Enable security rules (#73)

## Summary We want to make progress on passing BinSkim for SDL / security best practices. Note: after these changes there are still 3 warnings disabled (4146, 4244 and 4267) that may require additional follow-up.
2022-02-10 11:25:19 -08:00 · 2022-02-10 11:25:19 -08:00 · bcda87c617
--- a/.ado/scripts/cibuild.ps1
+++ b/.ado/scripts/cibuild.ps1
@ -86,6 +86,9 @@ function Get-VCVarsParam($plat = "x64", $arch = "win32") {
        $args_ = "$args_ $SDKVersion"
    }

+    # Spectre mitigations (for SDL)
+    $args_ = "$args_ -vcvars_spectre_libs=spectre"
+
    return $args_
 }

--- a/.gitignore
+++ b/.gitignore
@ -18,6 +18,7 @@ buck-out

 # Win
 workspace
+build.log

 # CocoaPods testing
 build
--- a/API/hermes/CMakeLists.txt
+++ b/API/hermes/CMakeLists.txt
@ -83,9 +83,13 @@ if("${CMAKE_CXX_COMPILER_ID}" MATCHES "MSVC")
  if("{CMAKE_BUILD_TYPE}" MATCHES "Debug")
    set(link_flags "${link_flags} /DEBUG")
  else()
-    set(link_flags "${link_flags} /DEBUG /OPT:REF /OPT:ICF")
-  endif()
+    set(link_flags "${link_flags} /DEBUG /DEBUGTYPE:CV,FIXUP /OPT:REF /OPT:ICF")

+    if("${MSVC_C_ARCHITECTURE_ID}" MATCHES "^(X64|X86)$")
+      # CETCOMPAT is not supported by ARM or ARM64
+      set(link_flags "${link_flags} /CETCOMPAT")
+    endif()
+  endif()
 endif()

 set_target_properties(libhermes PROPERTIES
--- a/API/jsi/jsi/CMakeLists.txt
+++ b/API/jsi/jsi/CMakeLists.txt
@ -20,10 +20,14 @@ elseif ("${CMAKE_CXX_COMPILER_ID}" MATCHES "MSVC")
  # Turn on Error Handling in MSVC, otherwise objects are not destructed
  # when they go out of scope due to exceptions.
  list(APPEND jsi_compile_flags "/EHsc")
+  list(APPEND jsi_compile_flags "/Zi")
+  list(APPEND jsi_compile_flags "/Qspectre")
+  list(APPEND jsi_compile_flags "/sdl")
 endif()
 if (HERMES_ENABLE_BITCODE)
  list(APPEND jsi_compile_flags "-fembed-bitcode")
 endif ()
+
 target_compile_options(jsi PRIVATE ${jsi_compile_flags})

 install(DIRECTORY "${PROJECT_SOURCE_DIR}/API/jsi/" DESTINATION include
--- a/cmake/modules/Hermes.cmake
+++ b/cmake/modules/Hermes.cmake
@ -277,9 +277,11 @@ if (MSVC)
  )

  # Security flags.
-  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /DYNAMICBASE /guard:cf")
-  set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} /DYNAMICBASE /guard:cf")
-  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /guard:cf")
+  # Note: Security warnings need to be fixed / baselined to be sdl clean - 4146, 4244 and 4267 (currently disabled)
+  set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS} /DYNAMICBASE /guard:cf /Qspectre")
+  set(CMAKE_SHARED_LINKER_FLAGS "${CMAKE_SHARED_LINKER_FLAGS} /DYNAMICBASE /guard:cf /Qspectre")
+  set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} /guard:cf /Qspectre /sdl /ZH:SHA_256")
+  set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /guard:cf /Qspectre /sdl /ZH:SHA_256")

  # Tell MSVC to use the Unicode version of the Win32 APIs instead of ANSI.
  #    add_definitions(
--- a/external/dtoa/CMakeLists.txt
+++ b/external/dtoa/CMakeLists.txt
@ -8,6 +8,9 @@ if ("${CMAKE_CXX_COMPILER_ID}" MATCHES "Clang" OR
        set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wall")
        set(CMAKE_C_FLAGS
                "${CMAKE_C_FLAGS} -Wno-parentheses -Wno-unused-label -Wno-sign-compare -Wno-implicit-fallthrough")
+elseif ("${CMAKE_CXX_COMPILER_ID}" MATCHES "MSVC")
+    # hermes_update_compile_flags sets these for CPP files only
+    set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} /Zi")
 endif()

 add_hermes_library(dtoa STATIC
--- a/npm/package.json
+++ b/npm/package.json
@ -1,5 +1,5 @@
 {
-  "version": "0.11.0-ms.1",
+  "version": "0.11.0-ms.2",
  "scripts": {
    "unpack-builds": "node unpack-builds.js",
    "unpack-builds-dev": "node unpack-builds.js --dev",