Skip to content

Audit of classes in firebase app distribution to minimize user access #3196

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 19 commits into from
Dec 10, 2021
Merged

Audit of classes in firebase app distribution to minimize user access #3196

merged 19 commits into from
Dec 10, 2021

Conversation

manny-jimenez
Copy link
Contributor

No description provided.

@google-cla google-cla bot added the cla: yes Override cla label Dec 1, 2021
@google-oss-bot
Copy link
Contributor

google-oss-bot commented Dec 1, 2021
edited
Loading

Coverage Report

Affected SDKs

No changes between base commit (dd1c336) and head commit (78339c4f).

Test Logs

Notes

HTML coverage reports can be produced locally with ./gradlew <product>:checkCoverage.
Report files are located at <product-build-dir>/reports/jacoco/.

Head commit (78339c4f) is created by Prow via merging commits: dd1c336 34702b3.

@google-oss-bot
Copy link
Contributor

google-oss-bot commented Dec 1, 2021
edited
Loading

Binary Size Report

Affected SDKs

  • firebase-app-distribution

    Type Base (dd1c336) Head (78339c4f) Diff
    aar 117 kB 117 kB +19 B (+0.0%)
    apk (release) 1.55 MB 1.55 MB +20 B (+0.0%)

Test Logs

Notes

Head commit (78339c4f) is created by Prow via merging commits: dd1c336 34702b3.

@firebase firebase deleted a comment from google-oss-bot Dec 5, 2021
@manny-jimenez
Copy link
Contributor Author

/retest

rachaprince
rachaprince reviewed Dec 6, 2021
View reviewed changes
...ution/src/main/java/com/google/firebase/app/distribution/AppDistributionReleaseInternal.java Outdated
@@ -27,7 +27,7 @@
* href="https://github.com/google/auto/tree/master/value">https://github.com/google/auto/tree/master/value</a>
*/
@AutoValue
public abstract class AppDistributionReleaseInternal {
abstract class AppDistributionReleaseInternal {

@NonNull
public static Builder builder() {
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should make the property methods in this class package private. External classes shouldn't need to access this data object

rachaprince
rachaprince reviewed Dec 10, 2021
View reviewed changes
...tribution/src/main/java/com/google/firebase/app/distribution/ReleaseIdentificationUtils.java
@@ -29,7 +29,7 @@
import java.util.zip.ZipEntry;
import java.util.zip.ZipFile;

public final class ReleaseIdentificationUtils {
final class ReleaseIdentificationUtils {
private static final String TAG = "ReleaseIdentification";
private static final int BYTES_IN_LONG = 8;

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the methods in this class should also be package-private

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good call. I thought since the class is package-private it was fine but its better to be consistent.

...pp-distribution/src/main/java/com/google/firebase/app/distribution/SignInResultActivity.java Outdated
@@ -25,6 +25,8 @@
public class SignInResultActivity extends AppCompatActivity {
private static final String TAG = "SignInResultActivity:";

public SignInResultActivity() {}
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need this? Seems like the class is public already, so the default constructor will be public too

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was a left over from trying to make it package-private will remove

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm pretty sure even if the class is marked as public, the constructor won't be public unless it's also marked as such.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

good to know! thanks!

@lfkellogg lfkellogg mentioned this pull request Dec 10, 2021
Closed
lfkellogg
lfkellogg approved these changes Dec 10, 2021
View reviewed changes
Copy link
Contributor

@lfkellogg lfkellogg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

rachaprince
rachaprince approved these changes Dec 10, 2021
View reviewed changes
Copy link

@rachaprince rachaprince left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nice work!

@manny-jimenez
Copy link
Contributor Author

/test smoke-tests

@manny-jimenez manny-jimenez merged commit 8bc2ab4 into master Dec 10, 2021
@manny-jimenez manny-jimenez deleted the fad_audit branch December 10, 2021 17:47
@rachaprince
Copy link

Looking at the files generated by api.txt, I have a few questions about the visibility of some classes and methods:

@mannyjimenez0810 do you know if we could reduce the visibility of any of the following?:

  • FirebaseAppDistributionLifeCycleNotifier
  • FirebaseAppDistributionFileProvider
  • UpdateProgress.Builder

(It might be worth doing a search for "public" in the app distribution package to see if there are any others we missed)

@manny-jimenez
Copy link
Contributor Author

@rachaprince Great Question.

FirebaseAppDistributionLifeCycleNotifier
This was an oversight on my part. Will fix in a future PR.

FirebaseAppDistributionFileProvider
I tried making this also package private but I believe due to it being in the manifest I was unable to.
See here

firebase-android-sdk/firebase-app-distribution/src/main/AndroidManifest.xml

Line 49 in 8bc2ab4

android:name="com.google.firebase.app.distribution.FirebaseAppDistributionFileProvider"

I get this exception java.lang.RuntimeException: Unable to get provider com.google.firebase.app.distribution.FirebaseAppDistributionFileProvider: java.lang.IllegalAccessException: java.lang.Class<com.google.firebase.app.distribution.FirebaseAppDistributionFileProvider> is not accessible from java.lang.Class<android.app.AppComponentFactory>

UpdateProgress.Builder
Another good catch. I saw we return UpdateProgress so I didn't look at the methods as carefully as I should have. Will also fix this in an upcoming PR.

Thanks for catching these. Will do a search for public in the package to see if theres other pieces I missed.

@firebase firebase locked and limited conversation to collaborators Jan 10, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@rachaprince rachaprince rachaprince approved these changes

@lfkellogg lfkellogg lfkellogg approved these changes

@pranavrajgopal pranavrajgopal Awaiting requested review from pranavrajgopal

Assignees
No one assigned
Labels
cla: yes Override cla size/M
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@manny-jimenez @google-oss-bot @rachaprince @lfkellogg