[PM-39851] feat: Add SHA-256 integrity check for cached Fill Assist rules#2876
Draft
andrebispo5 wants to merge 1 commit into
Draft
Conversation
…ules Computes and stores a Keychain fingerprint when Fill Assist rules are cached, and verifies it whenever the cache is read. On mismatch or any inconsistent absent/present combination, clears the tampered cache and fingerprint so the normal sync flow redownloads and recreates them. Uses a sorted-keys JSONEncoder for the fingerprint so it stays deterministic regardless of Dictionary iteration order in the nested rules structure.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🎟️ Tracking
https://bitwarden.atlassian.net/browse/PM-39851
📔 Objective
Adds a SHA-256 integrity check for the Fill Assist rules cached on device. When rules are fetched and saved, a fingerprint is computed and stored in the Keychain; when the cached rules are read (during autofill or the next sync), the fingerprint is recomputed and compared. On mismatch (or on any inconsistent absent/present combination), the tampered cache and its fingerprint are cleared, and the normal sync flow redownloads and recreates the fingerprint.
Uses a sorted-keys
JSONEncoderfor fingerprint computation specifically to keep the hash deterministic regardless ofDictionaryiteration order (the cached rules contain nested dictionaries), verified by a dedicated round-trip regression test.This is not a reintroduction of the SHA-256 check removed in a prior commit — that check hashed CDN-delivered content against the CDN's own untrusted
cid(circular trust, no real security benefit). This fingerprint is computed and verified entirely on-device, to detect local tampering of the cached data (e.g. jailbreak/local-tamper), independent of CDN trust.