diff --git a/docs/breakingchanges-0.63.md b/docs/breakingchanges-0.63.md deleted file mode 100644 index 5effc36d24b..00000000000 --- a/docs/breakingchanges-0.63.md +++ /dev/null @@ -1,92 +0,0 @@ - -# Breaking changes for 0.63 - -## Managed C# projects -In 0.63 we have deprecated the Microsoft.ReactNative.SharedManaged project in favor of a proper library reference. If you only have cpp projects, no action is needed. If you have a C# app or C# native module, to update your project please perform the following actions: - -### At least one C# project - -1. Update your `.sln` file in the following ways: - 1. Replace the shared project with the regular project: - ```diff - - Project("{D954291E-2A0B-460D-934E-DC6B0785DB48}") = "Microsoft.ReactNative.SharedManaged", "..\..\..\vnext\Microsoft.ReactNative.SharedManaged\Microsoft.ReactNative.SharedManaged.shproj", "{67A1076F-7790-4203-86EA-4402CCB5E782}" - + Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "Microsoft.ReactNative.Managed", "..\node_modules\react-native-windows\Microsoft.ReactNative.Managed\Microsoft.ReactNative.Managed.csproj", "{F2824844-CE15-4242-9420-308923CD76C3}" - ``` - 1. Remove the shared project section of the old project: - ```diff - GlobalSection(SharedMSBuildProjectFiles) = preSolution - - ..\..\..\vnext\Microsoft.ReactNative.SharedManaged\Microsoft.ReactNative. SharedManaged.projitems*{67a1076f-7790-4203-86ea-4402ccb5e782}*SharedItemsImports = 13 - ``` - 1. Insert the configuration section for the new project - ```diff - GlobalSection(ProjectConfigurationPlatforms) = postSolution - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|ARM.ActiveCfg = Debug|ARM - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|ARM.Build.0 = Debug|ARM - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|ARM64.ActiveCfg = Debug|ARM64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|ARM64.Build.0 = Debug|ARM64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|x64.ActiveCfg = Debug|x64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|x64.Build.0 = Debug|x64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|x86.ActiveCfg = Debug|x86 - + {F2824844-CE15-4242-9420-308923CD76C3}.Debug|x86.Build.0 = Debug|x86 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|ARM.ActiveCfg = Release|ARM - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|ARM.Build.0 = Release|ARM - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|ARM64.ActiveCfg = Release|ARM64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|ARM64.Build.0 = Release|ARM64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|x64.ActiveCfg = Release|x64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|x64.Build.0 = Release|x64 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|x86.ActiveCfg = Release|x86 - + {F2824844-CE15-4242-9420-308923CD76C3}.Release|x86.Build.0 = Release|x86 - EndGlobalSection - ``` - 1. Update the folder structure in the solution - ```diff - GlobalSection(NestedProjects) = preSolution - - {FCA38F3C-7C73-4C47-BE4E-32F77FA8538D} = {5EA20F54-880A-49F3-99FA-4B3FE54E8AB1} - + {F2824844-CE15-4242-9420-308923CD76C3} = {5EA20F54-880A-49F3-99FA-4B3FE54E8AB1} - EndGlobalSection - ``` -1. Open file `App.xaml.cs` - and ensure that you add a call to register the types in this through Reflection and remove the comment that the main provider handles modules in this project - ```diff - - PackageProviders.Add(new Microsoft.ReactNative.Managed.ReactPackageProvider()); // Includes any modules in this project - + PackageProviders.Add(new Microsoft.ReactNative.Managed.ReactPackageProvider()); - + PackageProviders.Add(new ReflectionReactPackageProvider()); - ``` - - > note: this will change when codegen becomes default -1. Update your App `.csproj` file in the following way (Only if you created the project before 0.62) - 1. Check if has an import for `Microsoft.ReactNative.SharedManaged` - 1. Add the following to the top of your `.csproj` - ```diff - - - + - + $([MSBuild]::GetDirectoryNameOfFileAbove($(MSBuildThisFileDirectory), 'node_modules\react-native-windows\package.json'))\node_modules\react-native-windows\ - + - + - ``` - 1. Add the following to the bottom of your `.csproj` file: - ```diff - + - - ``` - 1. Remove references to `Microsoft.ReactNative` and Xaml: - ```diff - - - - {f7d32bd0-2749-483e-9a0d-1635ef7e3136} - - Microsoft.ReactNative - - - - - - 2.3.191129002 - - - ``` - 1. Remove references to `Microsoft.ReactNative.SharedManaged` - ```diff - - - ``` - 1. Remove imports for bundeling - ```diff - - - - - ``` - diff --git a/docs/security-best-practices.md b/docs/security-best-practices.md deleted file mode 100644 index ec50238d3ad..00000000000 --- a/docs/security-best-practices.md +++ /dev/null @@ -1,503 +0,0 @@ -# Security Best Practices for React Native Windows - -This document outlines security best practices for developing applications with React Native Windows, focusing on secure coding patterns, API usage, and common security pitfalls to avoid. - -## Table of Contents - -- [Secure Development Practices](#secure-development-practices) -- [Native Module Security](#native-module-security) -- [WebView Security](#webview-security) -- [Data Protection](#data-protection) -- [Network Security](#network-security) -- [Common Security Pitfalls](#common-security-pitfalls) - -## Secure Development Practices - -### Input Validation - -Always validate inputs in native modules and JavaScript code: - -```cpp -// Native module input validation example -REACT_METHOD(ProcessUserInput) -void ProcessUserInput(std::string userInput) noexcept { - // Validate input length - if (userInput.length() > MAX_INPUT_LENGTH) { - // Log security event and reject - return; - } - - // Sanitize input - std::string sanitized = SanitizeInput(userInput); - - // Process sanitized input - ProcessSafeInput(sanitized); -} -``` - -```javascript -// JavaScript input validation -function validateUserInput(input) { - if (typeof input !== 'string' || input.length > 1000) { - throw new Error('Invalid input'); - } - - // Remove potentially dangerous characters - return input.replace(/[<>\"'&]/g, ''); -} -``` - -### Memory Management - -Use RAII and smart pointers in native code: - -```cpp -#include - -class SecureNativeModule { -public: - void ProcessData(const std::vector& data) { - // Use smart pointers for automatic cleanup - auto buffer = std::make_unique(data.size()); - - // Process data safely - std::copy(data.begin(), data.end(), buffer.get()); - - // Automatic cleanup when scope exits - } -}; -``` - -### Error Handling - -Implement secure error handling that doesn't leak sensitive information: - -```cpp -REACT_METHOD(SecureOperation) -void SecureOperation(std::string input, ReactPromise promise) noexcept { - try { - auto result = PerformSecureOperation(input); - promise.Resolve(result); - } - catch (const SecurityException& e) { - // Log detailed error internally - LogSecurityEvent(e.what()); - - // Return generic error to client - promise.Reject("Operation failed"); - } - catch (const std::exception& e) { - // Log error and return generic message - LogError(e.what()); - promise.Reject("An error occurred"); - } -} -``` - -## Native Module Security - -### Windows Security API Integration - -Use Windows security APIs through native modules: - -```cpp -#include -#include - -using namespace winrt::Windows::Security::Cryptography; -using namespace winrt::Windows::Storage::Streams; - -REACT_METHOD(GenerateSecureRandom) -void GenerateSecureRandom(int length, ReactPromise promise) noexcept { - try { - // Use Windows cryptographically secure random generation - auto buffer = CryptographicBuffer::GenerateRandom(length); - auto base64 = CryptographicBuffer::EncodeToBase64String(buffer); - - promise.Resolve(winrt::to_string(base64)); - } - catch (...) { - promise.Reject("Failed to generate random data"); - } -} -``` - -### Credential Management - -Implement secure credential handling: - -```cpp -#include - -using namespace winrt::Windows::Security::Credentials; - -REACT_METHOD(StoreCredential) -void StoreCredential(std::string resource, std::string userName, - std::string password, ReactPromise promise) noexcept { - try { - PasswordVault vault; - PasswordCredential credential( - winrt::to_hstring(resource), - winrt::to_hstring(userName), - winrt::to_hstring(password) - ); - - vault.Add(credential); - promise.Resolve(true); - } - catch (...) { - promise.Reject("Failed to store credential"); - } -} -``` - -## WebView Security - -### Secure WebView Configuration - -Configure WebView2 with appropriate security settings: - -```cpp -// WebView2 security configuration -auto webviewOptions = WebView2::CoreWebView2CreationProperties(); -webviewOptions.put_AdditionalBrowserArguments( - L"--disable-web-security=false " - L"--enable-features=msWebView2BrowserHitTesting " - L"--force-effective-connection-type=4g" -); - -// Configure content security -webview.NavigationStarting([](auto&&, auto&& args) { - auto uri = args.Uri(); - - // Validate allowed origins - if (!IsAllowedOrigin(uri)) { - args.Cancel(true); - } -}); -``` - -### Content Security Policy - -Implement Content Security Policy for web content: - -```html - - -``` - -### Origin Validation - -Validate message origins in WebView communication: - -```javascript -// JavaScript side - validate message origin -window.addEventListener('message', (event) => { - // Validate origin - if (event.origin !== 'https://trusted-domain.com') { - return; - } - - // Process trusted message - handleTrustedMessage(event.data); -}); -``` - -```cpp -// Native side - validate WebView messages -webview.WebMessageReceived([](auto&&, auto&& args) { - auto message = args.TryGetWebMessageAsString(); - - // Validate message format and content - if (!IsValidMessage(message)) { - return; - } - - ProcessValidMessage(message); -}); -``` - -## Data Protection - -### Encryption - -Use Windows encryption APIs for sensitive data: - -```cpp -#include - -using namespace winrt::Windows::Security::Cryptography::Core; - -REACT_METHOD(EncryptData) -void EncryptData(std::string plaintext, ReactPromise promise) noexcept { - try { - // Use AES encryption - auto algorithm = SymmetricKeyAlgorithmProvider::OpenAlgorithm( - SymmetricAlgorithmNames::AesGcm()); - - auto key = algorithm.GenerateKey(256 / 8); // 256-bit key - - auto plaintextBuffer = CryptographicBuffer::ConvertStringToBinary( - winrt::to_hstring(plaintext), BinaryStringEncoding::Utf8); - - auto encryptedBuffer = CryptographicEngine::Encrypt( - key, plaintextBuffer, nullptr); - - auto base64 = CryptographicBuffer::EncodeToBase64String(encryptedBuffer); - promise.Resolve(winrt::to_string(base64)); - } - catch (...) { - promise.Reject("Encryption failed"); - } -} -``` - -### Secure Storage - -Implement secure local storage: - -```javascript -import {NativeModules} from 'react-native'; -const {SecureStorage} = NativeModules; - -class SecureDataManager { - static async storeSecureData(key, data) { - try { - // Encrypt data before storage - const encrypted = await SecureStorage.encrypt(JSON.stringify(data)); - await SecureStorage.store(key, encrypted); - } catch (error) { - console.error('Failed to store secure data:', error); - throw error; - } - } - - static async retrieveSecureData(key) { - try { - const encrypted = await SecureStorage.retrieve(key); - if (!encrypted) return null; - - const decrypted = await SecureStorage.decrypt(encrypted); - return JSON.parse(decrypted); - } catch (error) { - console.error('Failed to retrieve secure data:', error); - throw error; - } - } -} -``` - -## Network Security - -### TLS Configuration - -Ensure proper TLS configuration for network requests: - -```javascript -// Use HTTPS for all network requests -const API_BASE_URL = 'https://api.example.com'; - -class SecureNetworking { - static async makeSecureRequest(endpoint, options = {}) { - const url = `${API_BASE_URL}${endpoint}`; - - const secureOptions = { - ...options, - // Ensure HTTPS - method: options.method || 'GET', - headers: { - 'Content-Type': 'application/json', - ...options.headers, - }, - }; - - // Add request validation - if (!url.startsWith('https://')) { - throw new Error('Only HTTPS requests are allowed'); - } - - try { - const response = await fetch(url, secureOptions); - - if (!response.ok) { - throw new Error(`HTTP ${response.status}: ${response.statusText}`); - } - - return await response.json(); - } catch (error) { - console.error('Network request failed:', error); - throw error; - } - } -} -``` - -### Certificate Pinning - -Implement certificate pinning for critical connections: - -```cpp -// Certificate pinning in native module -REACT_METHOD(MakePinnedRequest) -void MakePinnedRequest(std::string url, ReactPromise promise) noexcept { - try { - // Validate certificate against pinned certificate - if (!ValidateCertificatePinning(url)) { - promise.Reject("Certificate pinning validation failed"); - return; - } - - // Make secure request - auto result = MakeSecureHttpRequest(url); - promise.Resolve(result); - } - catch (...) { - promise.Reject("Request failed"); - } -} -``` - -## Common Security Pitfalls - -### Avoid These Patterns - -#### ❌ Insecure Random Number Generation - -```javascript -// Don't use Math.random() for security-sensitive operations -const insecureToken = Math.random().toString(36); -``` - -#### ✅ Use Cryptographically Secure Random - -```javascript -import {NativeModules} from 'react-native'; -const {WindowsSecurity} = NativeModules; - -const secureToken = await WindowsSecurity.generateSecureRandom(32); -``` - -#### ❌ Storing Sensitive Data in Plain Text - -```javascript -// Don't store sensitive data unencrypted -AsyncStorage.setItem('password', plainTextPassword); -``` - -#### ✅ Use Secure Storage - -```javascript -// Use encrypted storage for sensitive data -await SecureDataManager.storeSecureData('credentials', { - username, - password -}); -``` - -#### ❌ Insufficient Input Validation - -```cpp -// Don't trust user input -void ProcessInput(std::string input) { - // Direct usage without validation - DANGEROUS - ExecuteCommand(input); -} -``` - -#### ✅ Comprehensive Input Validation - -```cpp -// Validate and sanitize all inputs -void ProcessInput(std::string input) { - if (!IsValidInput(input)) { - throw SecurityException("Invalid input"); - } - - auto sanitized = SanitizeInput(input); - ExecuteCommand(sanitized); -} -``` - -### Security Testing - -#### Unit Tests for Security Functions - -```cpp -// Test security functions -TEST_CLASS(SecurityTests) { -public: - TEST_METHOD(TestInputValidation) { - // Test with valid input - ASSERT_TRUE(IsValidInput("normal_input")); - - // Test with malicious input - ASSERT_FALSE(IsValidInput("")); - ASSERT_FALSE(IsValidInput("'; DROP TABLE users; --")); - } - - TEST_METHOD(TestEncryption) { - std::string plaintext = "sensitive data"; - auto encrypted = EncryptData(plaintext); - auto decrypted = DecryptData(encrypted); - - ASSERT_EQ(plaintext, decrypted); - ASSERT_NE(plaintext, encrypted); - } -}; -``` - -### Security Monitoring - -#### Logging Security Events - -```cpp -class SecurityLogger { -public: - static void LogSecurityEvent(const std::string& event, - const std::string& details) { - // Log to Windows Event Log - auto eventLog = winrt::Windows::ApplicationModel::Core::CoreApplication::MainView() - .CoreWindow().Dispatcher(); - - // Log security events for monitoring - OutputDebugStringA(("SECURITY: " + event + " - " + details).c_str()); - } -}; -``` - -## Security Checklist - -### Development Phase - -- [ ] Input validation implemented for all user inputs -- [ ] Memory management uses RAII and smart pointers -- [ ] Error handling doesn't leak sensitive information -- [ ] Cryptographically secure random number generation -- [ ] Sensitive data encrypted before storage - -### Testing Phase - -- [ ] Security unit tests implemented -- [ ] Input validation tests with malicious inputs -- [ ] Encryption/decryption functionality tested -- [ ] Certificate validation tested -- [ ] WebView security configuration validated - -### Deployment Phase - -- [ ] HTTPS enforced for all network communications -- [ ] Certificate pinning implemented for critical services -- [ ] Content Security Policy configured for WebViews -- [ ] Sensitive information removed from production builds -- [ ] Security logging and monitoring enabled - ---- - -**Document Version**: 1.0 -**Last Updated**: October 14, 2025 -**Related**: [Security Configuration Guide](security-configuration.md) diff --git a/docs/security-configuration.md b/docs/security-configuration.md deleted file mode 100644 index 56add17c7ac..00000000000 --- a/docs/security-configuration.md +++ /dev/null @@ -1,360 +0,0 @@ -# Security Configuration Guide - -This document provides comprehensive security configuration guidance for React Native Windows development, covering build-time security settings, runtime configurations, and security best practices for SDL compliance. - -## Table of Contents - -- [Build Security Configuration](#build-security-configuration) -- [Runtime Security Configuration](#runtime-security-configuration) -- [Security Features and APIs](#security-features-and-apis) -- [Development Security Best Practices](#development-security-best-practices) -- [Security Testing](#security-testing) -- [SDL Compliance](#sdl-compliance) - -## Build Security Configuration - -### MSBuild Security Settings - -React Native Windows incorporates comprehensive security configurations through MSBuild property sheets in `vnext/PropertySheets/`. - -#### Core Security Flags - -The `React.Cpp.props` file enables essential security mitigations: - -```xml - - - - Guard - - - Spectre - - - ProgramDatabase - - - false - - -``` - -#### SDL Compiler Warnings - -The `Warnings.props` file enforces SDL-compliant warning levels: - -```xml - - - - true - - - Level4 - - - /permissive- %(AdditionalOptions) - - -``` - -#### SDL Mandatory Warnings - -React Native Windows enables SDL mandatory warnings (configured in `PropertySheets/Warnings.props`): - -- **C4287**: Unsigned/negative constant mismatch -- **C4365**: Signed/unsigned mismatch -- **C4388**: Signed/unsigned mismatch in comparison -- **C4545**: Expression before comma evaluates to function missing argument list -- **C4546**: Function call before comma missing argument list -- **C4547**: Operator before comma has no effect -- **C4549**: Operator before comma has no effect - -### Security Build Configuration - -#### Directory.Build.props Security Settings - -The root `Directory.Build.props` includes security-focused build configurations: - -- **Symbol Generation**: Enables PDB generation for security analysis -- **Platform Toolset**: Enforces modern, secure compiler versions -- **NuGet Security**: Secure package restore with lock files - -#### Azure DevOps Security Pipeline - -The `.ado/publish.yml` pipeline incorporates: - -1. **Symbol Publishing**: PublishSymbols@2 task for MSRC security response -2. **Security Scanning**: Integrated vulnerability detection -3. **Build Validation**: Security policy enforcement - -## Runtime Security Configuration - -### Platform Security Integration - -React Native Windows leverages Windows platform security: - -#### TLS and Network Security - -- **Platform TLS Enforcement**: Inherits Windows system TLS policies -- **WebView2 Security**: Automatic HTTPS enforcement and certificate validation -- **Secure Network Defaults**: Framework provides secure networking configurations - -#### Certificate Validation - -Certificate validation is handled automatically by the Windows platform: - -```javascript -// Certificate validation works automatically through Windows networking stack -// WebView2 enforces HTTPS and proper certificate validation -// No custom TLS bypass mechanisms are provided -``` - -### WebView Security - -React Native Windows uses WebView2 with comprehensive security controls: - -#### Sandboxing and Isolation - -- **Process Isolation**: WebView2 runs in separate security context -- **Origin Restrictions**: Prevents unauthorized cross-origin access -- **Content Security Policy**: Enforces security boundaries - -#### Security Configuration Example - -```cpp -// WebView2 security settings in Microsoft.ReactNative -webviewEnvironmentOptions.put_AdditionalBrowserArguments( - L"--disable-web-security=false --enable-features=msWebView2BrowserHitTesting" -); -``` - -## Security Features and APIs - -### Windows Security API Integration - -React Native Windows provides secure access to Windows security APIs through native modules: - -#### Cryptography APIs - -```javascript -// Access to Windows.Security.Cryptography through native bridge -import {NativeModules} from 'react-native'; - -// Example: Secure random number generation -const {WindowsSecurity} = NativeModules; -const randomBytes = await WindowsSecurity.generateRandom(32); - -// Example: Hash computation using platform APIs -const hash = await WindowsSecurity.computeHash('SHA256', data); -``` - -#### Credential Management - -```javascript -// Integration with Windows.Security.Credentials -const {WindowsCredentials} = NativeModules; - -// Secure credential storage -await WindowsCredentials.storeCredential({ - resource: 'MyApp', - userName: 'user@example.com', - password: 'securePassword' -}); -``` - -### Code Signature Verification - -React Native Windows implements signature verification for downloaded dependencies in `vnext/Scripts/rnw-dependencies.ps1`: - -```powershell -# Verify digital signature of downloaded files -$signature = Get-AuthenticodeSignature -FilePath $downloadedFile -if ($signature.Status -ne "Valid") { - throw "Invalid signature: File signature verification failed" -} - -# Ensure Microsoft signed content -if ($signature.SignerCertificate.Subject -notlike "*Microsoft*") { - throw "Invalid publisher: File must be signed by Microsoft" -} -``` - -## Development Security Best Practices - -### Secure Coding Guidelines - -#### Input Validation - -- **Validate All Inputs**: Implement comprehensive input validation in native modules -- **Sanitize Data**: Properly escape and sanitize user inputs before processing -- **Bounds Checking**: Ensure array and buffer bounds are validated - -#### Memory Safety - -- **RAII Patterns**: Use Resource Acquisition Is Initialization -- **Smart Pointers**: Prefer `std::unique_ptr` and `std::shared_ptr` over raw pointers -- **Buffer Overflow Protection**: Enabled through `/GS` compiler flag - -#### Error Handling - -- **Secure Error Messages**: Avoid exposing sensitive information in error messages -- **Exception Safety**: Implement proper exception handling with RAII -- **Security Logging**: Ensure logs don't contain sensitive data - -### Dependencies Security - -#### Package Management - -- **Vulnerability Scanning**: Automated scanning in CI/CD pipeline -- **Regular Updates**: Keep dependencies updated to latest secure versions -- **Lock Files**: Use package lock files for reproducible, secure builds - -#### Native Dependencies - -- **Code Signature Verification**: All native dependencies verified during download -- **Trusted Sources**: Download only from official Microsoft and trusted sources -- **Integrity Validation**: Verify checksums and digital signatures - -## Security Testing - -### Static Analysis - -Security testing is integrated into the build process: - -#### Compiler-Based Analysis - -- **Warning as Errors**: All security warnings treated as build failures -- **Static Analysis**: Integrated `/analyze` compiler flag for security analysis -- **Code Analysis**: PREfast security rule enforcement - -#### CI/CD Integration - -```yaml -# Example from .ado/publish.yml -- task: MSBuild@1 - inputs: - solution: 'vnext/Microsoft.ReactNative.sln' - msbuildArguments: '/p:RunCodeAnalysis=true /p:TreatWarningsAsErrors=true' -``` - -### Dynamic Testing - -#### Security Testing Framework - -- **Unit Tests**: Security-focused unit testing -- **Integration Tests**: Security boundary validation -- **Penetration Testing**: Regular security assessments - -## SDL Compliance - -React Native Windows maintains compliance with Microsoft Security Development Lifecycle requirements: - -### SDL Requirements Status - -#### ✅ Compiler Requirements (Policy: Microsoft.Security.CE.10019) - -- **Azure DevOps CI/CD**: Security-enabled build pipelines -- **MSBuild Security Flags**: Control Flow Guard, Spectre mitigation enabled -- **Symbol Publishing**: Integrated for Microsoft Security Response Center support -- **Static Analysis**: Security analysis integrated in build process - -#### ✅ TLS Implementation - -- **Platform TLS Enforcement**: Windows system-level TLS policies -- **WebView2 Security**: Automatic HTTPS and certificate validation -- **No Custom TLS Bypass**: Framework uses secure platform defaults - -#### ✅ Secret & Storage Management - -- **Windows.Security.Cryptography**: Platform cryptography API access -- **PasswordVault Integration**: Secure credential storage through Windows APIs -- **Enterprise Credential Support**: Windows enterprise credential integration - -#### ✅ Web Content Security - -- **WebView2 Sandboxing**: Proper content isolation and security boundaries -- **Content Security Policy**: Security policy enforcement -- **Origin Restrictions**: Prevents unauthorized cross-origin access - -#### ✅ Code Signature Verification (Policy: Microsoft.Security.CE.10121) - -- **Download Verification**: All downloads verified with digital signatures -- **Microsoft Publisher Validation**: Ensures content is Microsoft-signed -- **Integrity Checking**: Cryptographic integrity validation - -### Compliance Documentation - -Security compliance is documented through: - -1. **Evidence Collection**: Comprehensive security implementation documentation -2. **Risk Assessment**: Regular security risk evaluations -3. **Compliance Verification**: Systematic SDL requirement validation -4. **Security Attestation**: Formal security approval processes - -### Security Review Process - -#### Code Review Requirements - -1. **Security-Focused Reviews**: All security-sensitive code changes require security review -2. **Architecture Reviews**: Major changes undergo security architecture review -3. **Threat Modeling**: New features require threat modeling analysis -4. **Security Sign-off**: Security team approval for security-critical changes - -## Security Configuration Checklist - -### Build Configuration - -- [ ] Control Flow Guard enabled in `React.Cpp.props` -- [ ] Spectre mitigation enabled in `React.Cpp.props` -- [ ] Warnings as errors configured in `Warnings.props` -- [ ] SDL mandatory warnings enabled -- [ ] Symbol generation enabled for security analysis - -### Runtime Configuration - -- [ ] Platform TLS enforcement verified -- [ ] WebView2 security settings validated -- [ ] Certificate validation working properly -- [ ] Secure credential storage configured - -### Development Process - -- [ ] Security code reviews implemented -- [ ] Static analysis tools integrated in CI/CD -- [ ] Vulnerability scanning automated -- [ ] Security testing in build pipeline - -### Dependencies - -- [ ] Package vulnerability scanning enabled -- [ ] Code signature verification implemented in `rnw-dependencies.ps1` -- [ ] Trusted source validation configured -- [ ] Regular security updates scheduled - -## Additional Resources - -### Security Documentation - -- [Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl) -- [Windows UWP Security Docs](https://learn.microsoft.com/en-us/windows/uwp/security/) -- [WebView2 Security Guide](https://learn.microsoft.com/en-us/microsoft-edge/webview2/concepts/security) - -### React Native Windows Security Implementation - -- **MSBuild Configuration**: See `vnext/PropertySheets/` for security build settings -- **Security APIs**: See `vnext/Microsoft.ReactNative/Modules/` for Windows security API usage -- **CI/CD Security**: See `.ado/` directory for security pipeline configurations -- **Dependency Security**: See `vnext/Scripts/rnw-dependencies.ps1` for signature verification - -### Support and Contacts - -- **Security Issues**: Report security vulnerabilities to Microsoft Security Response Center (MSRC) -- **SDL Compliance**: Contact React Native Windows security team for compliance questions -- **Architecture Reviews**: Engage security architects for design reviews - ---- - -**Document Version**: 1.0 -**Last Updated**: October 14, 2025 -**SDL Compliance**: Microsoft.Security.CE.10119, Microsoft.Security.CE.10019, Microsoft.Security.CE.10121 diff --git a/docs/security-process.md b/docs/security-process.md deleted file mode 100644 index 1fb7c120598..00000000000 --- a/docs/security-process.md +++ /dev/null @@ -1,375 +0,0 @@ -# Security Review Process - -This document outlines the security review process for React Native Windows development, including security milestones, review procedures, and compliance verification. - -## Overview - -React Native Windows follows Microsoft Security Development Lifecycle (SDL) requirements for continuous security assurance. This process ensures all code changes undergo appropriate security review and validation. - -## Security Review Requirements - -### Code Review Security Gates - -All code changes must pass security review gates based on change classification: - -#### 1. Standard Code Changes - -- **Security Impact Assessment**: Automated security impact analysis -- **Peer Review**: Security-aware code review by team members -- **Static Analysis**: Automated security scanning in CI/CD pipeline -- **Approval Required**: Standard approval from code reviewers - -#### 2. Security-Sensitive Changes - -Changes that require enhanced security review: - -- Native module modifications accessing Windows security APIs -- WebView security configuration changes -- Cryptographic implementation changes -- Network security configuration modifications -- Build system security changes - -**Enhanced Review Process:** - -- **Security Architecture Review**: Security team review for design changes -- **Threat Modeling**: Analysis of security implications -- **Security Testing**: Additional security-focused testing requirements -- **Security Approval**: Explicit security team sign-off required - -#### 3. Critical Security Changes - -Changes with high security impact: - -- Authentication/authorization system changes -- Core security API modifications -- Security policy implementations -- Compliance-related changes - -**Critical Review Process:** - -- **Security Design Review**: Formal security architecture review -- **Comprehensive Threat Modeling**: Full threat analysis and mitigation planning -- **Security Testing**: Comprehensive security testing including penetration testing -- **Security Lead Approval**: Security lead approval required -- **Documentation**: Updated security documentation and compliance evidence - -### Security Milestone Requirements - -Security milestones are integrated into the development lifecycle: - -#### Design Phase - -- [ ] **Threat Model Created**: Comprehensive threat modeling for new features -- [ ] **Security Requirements Defined**: Clear security requirements documented -- [ ] **Security Architecture Review**: Security team review of design -- [ ] **Privacy Impact Assessment**: Privacy implications analyzed - -#### Implementation Phase - -- [ ] **Secure Coding Standards**: SDL coding standards followed -- [ ] **Security API Usage**: Proper use of Windows security APIs -- [ ] **Input Validation**: Comprehensive input validation implemented -- [ ] **Error Handling**: Secure error handling patterns implemented - -#### Testing Phase - -- [ ] **Security Unit Tests**: Security-focused unit tests implemented -- [ ] **Static Analysis Clean**: No security warnings in static analysis -- [ ] **Dynamic Security Testing**: Security testing passed -- [ ] **Vulnerability Assessment**: Security vulnerability scanning completed - -#### Release Phase - -- [ ] **Security Documentation**: Security documentation updated -- [ ] **Compliance Verification**: SDL compliance requirements verified -- [ ] **Security Sign-off**: Security team approval obtained -- [ ] **Incident Response Plan**: Security incident response procedures validated - -## Security Testing Requirements - -### Automated Security Testing - -Integrated security testing in CI/CD pipeline: - -#### Static Analysis - -```yaml -# Security static analysis in Azure DevOps pipeline -- task: MSBuild@1 - displayName: 'Build with Security Analysis' - inputs: - solution: 'vnext/Microsoft.ReactNative.sln' - msbuildArguments: > - /p:RunCodeAnalysis=true - /p:TreatWarningsAsErrors=true - /p:EnableSDLRecommendedRules=true -``` - -#### Security Scanning - -```yaml -# Vulnerability scanning -- task: ComponentGovernanceComponentDetection@0 - displayName: 'Component Detection' - inputs: - scanType: 'Register' - verbosity: 'Verbose' - alertWarningLevel: 'High' -``` - -### Manual Security Testing - -#### Security Test Cases - -1. **Input Validation Testing** - - Malicious input injection testing - - Boundary condition testing - - Format string vulnerability testing - -2. **Authentication Testing** - - Credential storage security testing - - Authentication bypass testing - - Session management testing - -3. **WebView Security Testing** - - Cross-site scripting (XSS) testing - - Content Security Policy validation - - Origin validation testing - -4. **Cryptography Testing** - - Encryption/decryption validation - - Key management testing - - Random number generation testing - -### Security Testing Documentation - -Security testing results must be documented: - -```markdown -## Security Test Report - -### Test Summary -- **Test Date**: [Date] -- **Test Scope**: [Scope] -- **Tester**: [Name] -- **Test Environment**: [Environment] - -### Test Results -- **Input Validation**: ✅ PASS -- **Authentication**: ✅ PASS -- **WebView Security**: ✅ PASS -- **Cryptography**: ✅ PASS - -### Issues Identified -- None - -### Security Approval -Approved by: [Security Team Member] -Date: [Date] -``` - -## Compliance Verification - -### SDL Compliance Checklist - -Regular verification of SDL compliance requirements: - -#### Build Security Compliance - -- [ ] **Control Flow Guard**: Enabled in build configuration -- [ ] **Spectre Mitigation**: Enabled for all native code -- [ ] **SDL Warnings**: All SDL mandatory warnings enabled as errors -- [ ] **Static Analysis**: Security analysis integrated in build process -- [ ] **Symbol Publishing**: Debug symbols published for security response - -#### Runtime Security Compliance - -- [ ] **TLS Enforcement**: Platform TLS enforcement validated -- [ ] **Certificate Validation**: Proper certificate validation implemented -- [ ] **Secure Storage**: Encrypted storage for sensitive data -- [ ] **WebView Security**: Secure WebView configuration validated - -#### Development Process Compliance - -- [ ] **Security Training**: Team security training completed -- [ ] **Security Reviews**: Security review process followed -- [ ] **Vulnerability Management**: Vulnerability response process established -- [ ] **Incident Response**: Security incident response procedures documented - -### Compliance Attestation Process - -Regular SDL compliance attestation: - -#### Quarterly Compliance Review - -1. **Evidence Collection**: Gather compliance evidence -2. **Gap Analysis**: Identify compliance gaps -3. **Remediation Planning**: Plan remediation for any gaps -4. **Attestation**: Formal compliance attestation - -#### Annual Security Assessment - -1. **Comprehensive Review**: Full security posture assessment -2. **Threat Model Update**: Update threat models -3. **Security Architecture Review**: Review security architecture -4. **Compliance Certification**: Annual compliance certification - -## Security Incident Response - -### Incident Classification - -Security incidents are classified by severity: - -#### Critical (P0) - -- Active exploitation of security vulnerability -- Data breach or exposure of sensitive information -- Complete system compromise - -**Response Time**: 2 hours -**Response Team**: Security lead, engineering lead, product manager - -#### High (P1) - -- Security vulnerability with high impact -- Potential for data exposure -- Security control bypass - -**Response Time**: 24 hours -**Response Team**: Security team member, engineering team - -#### Medium (P2) - -- Security vulnerability with medium impact -- Security policy violation -- Configuration issue with security implications - -**Response Time**: 72 hours -**Response Team**: Engineering team with security consultation - -#### Low (P3) - -- Minor security issue -- Security documentation gap -- Low-impact configuration issue - -**Response Time**: 1 week -**Response Team**: Engineering team - -### Incident Response Process - -1. **Detection and Reporting** - - Security monitoring systems - - Internal reporting - - External vulnerability reports - -2. **Initial Response** - - Incident classification - - Initial containment - - Stakeholder notification - -3. **Investigation** - - Root cause analysis - - Impact assessment - - Evidence collection - -4. **Remediation** - - Fix development - - Testing and validation - - Deployment coordination - -5. **Recovery** - - System restoration - - Monitoring enhancement - - Documentation update - -6. **Post-Incident Review** - - Lessons learned analysis - - Process improvement - - Prevention measures - -## Security Documentation Requirements - -### Security Documentation Updates - -Security documentation must be updated for: - -#### New Features - -- Security design documentation -- Threat model updates -- Security testing documentation -- User security guidance - -#### Security Changes - -- Security configuration updates -- API security documentation -- Security best practices updates -- Compliance documentation updates - -### Documentation Review Process - -1. **Technical Review**: Technical accuracy validation -2. **Security Review**: Security team review -3. **Compliance Review**: Compliance requirement validation -4. **Approval**: Final approval and publication - -## Security Training Requirements - -### Required Training - -All team members must complete: - -#### Initial Security Training - -- SDL fundamentals training -- Secure coding training -- Threat modeling training -- Security testing training - -#### Annual Refresher Training - -- Security update training -- New threat awareness training -- Compliance update training -- Incident response training - -### Role-Specific Training - -#### Developers - -- Secure coding practices -- Security API usage -- Vulnerability prevention -- Security testing techniques - -#### Security Team - -- Advanced threat modeling -- Security architecture -- Incident response -- Compliance management - -## Tools and Resources - -### Security Tools - -- **Static Analysis**: Visual Studio Code Analysis, PREfast -- **Dynamic Analysis**: Application Verifier, Dr. Memory -- **Vulnerability Scanning**: Component Governance, WhiteSource -- **Security Testing**: OWASP ZAP, Burp Suite - -### Documentation Resources - -- [Microsoft Security Development Lifecycle](https://www.microsoft.com/securityengineering/sdl) -- [SDL Process Guidance](https://www.microsoft.com/securityengineering/sdl/practices) -- [OWASP Security Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) -- [NIST Cybersecurity Framework](https://www.nist.gov/cyberframework) - ---- - -**Document Version**: 1.0 -**Last Updated**: October 14, 2025 -**Process Owner**: React Native Windows Security Team -**Related Documents**: [Security Configuration Guide](security-configuration.md), [Security Best Practices](security-best-practices.md) diff --git a/docs/testing-createRnwApp.md b/docs/testing-createRnwApp.md deleted file mode 100644 index fc024415963..00000000000 --- a/docs/testing-createRnwApp.md +++ /dev/null @@ -1,112 +0,0 @@ -# React Native Windows creaternwapp Testing Guide - -This document provides a comprehensive testing guide for validating React Native Windows creaternwapp functionality with both new architecture (Fabric) and old architecture (Paper/UWP). - -## Prerequisites - -1. Windows development environment with Visual Studio -2. Node.js and yarn installed -3. React Native Windows development dependencies -4. RNW_ROOT environment variable set (if using local development) - -## Test Scenarios - -The testing covers both stable and preview versions of React Native Windows: - -- **Stable Version**: Tests the latest stable release from npm -- **Preview Version**: Tests the latest preview release from npm - -### New Architecture (Fabric) Testing - -#### Debug Mode -```bash -# Step 1: Create new app with Fabric architecture -# For stable version: -creaternwapp.cmd /rnw latest TestAppFabricStable -# For preview version: -creaternwapp.cmd /rnw preview TestAppFabricPreview - -# Step 2: Navigate to app directory -cd TestAppFabric* - -# Step 3: Start Metro bundler -yarn start - -# Step 4: In a new terminal, build and run in debug mode -cd TestAppFabric* -yarn windows -``` - -#### Release Mode -```bash -# Using the same app created above, build in release mode -cd TestAppFabric* -yarn windows --release -``` - -## Validation Checklist - -### App Creation Validation -- [ ] App directory is created successfully -- [ ] package.json contains correct react-native-windows version -- [ ] windows directory is created with project files -- [ ] Solution (.sln) and project files are present -- [ ] Dependencies are installed correctly - -### Build Validation -- [ ] Debug build completes without errors -- [ ] Release build completes without errors -- [ ] App launches successfully -- [ ] No critical warnings in build output -- [ ] Bundle creation works (yarn start) - -### Architecture-Specific Validation - -#### Fabric (New Architecture) -- [ ] Uses modern Fabric renderer -- [ ] Supports new architecture features -- [ ] Compatible with latest React Native patterns - -## Expected Outcomes - -1. **Successful App Creation**: Both architectures should create functional React Native Windows apps for both stable and preview versions -2. **Version Consistency**: All apps should use the correct react-native-windows version (stable or preview as requested) -3. **Build Success**: Both debug and release builds should complete successfully -4. **Runtime Functionality**: Apps should launch and display the default React Native screen - -## Troubleshooting - -### Common Issues -- **Build Failures**: Check Visual Studio components and Windows SDK versions -- **Version Conflicts**: Ensure clean environment and correct package versions -- **Network Issues**: May need to configure npm/yarn registries -- **Version Mismatch**: Verify npm registry has the expected stable/preview versions available - -### Debugging Steps -1. Check creaternwapp.cmd output for errors -2. Verify package.json dependencies -3. Review build logs for specific error messages -4. Ensure all prerequisites are met -5. Verify npm registry connectivity and version availability - -## Automation Notes - -This testing can be automated in CI/CD environments using: -- Windows-based build agents -- Verdaccio for package registry testing -- MSBuild for compilation validation -- Automated deployment testing -- Npm registry queries to verify version availability - -The automated tests now include: -- **Stable Version Tests**: Automatically fetch and test the latest stable version from npm -- **Preview Version Tests**: Automatically fetch and test the latest preview version from npm -- **Version Validation**: Verify that the fetched versions exist and have correct dependencies - -## Documentation - -For additional information, see: -- React Native Windows documentation -- creaternwapp.cmd script source -- Template documentation in vnext/templates/ -- NPM package versions and tags for react-native-windows \ No newline at end of file