Red Titanium Code Obfuscation warning -- I'm confused by it


Ajay Goel

Sep 30, 2023, 12:34:02 PM
to Chromium Extensions
Hi there,

I have a long-standing extension in the Chrome Store with ID ehomdgjhgmbidokdgicgmdiedadncbgf. A few days ago I received a Red Titanium Code Obfuscation warning. The warning cited this:
  • Violation reference ID: Red Titanium
  • Violation: Having obfuscated code in the package.
  • Violating content:
    • Code snippet: gmassloader.js: var scriptstoget = ['https://' + loaderDomainCDN + '/ext2022/gmasssdk.js'
  • How to rectify: Replace the obfuscated code with human-readable code and resubmit the item.
I assumed that the warning was related to the obfuscation in the remotely loaded script gmasssdk.js. That script did have some minor obfuscation -- hex variables instead of human-readable variable names. So I UN-obfuscated that, and re-submitted, but the submission was rejected for the same reason.

Note that I'm still on Manifest V2, so I still have remotely loaded scripts.

Can anyone provide any insight as to why my submission after UN-obfuscating gmasssdk.js was rejected? Could it be that THIS actual line is considered obfuscated:

var scriptstoget = 'https://' + loaderDomainCDN + '/ext2022/gmasssdk.js'

loaderDomainCDN is just a variable representing the host that the script is retrieved from. The reason it's a variable is because different endpoints are tried until the script is successfully retrieved, since some networks block certain domains.

Thanks,
Ajay Goel


Deco

Sep 30, 2023, 12:37:45 PM
to Ajay Goel, Chromium Extensions
Yes, that's correct. The TL;DR is that since the variable is obfuscated, it doesn't provide its intention clearly and as such falls foul of this rule.

Cheers,
Deco


Ajay Goel

Sep 30, 2023, 12:43:39 PM
to Chromium Extensions, Deco, Chromium Extensions, Ajay Goel
That's shocking to me. Does that then mean that you're not allowed to set the value of any variable by concatenating strings with other variables? Doesn't that severely limit what you can do in JavaScript?

So what's the solution? How do I make that line compliant, without having to hard-code the value of loaderDomainCDN?

Stryder Crown

Sep 30, 2023, 1:44:57 PM
to Ajay Goel, Chromium Extensions, Deco
It sounds like a naive attempt to implement a constraint on malicious domains by preventing URLs from being constructed dynamically. In this particular case, you might be better suited by creating a (hardcoded) map/array of all your valid domains and cycling through that instead of concat'ing them.

Patrick Kettner

Sep 30, 2023, 1:50:50 PM
to Stryder Crown, Ajay Goel, Chromium Extensions, Deco
Speaking as someone on the Extensions team at Chrome...

If that was the only snippet listed as the violation, it sounds like a mistake of overzealous review. I would recommend opening an appeal via One Stop Support (https://support.google.com/chrome_webstore/contact/one_stop_support).

Ajay Goel

Sep 30, 2023, 5:06:05 PM
to Chromium Extensions, Stryder Crown, Chromium Extensions, Deco, Ajay Goel
Stryder:

That's exactly what I am doing (hard coded array of valid domains and cycling through). This is at the top of the code:

const arrayCDN = ["cdn.gmass.us", "cdn.apigma3.net", "cdn.gmass.co", "www.gmass.co", "ext.gmass.us", "cdn.gmapi1.net", "cdn.wordzen.com"];

And then the loop tries each endpoint until one succeeds.

Anyway, thanks for the insight. I could replace that line where the URL is dynamically constructed and just have a bunch of IF conditions with fixed URLs. Will probably try that.

ajay

Ajay Goel

Sep 30, 2023, 5:06:35 PM
to Chromium Extensions, Patrick Kettner, Ajay Goel, Chromium Extensions, Deco, Stryder Crown
Thanks Patrick. I actually did just that, this morning. So we'll see what happens.

Patrick Kettner

Sep 30, 2023, 5:16:31 PM
to Ajay Goel, Chromium Extensions, Deco, Stryder Crown
Can you share the ticket number?

Ajay Goel

Sep 30, 2023, 5:18:17 PM
to Chromium Extensions, Patrick Kettner, Chromium Extensions, Deco, Stryder Crown, Ajay Goel
Yes! It's:

6-9077000034747

Stryder Crown

Sep 30, 2023, 6:29:21 PM
to Ajay Goel, Chromium Extensions, Deco
I was suggesting storing the full URL, i.e. code below. But if someone can hand approve it (or indeed, didn't grok the original code) then no worries.

```
```
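
The approach discussed above, as an added example that is not code from any poster in this thread: every remote script URL is a complete string literal in a fixed list, so each origin is visible to a reviewer reading the package, and the loader falls back in order when a host is blocked. The host names come from the `arrayCDN` line quoted earlier (list abbreviated) and the path from the flagged snippet; `loadFirstAvailable`, `fakeFetch` and the injected `fetchImpl` are hypothetical names.

```javascript
// Added illustration, not code from the thread. Hosts are taken from the
// arrayCDN list quoted above (abbreviated); the path is from the flagged line.
const SDK_URLS = Object.freeze([
  "https://cdn.gmass.us/ext2022/gmasssdk.js",
  "https://cdn.apigma3.net/ext2022/gmasssdk.js",
  "https://cdn.gmass.co/ext2022/gmasssdk.js",
]);

// Try each literal URL in order and return the first successful response.
// fetchImpl is a hypothetical injection point (the global fetch in a real
// extension) so the fallback logic can be exercised offline.
async function loadFirstAvailable(urls, fetchImpl) {
  const failures = [];
  for (const url of urls) {
    try {
      const res = await fetchImpl(url);
      if (!res.ok) throw new Error("HTTP " + res.status);
      return { url, body: await res.text(), failures };
    } catch (err) {
      // A blocked or failing endpoint is recorded, then the next one is tried.
      failures.push({ url, reason: String(err.message || err) });
    }
  }
  const tried = failures.map((f) => f.url + " (" + f.reason + ")").join("; ");
  throw new Error("no endpoint reachable: " + tried);
}

// Constructed stand-in for a network that blocks some hosts or returns 503.
function fakeFetch(blockedHosts, failingHosts = []) {
  return async (url) => {
    const host = new URL(url).hostname;
    if (blockedHosts.includes(host)) throw new TypeError("Failed to fetch");
    if (failingHosts.includes(host)) return { ok: false, status: 503 };
    return { ok: true, status: 200, text: async () => "/* sdk via " + host + " */" };
  };
}

// Demo: first host blocked, second returns 503, third serves the script.
loadFirstAvailable(SDK_URLS, fakeFetch(["cdn.gmass.us"], ["cdn.apigma3.net"]))
  .then((r) => console.log("loaded from", r.url, "after", r.failures.length, "failures"));
```

Remotely hosted script loading of this kind applies only to the Manifest V2 case the original post describes; Manifest V3 does not allow remotely hosted code.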

Ajay Goel

Oct 1, 2023, 12:06:11 AM
to Chromium Extensions, Stryder Crown, Chromium Extensions, Deco, Ajay Goel
Ah, gotcha, makes sense. I will resort to that if my other avenues to remedy this situation fail. Thank you!

Ajay Goel

Oct 16, 2023, 1:14:36 AM
to Chromium Extensions, Ajay Goel, Chromium Extensions
For anyone still interested, and to help out others that find themselves in this position in the future, I finally got this resolved, but it took multiple back-and-forths with the developer support team.

Here's the full conversation minus the initial message I sent through the web-based support form:
https://dl.dropbox.com/scl/fi/8uouv3rug753qyll8a9mu/chrome_YL4nIGfZM8.png?rlkey=41jjckhbky1hvtc4q8l6l6a9j&dl=0

Stryder Crown

Oct 16, 2023, 11:44:53 AM
to Ajay Goel, Chromium Extensions
Am I reading this thread correctly?  They flagged your extension, then acknowledged it was entirely compliant and then said there was nothing they could do and made you re-submit the extension in its entirety?  Is that because the previous version was flagged?  If the parser that flagged this is clearly tagging false positives, is that being corrected/addressed or is this something we should all anticipate having to address in our submissions?

Oliver Dunk

Oct 17, 2023, 6:53:38 AM
to Stryder Crown, Ajay Goel, Chromium Extensions
Hi Stryder,

We aren't easily able to change the verdict on a specific submission, so sometimes the review team will ask for you to repeat your submission so we can more easily approve it. I would expect that to be a much faster review though since the extension has already been looked at.

We have a mix of automated and manual review and I can't say what specifically happened here. But we do keep an eye on appeals and if we notice trends, we'll work to see if we can make any changes to help.
Oliver Dunk | DevRel, Chrome Extensions | https://developer.chrome.com/ | London, GB

