LavaMoat / docs

React Native docs

Proof of Concept Insights - lockdown() options #3

Closed bentobox19 closed 1 year ago

bentobox19 commented 2 years ago

PoC

https://github.com/LavaMoat/docs/blob/main/react-native-and-ses-lockdown.md

Discussion

The SES function lockdown() is called with the following option:

lockdown({consoleTaming: 'unsafe'});

This option was added after the following report:

This line is (silently, without logs, nor anything) breaking my mobile app: globalThis.console = /** @type {Console} */consoleRecord.console;

From Agoric, the following advice:

You might try the lockdown option consoleTaming: "unsafe". It will be interesting if that gets you past the issue, though it is unsafe as described on the tin. The purpose of the line is to replace the initial realm’s console with one that can reveal stack traces for any error that gets logged to it.

leotm commented 1 year ago

Can confirm we need this option ^ for general React Native debugging with stacktraces then for error monitoring deps (e.g. Sentry/BugSnag/etc) to capture error stacktraces w sourcemaps to monitor/debug prod

Following up latest RN PoCs

If we add custom error class

class CustomError extends Error {
  constructor(foo = 'bar', ...params) {
    // Pass remaining arguments (including vendor specific ones) to parent constructor
    super(...params);

    // Maintains proper stack trace for where our error was thrown (only available on V8)
    if (Error.captureStackTrace) {
      Error.captureStackTrace(this, CustomError);
    }

    this.name = 'CustomError';
    // Custom debugging information
    this.foo = foo;
    this.date = new Date();
  }
}

and create custom Button to trigger it

          <Button
            title="Click to console.error class CustomError"
            onPress={() => {
              try {
                throw new CustomError('baz', 'bazMessage');
              } catch (e) {
                console.error(e.name); // CustomError
                console.error(e.foo); // baz
                console.error(e.message); // bazMessage
                console.error(e.stack); // stacktrace
              }
            }}
          />

Giving below vanilla RN example

[Screenshot: example]

lockdown(); Default 'safe' settings

https://github.com/endojs/endo/blob/master/packages/ses/docs/reference.md#options-quick-reference

[Screenshot 2023-03-20 at 18 56 30]

consoleTaming Options https://github.com/endojs/endo/blob/master/packages/ses/docs/reference.md#consoletaming-options

[Screenshot: safe]

Our stacktrace is now kaputt ❗ (above) as expected and all we see is CustomError without sanitised props logged followed by additional TypeError from SES attempting to lockdown the console

Whereas lockdown({consoleTaming: 'unsafe'});

[Screenshot: unsafe]

We now have our full stacktrace back 🎉 traced to Button.props.onPress and CustomError props logged locally and once again for error monitoring deps (e.g. Sentry/BugSnag/etc) to capture them with sourcemaps to debug production

leotm commented 1 year ago

nb: While we're here, may be worth exploring our full suite of opts

// node_modules/ses/types.d.ts
export interface LockdownOptions {
  regExpTaming?: 'safe' | 'unsafe';
  localeTaming?: 'safe' | 'unsafe';
  consoleTaming?: 'safe' | 'unsafe';
  errorTrapping?: 'platform' | 'exit' | 'abort' | 'report' | 'none';
  unhandledRejectionTrapping?: 'report' | 'none';
  errorTaming?: 'safe' | 'unsafe';
  dateTaming?: 'safe' | 'unsafe'; // deprecated
  mathTaming?: 'safe' | 'unsafe'; // deprecated
  evalTaming?: 'safeEval' | 'unsafeEval' | 'noEval';
  stackFiltering?: 'concise' | 'verbose';
  overrideTaming?: 'moderate' | 'min' | 'severe';
  overrideDebug?: Array<string>;
  domainTaming?: 'safe' | 'unsafe';
}

few mentioned once again in https://github.com/endojs/endo/blob/master/packages/ses/docs/reference.md#options-quick-reference

TBD from remaining metamask-mobile integration
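
An added example, not part of the thread and not LavaMoat or SES code: a small lint that checks a lockdown() options object against the LockdownOptions values quoted above, so that a relaxation such as consoleTaming: 'unsafe' is an explicit, reviewed decision and a misspelled key is caught. The function name, the `accepted` allow-list, the finding levels and the rule that any value spelled "unsafe..." needs review are assumptions of this example.

```javascript
// Allowed values, copied from the LockdownOptions interface quoted in the thread.
const ALLOWED = {
  regExpTaming: ['safe', 'unsafe'],
  localeTaming: ['safe', 'unsafe'],
  consoleTaming: ['safe', 'unsafe'],
  errorTrapping: ['platform', 'exit', 'abort', 'report', 'none'],
  unhandledRejectionTrapping: ['report', 'none'],
  errorTaming: ['safe', 'unsafe'],
  dateTaming: ['safe', 'unsafe'],
  mathTaming: ['safe', 'unsafe'],
  evalTaming: ['safeEval', 'unsafeEval', 'noEval'],
  stackFiltering: ['concise', 'verbose'],
  overrideTaming: ['moderate', 'min', 'severe'],
  domainTaming: ['safe', 'unsafe'],
};
const DEPRECATED = new Set(['dateTaming', 'mathTaming']); // per the type comments

// Returns one finding per issue; an empty array means nothing to review.
// `accepted` (hypothetical) lists relaxations the team has signed off on.
function auditLockdownOptions(options = {}, accepted = []) {
  const findings = [];
  const add = (key, level, msg) => findings.push({ key, level, msg });
  for (const [key, value] of Object.entries(options)) {
    if (key === 'overrideDebug') {
      const ok = Array.isArray(value) && value.every((v) => typeof v === 'string');
      if (!ok) add(key, 'error', 'expected an array of strings');
      continue;
    }
    const allowed = Object.prototype.hasOwnProperty.call(ALLOWED, key) ? ALLOWED[key] : null;
    if (!allowed) { add(key, 'error', 'unknown option (typo?)'); continue; }
    if (!allowed.includes(value)) {
      add(key, 'error', `expected one of: ${allowed.join(', ')}`);
      continue;
    }
    if (DEPRECATED.has(key)) add(key, 'deprecated', 'marked deprecated in types.d.ts');
    // Assumption: any value spelled "unsafe..." is a relaxation worth a review.
    if (String(value).startsWith('unsafe')) {
      add(key, accepted.includes(key) ? 'accepted' : 'review', `'${value}' relaxes taming`);
    }
  }
  return findings;
}

// Constructed sample: the thread's option plus an unreviewed relaxation,
// a misspelled key and a deprecated option.
const sample = { consoleTaming: 'unsafe', errorTaming: 'unsafe', consoleTamming: 'safe', mathTaming: 'safe' };
console.log(auditLockdownOptions(sample, ['consoleTaming']));
```

Run in CI, a non-empty list of `review` or `error` findings can fail the build until the option is either removed or added to the accepted list.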