safe_app_nodejs dependencies interfere with app dependencies, can modify window


#1

@joshuef I have started work on a drop-in replacement for solid-auth-client and on getting their demo app working in SAFE Browser. I think I’m seeing that the browser already has solid-auth-client as a dependency:

safe-browser-v0.11.2-linux-x64-dev/resources/app.asar/node_modules/solid-auth-client/lib/index.js

I’m aiming to make solid-safe-client a drop-in replacement for any Solid app, meaning that it would ‘just work’ on SAFE, but revert to solid-auth-client if run on the web.


UPDATE: Ah, I see, it is a dependency of rdflib and so being pulled in there.

This is tricky because solid-auth-client messes with the window object!

I may be able to handle it, but not nicely:

  • if we assume my solid-safe-client init happens after SAFE Browser’s solid-auth-client (reasonable I think, as I’ll be in the web app), then I can overwrite those mods with my own
  • but there’s a danger the app might start using solid-auth-client before I do that - do you think?

The best solution would I think be to prevent the solid-auth-client in SAFE Browser from adulterating window (see here). I’m not sure how easy it would be for you to do that.

Thoughts?

Security: also, do you think this might be a security issue - a dependency of the browser being able to modify the window object?


#2

Morning.

Hmmm. Yes certainly this could be a security issue (one inherent in NPM sadly); though there are steps we could take to sandbox away the APIs running, though that in itself is probably a regression back to managing handles. At least until we have some cleaner/smoother Data APIs available.

That’s certainly something to mull over though aye.


Right now I’m wondering if there’s a way to prevent rdflib’s load while not in the experimental mode. (Though nothing springs to mind without a lot of conditional loading setup that’s probably a rabbit hole to go down.)

Good news is down the line, with SAFE RDF apis we’ll be able to drop this dep (and leave RDF handling in js to the app dev’s choice). Though that doesn’t help you right now.

Simplest thing (I think) for you would be to roll a fork of rdflib, removing this window write, as a dependency of the Browser build. That should get you going. (Or perhaps just straight up set your fork as the browser dep?)

To do this:

  • yarn link in the rdflib fork
  • yarn link <project-name-in-package.json> in the browser root. This will replace the node_modules folder with a symlink to your own.

And at the very least we can look into doing the same for a next browser release, if it’s feasible.


#3

Thanks Josh, I think I’m fine for now - my questions are really for longer term.

So the question is if/how to protect window from adulteration by things which SAFE App Nodejs loads and their dependencies? Shall I file an issue on that basis?
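
One defensive approach to the question raised in #1 and #3 (a bundled dependency writing to `window`), shown as an added example that is not code from the thread, from SAFE Browser or from solid-auth-client: before any third-party module runs, pin the global names the app relies on with non-configurable accessor properties, so later assignments are silently dropped and recorded with a stack trace, and attempts to redefine the property throw. `makeScope` is a constructed stand-in for the browser `window` so the snippet runs under Node.js, and `untrustedDependency` is a constructed stand-in for a module that pollutes the global object; neither is the real solid-auth-client behaviour.

```javascript
// Added example: pin selected global names so a dependency loaded later
// cannot overwrite them, and record every attempted write for auditing.

function guardGlobals(scope, names) {
  const attempts = []; // audit log of blocked writes
  for (const name of names) {
    const pinned = scope[name]; // snapshot the value present before any dependency runs
    Object.defineProperty(scope, name, {
      configurable: false, // cannot be redefined or deleted later
      enumerable: true,
      get() {
        return pinned;
      },
      set(value) {
        // Assignment reaches this setter in both sloppy and strict mode;
        // we drop the value and keep a stack so the offending module is identifiable.
        attempts.push({ name, value, stack: new Error().stack });
      },
    });
  }
  return { attempts };
}

// Constructed stand-in for the browser window object.
function makeScope() {
  return { appConfig: { origin: 'https://example.test/app' } };
}

// Constructed stand-in for a dependency that writes to the global object.
function untrustedDependency(scope) {
  scope.solid = { auth: 'injected' };
  scope.appConfig = { origin: 'https://example.test/elsewhere' };
  // A more forceful module might try to redefine the property outright.
  let redefined = true;
  try {
    Object.defineProperty(scope, 'solid', { value: { auth: 'redefined' } });
  } catch (e) {
    redefined = false; // TypeError: non-configurable property
  }
  return redefined;
}

function demo() {
  const scope = makeScope();
  const guard = guardGlobals(scope, ['solid', 'appConfig']);
  const redefined = untrustedDependency(scope);
  return {
    solidUntouched: scope.solid === undefined,
    appConfigUntouched: scope.appConfig.origin === 'https://example.test/app',
    blockedWrites: guard.attempts.map((a) => a.name),
    redefineBlocked: !redefined,
  };
}

console.log(JSON.stringify(demo()));
```

The guard only works for names that are still configurable when it runs, so it has to execute before rdflib and its dependencies are loaded; some built-in `window` properties are already non-configurable in browsers and cannot be wrapped this way. The recorded stack traces are what make the write attributable to a specific module, which is the piece missing when the overwrite happens silently.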


#4

Yeh that would be excellent thanks. :+1:


#5

Filed: