented Aug 5, 2024

Hi @dlarocque, FYI we are using the Firebase sdk with Next.js, and the testing framework is Jest. I will look into the issue and try to provide a minimal demo to reproduce it. Thanks!

Hi @nicole0707, this should be fixed in the next release which will be out by the end of the week.

For more information, see #8395

Thanks @dlarocque, I just checked; the issue has been fixed in 10.12.5.

@firebase firebase locked and limited conversation to collaborators Aug 16, 2024