Merge master into release

firebase · Jul 16, 2024 · 161c122 · 161c122
2 parents 52f8deb + fd8bd4b
commit 161c122
Show file tree

Hide file tree

Showing 28 changed files with 203 additions and 147 deletions.
diff --git a/.changeset/chilly-plums-burn.md b/.changeset/chilly-plums-burn.md
@@ -0,0 +1,5 @@
+---
+'@firebase/rules-unit-testing': patch
+---
+
+Upgrade firebase-admin to 11.11.1
diff --git a/.changeset/happy-trees-battle.md b/.changeset/happy-trees-battle.md
@@ -0,0 +1,6 @@
+---
+'@firebase/analytics': patch
+'@firebase/app-check': patch
+---
+
+Begin using [safevalues](https://github.com/google/safevalues) to sanitize HTML vulnerable to XSS.
diff --git a/.github/workflows/check-vertexai-responses.yml b/.github/workflows/check-vertexai-responses.yml
@@ -0,0 +1,54 @@
+# Copyright 2024 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Check Vertex AI Responses
+
+on: pull_request
+
+jobs:
+  check-version:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v4
+    - name: Clone mock responses
+      run: scripts/update_vertexai_responses.sh
+    - name: Find cloned and latest versions
+      run: |
+        CLONED=$(git describe --tags)
+        LATEST=$(git tag --sort=v:refname | tail -n1)
+        echo "cloned_tag=$CLONED" >> $GITHUB_ENV
+        echo "latest_tag=$LATEST" >> $GITHUB_ENV
+      working-directory: packages/vertexai/test-utils/vertexai-sdk-test-data
+    - name: Find comment from previous run if exists
+      uses: peter-evans/find-comment@3eae4d37986fb5a8592848f6a574fdf654e61f9e
+      id: fc
+      with:
+        issue-number: ${{github.event.number}}
+        body-includes: Vertex AI Mock Responses Check
+    - name: Comment on PR if newer version is available
+      if: ${{env.cloned_tag != env.latest_tag && !steps.fc.outputs.comment-id}}
+      uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043
+      with:
+        issue-number: ${{github.event.number}}
+        body: >
+          ### Vertex AI Mock Responses Check :warning:
+          
+          A newer major version of the mock responses for Vertex AI unit tests is available.
+          [update_vertexai_responses.sh](https://github.com/firebase/firebase-js-sdk/blob/main/scripts/update_vertexai_responses.sh)
+          should be updated to clone the latest version of the responses: `${{env.latest_tag}}`
+    - name: Delete comment when version gets updated
+      if: ${{env.cloned_tag == env.latest_tag && steps.fc.outputs.comment-id}}
+      uses: detomarco/delete-comment@850734dd44d8b15fef55b45252613b903ceb06f0
+      with:
+        comment-id: ${{ steps.fc.outputs.comment-id }}
diff --git a/.github/workflows/health-metrics-pull-request.yml b/.github/workflows/health-metrics-pull-request.yml
@@ -45,7 +45,7 @@ jobs:
       - uses: 'google-github-actions/auth@v0'
         with:
           credentials_json: '${{ secrets.GCP_SA_KEY }}'
-      - uses: google-github-actions/setup-gcloud@v0
+      - uses: google-github-actions/setup-gcloud@v2
       - run: yarn install
       - run: yarn build
       - name: Run health-metrics/binary-size test
@@ -62,7 +62,7 @@ jobs:
       - uses: 'google-github-actions/auth@v0'
         with:
           credentials_json: '${{ secrets.GCP_SA_KEY }}'
-      - uses: google-github-actions/setup-gcloud@v0
+      - uses: google-github-actions/setup-gcloud@v2
       - run: yarn install
       - run: yarn build
       - name: Run health-metrics/modular-exports-binary-size test

diff --git a/.github/workflows/health-metrics-release.yml b/.github/workflows/health-metrics-release.yml
@@ -26,7 +26,7 @@ jobs:
       - uses: 'google-github-actions/auth@v0'
         with:
           credentials_json: '${{ secrets.GCP_SA_KEY }}'
-      - uses: google-github-actions/setup-gcloud@v0
+      - uses: google-github-actions/setup-gcloud@v2
       - uses: FirebaseExtended/github-actions/health-metrics/release-diffing@master
         with:
           repo: ${{ github.repository }}

diff --git a/.github/workflows/test-all.yml b/.github/workflows/test-all.yml
@@ -50,6 +50,8 @@ jobs:
         yarn
     - name: yarn build
       run: yarn build
+    - name: Remove git directory
+      run: rm -rf .git
     - name: Archive build
       if: ${{ !cancelled() }}
       run: |

diff --git a/packages/analytics/package.json b/packages/analytics/package.json
@@ -45,15 +45,16 @@
     "@firebase/logger": "0.4.2",
     "@firebase/util": "1.9.7",
     "@firebase/component": "0.6.8",
-    "tslib": "^2.1.0"
+    "tslib": "^2.1.0",
+    "safevalues": "0.6.0"
   },
   "license": "Apache-2.0",
   "devDependencies": {
     "@firebase/app": "0.10.6",
-    "rollup": "2.79.1",
     "@rollup/plugin-commonjs": "21.1.0",
     "@rollup/plugin-json": "4.1.0",
     "@rollup/plugin-node-resolve": "13.3.0",
+    "rollup": "2.79.1",
     "rollup-plugin-typescript2": "0.31.2",
     "typescript": "4.7.4"
   },

diff --git a/packages/analytics/src/helpers.test.ts b/packages/analytics/src/helpers.test.ts
@@ -24,16 +24,12 @@ import {
   insertScriptTag,
   wrapOrCreateGtag,
   findGtagScriptOnPage,
-  promiseAllSettled,
-  createGtagTrustedTypesScriptURL,
-  createTrustedTypesPolicy
+  promiseAllSettled
 } from './helpers';
-import { GtagCommand, GTAG_URL } from './constants';
+import { GtagCommand } from './constants';
 import { Deferred } from '@firebase/util';
 import { ConsentSettings } from './public-types';
 import { removeGtagScripts } from '../testing/gtag-script-util';
-import { logger } from './logger';
-import { AnalyticsError, ERROR_FACTORY } from './errors';
 
 const fakeMeasurementId = 'abcd-efgh-ijkl';
 const fakeAppId = 'my-test-app-1234';
@@ -50,71 +46,6 @@ const fakeDynamicConfig: DynamicConfig = {
 };
 const fakeDynamicConfigPromises = [Promise.resolve(fakeDynamicConfig)];
 
-describe('Trusted Types policies and functions', () => {
-  if (window.trustedTypes) {
-    describe('Trusted types exists', () => {
-      let ttStub: SinonStub;
-
-      beforeEach(() => {
-        ttStub = stub(
-          window.trustedTypes as TrustedTypePolicyFactory,
-          'createPolicy'
-        ).returns({
-          createScriptURL: (s: string) => s
-        } as any);
-      });
-
-      afterEach(() => {
-        removeGtagScripts();
-        ttStub.restore();
-      });
-
-      it('Verify trustedTypes is called if the API is available', () => {
-        const trustedTypesPolicy = createTrustedTypesPolicy(
-          'firebase-js-sdk-policy',
-          {
-            createScriptURL: createGtagTrustedTypesScriptURL
-          }
-        );
-
-        expect(ttStub).to.be.called;
-        expect(trustedTypesPolicy).not.to.be.undefined;
-      });
-
-      it('createGtagTrustedTypesScriptURL verifies gtag URL base exists when a URL is provided', () => {
-        expect(createGtagTrustedTypesScriptURL(GTAG_URL)).to.equal(GTAG_URL);
-      });
-
-      it('createGtagTrustedTypesScriptURL rejects URLs with non-gtag base', () => {
-        const NON_GTAG_URL = 'http://iamnotgtag.com';
-        const loggerWarnStub = stub(logger, 'warn');
-        const errorMessage = ERROR_FACTORY.create(
-          AnalyticsError.INVALID_GTAG_RESOURCE,
-          {
-            gtagURL: NON_GTAG_URL
-          }
-        ).message;
-
-        expect(createGtagTrustedTypesScriptURL(NON_GTAG_URL)).to.equal('');
-        expect(loggerWarnStub).to.be.calledWith(errorMessage);
-      });
-    });
-  }
-  describe('Trusted types does not exist', () => {
-    it('Verify trustedTypes functions are not called if the API is not available', () => {
-      delete window.trustedTypes;
-      const trustedTypesPolicy = createTrustedTypesPolicy(
-        'firebase-js-sdk-policy',
-        {
-          createScriptURL: createGtagTrustedTypesScriptURL
-        }
-      );
-
-      expect(trustedTypesPolicy).to.be.undefined;
-    });
-  });
-});
-
 describe('Gtag wrapping functions', () => {
   afterEach(() => {
     removeGtagScripts();
@@ -136,8 +67,9 @@ describe('Gtag wrapping functions', () => {
     insertScriptTag(customDataLayerName, fakeMeasurementId);
     const scriptTag = findGtagScriptOnPage(customDataLayerName);
     expect(scriptTag).to.not.be.null;
-    expect(scriptTag!.src).to.contain(`l=customDataLayerName`);
-    expect(scriptTag!.src).to.contain(`id=${fakeMeasurementId}`);
+    expect(scriptTag!.src).to.equal(
+      `https://www.googletagmanager.com/gtag/js?l=${customDataLayerName}&id=${fakeMeasurementId}`
+    );
   });
 
   // The test above essentially already touches this functionality but it is still valuable

diff --git a/packages/analytics/src/helpers.ts b/packages/analytics/src/helpers.ts
@@ -24,25 +24,12 @@ import {
 import { DynamicConfig, DataLayer, Gtag, MinimalDynamicConfig } from './types';
 import { GtagCommand, GTAG_URL } from './constants';
 import { logger } from './logger';
-import { AnalyticsError, ERROR_FACTORY } from './errors';
+import { trustedResourceUrl } from 'safevalues';
+import { safeScriptEl } from 'safevalues/dom';
 
 // Possible parameter types for gtag 'event' and 'config' commands
 type GtagConfigOrEventParams = ControlParams & EventParams & CustomParams;
 
-/**
- * Verifies and creates a TrustedScriptURL.
- */
-export function createGtagTrustedTypesScriptURL(url: string): string {
-  if (!url.startsWith(GTAG_URL)) {
-    const err = ERROR_FACTORY.create(AnalyticsError.INVALID_GTAG_RESOURCE, {
-      gtagURL: url
-    });
-    logger.warn(err.message);
-    return '';
-  }
-  return url;
-}
-
 /**
  * Makeshift polyfill for Promise.allSettled(). Resolves when all promises
  * have either resolved or rejected.
@@ -55,29 +42,6 @@ export function promiseAllSettled<T>(
   return Promise.all(promises.map(promise => promise.catch(e => e)));
 }
 
-/**
- * Creates a TrustedTypePolicy object that implements the rules passed as policyOptions.
- *
- * @param policyName A string containing the name of the policy
- * @param policyOptions Object containing implementations of instance methods for TrustedTypesPolicy, see {@link https://developer.mozilla.org/en-US/docs/Web/API/TrustedTypePolicy#instance_methods
- * | the TrustedTypePolicy reference documentation}.
- */
-export function createTrustedTypesPolicy(
-  policyName: string,
-  policyOptions: Partial<TrustedTypePolicyOptions>
-): Partial<TrustedTypePolicy> | undefined {
-  // Create a TrustedTypes policy that we can use for updating src
-  // properties
-  let trustedTypesPolicy: Partial<TrustedTypePolicy> | undefined;
-  if (window.trustedTypes) {
-    trustedTypesPolicy = window.trustedTypes.createPolicy(
-      policyName,
-      policyOptions
-    );
-  }
-  return trustedTypesPolicy;
-}
-
 /**
  * Inserts gtag script tag into the page to asynchronously download gtag.
  * @param dataLayerName Name of datalayer (most often the default, "_dataLayer").
@@ -86,21 +50,17 @@ export function insertScriptTag(
   dataLayerName: string,
   measurementId: string
 ): void {
-  const trustedTypesPolicy = createTrustedTypesPolicy(
-    'firebase-js-sdk-policy',
-    {
-      createScriptURL: createGtagTrustedTypesScriptURL
-    }
-  );
-
   const script = document.createElement('script');
+
   // We are not providing an analyticsId in the URL because it would trigger a `page_view`
   // without fid. We will initialize ga-id using gtag (config) command together with fid.
-
-  const gtagScriptURL = `${GTAG_URL}?l=${dataLayerName}&id=${measurementId}`;
-  (script.src as string | TrustedScriptURL) = trustedTypesPolicy
-    ? (trustedTypesPolicy as TrustedTypePolicy)?.createScriptURL(gtagScriptURL)
-    : gtagScriptURL;
+  //
+  // We also have to ensure the template string before the first expression constitutes a valid URL
+  // start, as this is what the initial validation focuses on. If the template literal begins
+  // directly with an expression (e.g. `${GTAG_SCRIPT_URL}`), the validation fails due to an
+  // empty initial string.
+  const url = trustedResourceUrl`https://www.googletagmanager.com/gtag/js?l=${dataLayerName}&id=${measurementId}`;
+  safeScriptEl.setSrc(script, url);
 
   script.async = true;
   document.head.appendChild(script);

diff --git a/packages/app-check/package.json b/packages/app-check/package.json
@@ -42,6 +42,7 @@
     "@firebase/util": "1.9.7",
     "@firebase/component": "0.6.8",
     "@firebase/logger": "0.4.2",
+    "safevalues": "0.6.0",
     "tslib": "^2.1.0"
   },
   "license": "Apache-2.0",

diff --git a/packages/app-check/src/recaptcha.test.ts b/packages/app-check/src/recaptcha.test.ts
@@ -30,7 +30,9 @@ import {
   initializeV3,
   initializeEnterprise,
   getToken,
-  GreCAPTCHATopLevel
+  GreCAPTCHATopLevel,
+  RECAPTCHA_ENTERPRISE_URL,
+  RECAPTCHA_URL
 } from './recaptcha';
 import * as utils from './util';
 import {
@@ -81,7 +83,9 @@ describe('recaptcha', () => {
 
       expect(findgreCAPTCHAScriptsOnPage().length).to.equal(0);
       await initializeV3(app, FAKE_SITE_KEY);
-      expect(findgreCAPTCHAScriptsOnPage().length).to.equal(1);
+      const greCATPCHAScripts = findgreCAPTCHAScriptsOnPage();
+      expect(greCATPCHAScripts.length).to.equal(1);
+      expect(greCATPCHAScripts[0].src).to.equal(RECAPTCHA_URL);
     });
 
     it('creates invisible widget', async () => {
@@ -128,7 +132,9 @@ describe('recaptcha', () => {
 
       expect(findgreCAPTCHAScriptsOnPage().length).to.equal(0);
       await initializeEnterprise(app, FAKE_SITE_KEY);
-      expect(findgreCAPTCHAScriptsOnPage().length).to.equal(1);
+      const greCAPTCHAScripts = findgreCAPTCHAScriptsOnPage();
+      expect(greCAPTCHAScripts.length).to.equal(1);
+      expect(greCAPTCHAScripts[0].src).to.equal(RECAPTCHA_ENTERPRISE_URL);
     });
 
     it('creates invisible widget', async () => {

diff --git a/packages/app-check/src/recaptcha.ts b/packages/app-check/src/recaptcha.ts
@@ -19,7 +19,12 @@ import { FirebaseApp } from '@firebase/app';
 import { getStateReference } from './state';
 import { Deferred } from '@firebase/util';
 import { getRecaptcha, ensureActivated } from './util';
+import { trustedResourceUrl } from 'safevalues';
+import { safeScriptEl } from 'safevalues/dom';
 
+// Note that these are used for testing. If they are changed, the URLs used in loadReCAPTCHAV3Script
+// and loadReCAPTCHAEnterpriseScript must also be changed. They aren't used to create the URLs
+// since trusted resource URLs must be created using template string literals.
 export const RECAPTCHA_URL = 'https://www.google.com/recaptcha/api.js';
 export const RECAPTCHA_ENTERPRISE_URL =
   'https://www.google.com/recaptcha/enterprise.js';
@@ -166,14 +171,20 @@ function renderInvisibleWidget(
 
 function loadReCAPTCHAV3Script(onload: () => void): void {
   const script = document.createElement('script');
-  script.src = RECAPTCHA_URL;
+  safeScriptEl.setSrc(
+    script,
+    trustedResourceUrl`https://www.google.com/recaptcha/api.js`
+  );
   script.onload = onload;
   document.head.appendChild(script);
 }
 
 function loadReCAPTCHAEnterpriseScript(onload: () => void): void {
   const script = document.createElement('script');
-  script.src = RECAPTCHA_ENTERPRISE_URL;
+  safeScriptEl.setSrc(
+    script,
+    trustedResourceUrl`https://www.google.com/recaptcha/enterprise.js`
+  );
   script.onload = onload;
   document.head.appendChild(script);
 }