-
Notifications
You must be signed in to change notification settings - Fork 27.5k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[macOS] support secure restorable state by default (#151605)
By default, Flutter apps only do default AppKit app serialisation of Window location etc. and by default, state serialisation in AppKit apps is compatible with `NSSecureCoding`. AppKit apps generated since Xcode 13.2 include this method in the app delegate generated by the default app template. Background ========== This method was added to opt into having [de]serialization require a coder implementing the `NSSecureCoding` protocol. Apple wasn't able to force this across the board, because `NSSecureCoding` limits certain behaviours during deserialisation, which some third-party apps have have previously relied on. Specific background on the sorts of vulnerabilities that `NSSecureCoding` was designed to prevent are described in the `NSSecureCoding` documentation: https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc A demonstration of a root privilege escalation and SIP bypass vulnerability is described in the following blog post: https://sector7.computest.nl/post/2022-08-process-injection-breaking-all-macos-security-layers-with-a-single-vulnerability/ Fixes: #150062 ## Pre-launch Checklist - [X] I read the [Contributor Guide] and followed the process outlined there for submitting PRs. - [X] I read the [Tree Hygiene] wiki page, which explains my responsibilities. - [X] I read and followed the [Flutter Style Guide], including [Features we expect every widget to implement]. - [X] I signed the [CLA]. - [X] I listed at least one issue that this PR fixes in the description above. - [X] I updated/added relevant documentation (doc comments with `///`). - [ ] I added new tests to check the change I am making, or this PR is [test-exempt]. - [X] I followed the [breaking change policy] and added [Data Driven Fixes] where supported. - [X] All existing and new tests are passing. If you need help, consider asking for advice on the #hackers-new channel on [Discord]. <!-- Links --> [Contributor Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#overview [Tree Hygiene]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md [test-exempt]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#tests [Flutter Style Guide]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md [Features we expect every widget to implement]: https://github.com/flutter/flutter/blob/main/docs/contributing/Style-guide-for-Flutter-repo.md#features-we-expect-every-widget-to-implement [CLA]: https://cla.developers.google.com/ [flutter/tests]: https://github.com/flutter/tests [breaking change policy]: https://github.com/flutter/flutter/blob/main/docs/contributing/Tree-hygiene.md#handling-breaking-changes [Discord]: https://github.com/flutter/flutter/blob/main/docs/contributing/Chat.md [Data Driven Fixes]: https://github.com/flutter/flutter/blob/main/docs/contributing/Data-driven-Fixes.md
- Loading branch information
Showing
19 changed files
with
309 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
88 changes: 88 additions & 0 deletions
88
packages/flutter_tools/lib/src/macos/migrations/secure_restorable_state_migration.dart
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,88 @@ | ||
| // Copyright 2014 The Flutter Authors. All rights reserved. | ||
| // Use of this source code is governed by a BSD-style license that can be | ||
| // found in the LICENSE file. | ||
|
|
||
| import '../../base/file_system.dart'; | ||
| import '../../base/project_migrator.dart'; | ||
| import '../../xcode_project.dart'; | ||
|
|
||
| const String _appDelegateFileBefore = r''' | ||
| class AppDelegate: FlutterAppDelegate { | ||
| override func applicationShouldTerminateAfterLastWindowClosed(_ sender: NSApplication) -> Bool { | ||
| return true | ||
| } | ||
| }'''; | ||
|
|
||
| const String _appDelegateFileAfter = r''' | ||
| class AppDelegate: FlutterAppDelegate { | ||
| override func applicationShouldTerminateAfterLastWindowClosed(_ sender: NSApplication) -> Bool { | ||
| return true | ||
| } | ||
| override func applicationSupportsSecureRestorableState(_ app: NSApplication) -> Bool { | ||
| return true | ||
| } | ||
| }'''; | ||
|
|
||
| /// Add `applicationSupportsSecureRestorableState` if not already present. | ||
| /// | ||
| /// In all new AppKit apps since Xcode 13.2, the AppDelegate template includes | ||
| /// this method, which opts in to requiring safe deserialization via the | ||
| /// `NSSecureCoding` protocol. Because this required new API, existing apps | ||
| /// need to opt in to this behavior. | ||
| /// | ||
| /// Since nearly all Flutter macOS apps will be doing serialization of Flutter | ||
| /// state via Dart code, it's a very safe bet that the vast majority of | ||
| /// existing Flutter apps can safely enable this flag. The few apps that | ||
| /// are doing serialization via older insecure APIs can update the migrated | ||
| /// code to return false. | ||
| /// | ||
| /// See: | ||
| /// https://developer.apple.com/documentation/foundation/nssecurecoding?language=objc | ||
| class SecureRestorableStateMigration extends ProjectMigrator { | ||
| SecureRestorableStateMigration( | ||
| MacOSProject project, | ||
| super.logger, | ||
| ) : _appDelegateSwift = project.appDelegateSwift; | ||
|
|
||
| final File _appDelegateSwift; | ||
|
|
||
| @override | ||
| Future<void> migrate() async { | ||
| // Skip this migration if the project uses Objective-C. | ||
| if (!_appDelegateSwift.existsSync()) { | ||
| logger.printTrace( | ||
| 'macos/Runner/AppDelegate.swift not found. Skipping applicationSupportsSecureRestorableState migration.' | ||
| ); | ||
| return; | ||
| } | ||
| final String original = _appDelegateSwift.readAsStringSync(); | ||
|
|
||
| // If we have an AppDelegate.swift, but can't migrate, log a warning. | ||
| if (!original.contains(_appDelegateFileBefore)) { | ||
| if (original.contains('applicationSupportsSecureRestorableState')) { | ||
| // User has already overridden this method. Exit quietly. | ||
| return; | ||
| } | ||
|
|
||
| logger.printWarning(''' | ||
| macos/Runner/AppDelegate.swift has been modified and cannot be automatically migrated. | ||
| We recommend developers override applicationSupportsSecureRestorableState in AppDelegate.swift as follows: | ||
| override func applicationSupportsSecureRestorableState(_ app: NSApplication) -> Bool { | ||
| return true | ||
| } | ||
| '''); | ||
| } | ||
|
|
||
| // Migrate the macos/Runner/AppDelegate.swift file. | ||
| final String migrated = original.replaceFirst(_appDelegateFileBefore, _appDelegateFileAfter); | ||
| if (original == migrated) { | ||
| return; | ||
| } | ||
|
|
||
| logger.printWarning( | ||
| 'macos/Runner/AppDelegate.swift does not override applicationSupportsSecureRestorableState. Updating.' | ||
| ); | ||
| _appDelegateSwift.writeAsStringSync(migrated); | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.