-
Notifications
You must be signed in to change notification settings - Fork 2.1k
[security] fix #1359, improve txData validation #2092
[security] fix #1359, improve txData validation #2092
Conversation
@luclu, thanks! @frozeman, @evertonfraga and @alexvandesande, please review this. |
@@ -36,14 +36,16 @@ module.exports = class extends BaseProcessor { | |||
try { | |||
_.each(payload.params[0], (val, key) => { | |||
// if doesn't have hex then leave | |||
if (_.isString(val)) { | |||
if (_.isString(val) || _.isNumber(val)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Won't this throw when you try to do toLowerCase()
on the number a few lines down? I mean, if val
is a number, the method does not exist.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Technically all payload should be hex. So please use a Regex /[a-f0-9]/i.test(val)
and test if it works.
@@ -36,14 +36,16 @@ module.exports = class extends BaseProcessor { | |||
try { | |||
_.each(payload.params[0], (val, key) => { | |||
// if doesn't have hex then leave | |||
if (_.isString(val)) { | |||
if (_.isString(val) || _.isNumber(val)) { | |||
|
|||
// make sure all data is lowercase and has 0x | |||
if (val) val = `0x${val.toLowerCase().replace('0x', '')}`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This isn't part of the PR, I know... but doing toLowerCase()
here removes the checksum (if any), and could be problematic later on if you want to add checksum verifications..
@@ -36,14 +36,16 @@ module.exports = class extends BaseProcessor { | |||
try { | |||
_.each(payload.params[0], (val, key) => { | |||
// if doesn't have hex then leave | |||
if (_.isString(val)) { | |||
if (_.isString(val) || _.isNumber(val)) { | |||
|
|||
// make sure all data is lowercase and has 0x | |||
if (val) val = `0x${val.toLowerCase().replace('0x', '')}`; | |||
|
|||
if (val.match(/[^0-9a-fx]/igm)) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why not be even stricter - this would allow arbitrary mix of hex-digits and x
. Why not require
- Starts with
0x
- Then must be
0-9a-fA-F
Something like /^0x[0-9a-fA-F]/
All good with the else-block which throws, I'd also have been fine with coercing into string. Just some minor comments. |
8d9ee17
to
7655cf0
Compare
Thank you Martin for the feedback, I made some changes for a stricter validation. |
7655cf0
to
def7fca
Compare
Luca, would it be possible to add a test for this attack? |
@alexvandesande in-browser-test added! |
// make sure all data is lowercase and has 0x | ||
if (val) val = `0x${val.toLowerCase().replace('0x', '')}`; | ||
if (val) val = `0x${val.toLowerCase().replace(/^0x/igm, '')}`; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in this context, the g
and m
flags seems to be redundant. As the regexp starts with ^
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good point!
|
||
count++; | ||
count += count; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why do you double count at each round?
* updated solc again * updated solc to 0.4.6 * Update geth to 1.5.5 (#1520) * Update geth to 1.5.5 * corrected windows zip's internal paths * changed sanity check * made node starting better * also log path from which to fetch * show fetching origin URL * fix ESLint errors * removed -stable * fixes the immediate startup issue (#1540) * fixes #1532 (#1534) * [ESLint] autofix 'modules' (#1536) * [ESLint] update customProtocols.js (#1538) * added postinstall step for interface dir (#1546) * [ESLint] update 'scripts' (#1539) * [ESLint] update 'scripts' * add comments to .eslintrc * update paths * update comments * Adding badges for (up|out)dated dependencies (#1525) * Changes to splash screen and onboarding (#1545) * change fast to light * light client * remove '--cache' flag * remove cache * text changes` * changes to onboarding screen * changes to onboarding * ropstein in eth * experimental label` * checking network label position * Theres no I in Ropsten * changes algotithm for displaying * allows app to be ready if no sync is happening * bring changes to splash screen * remove changes from ethereumNode * remove changes from menuItems * speed changes * clean up and add comments * fixes onboarding shapeshift window loading * simplify code * add comments * shows ready to launch when there are less than a 100 blocks * Error pages (#1559) * added not found and crash error page * add source sans * [readme] minor typo * [mistAPI] add 'mist.solidity.version' (#1586) * add 'mist.solidity.version' to mistAPI * Adding tests for in Mist API * fixes (#1600) * add hash and queries to breadcrumb (#1596) * fix offline-startup edge-case (#1571) * NSIS installer (#1499) * Update travis config to new format * fixes * install gulp * fixes * tweaks * use same install & script tasks for all builds * Expand build matrix * tweaks * fixes * try to fix wine installation * Enable mac build * Extend run time to 30 minutes * see if extra dependencies resolves build issue for linwin * Install yarn with npm on osx * linux and windows in one * Add gulp to Mac * Bump timeout to 60 minutes * remove download-signatures from processing / travis tweaks * cleanup * enable gitter notifications * fix bash double ampersand * try to build nsis script * fix nsis verbosity flag * Customized NSIS installer * Fix order of commands * Improve uninstaller * Add logic and movefile plugins * Enable separate DATADIR location * Remove INSTDIR and replace with FILEDIR * Fix compiler warnings about unknown variables * Enforce UAC admin requirement * Move NSI to scripts directory and add plugins * Include version in output filename * Remove duplicate execution level command * Move files from nested folder into main folder * Update shortcut names and params * initial architecture detection + various cleanup * More flexible environment vars * Cleanup * User-selectable location for Mist's data files * Include icon in installation directory * Cleanup * Improve/fix registry entries * Show shortcuts after successful installation * Estimate installation size * Fix removal of start menu shortcuts * Open DATADIR and NODEDATADIR on uninstallation * Handle firewall rules * Disable firewall updates * Include multiple architectures into single installer * Don't allow user to select Mist data directory * Integrate NSIS build into Gulp * Cleanup lint suggestions * Cleanup more lint suggestions * One more linter fix * Remove testnet startmenu entry * Double the estimated installed size * Create desktop shortcut * Delete temporary zips * Store user settings in HKCU for uninstallation * Remove user registry settings on uninstallation * Improved uninstallation to not rely on stack variables * Compute actual program directory size * Cleanup * [travis] various fixes (#1601) * various fixes * disable code-signing on 'develop' * fix yarn on xcode8 image * rectify if statement * comments * improvement * Adjust formatter for addPeer #1543 (#1599) * recreate PR * add fixes * fix [null] * [gulp] new task 'upload-binaries' (to github) (#1578) * add gulp-task 'upload-binaries' * fix ESLint errors * improvements and fixes * switch URLs to ethereum/mist repo * also build wallet if on master branch * make sure all sendTransaction is valid HEX (#1606) * Adding a develop menu option to open Remix IDE (#1608) * Adding browser solidity menu item * Adding i18n keys for Remix menu item * Moving Remix menu option UP * Opening Remix on a separated popup * Changing display name * minor refactor * reverting travis change * Update app.nl.i18n.json (#1609) Dutch translation * adjust content order, feather and window size (#1585) * fix mention-bot (#1587) * Improve importer (#1598) * rename 'presaleFile' IPC actions to generic 'walletFile' * update the import-screen depending on wallet type * leverage ethereum-keyfile-recognizer * update yarn.lock * fix merge relic * [ESLint] * polish * update dependency and fix ESLint * improvements * update menu-label * Dutch translation improved (#1610) * Update mist.nl.i18n.json Dutch translations * Corrected proposed changes for Dutch translations. Capital "E"ther and changed from formal to informal throughout the file. * change window height (#1612) * Allow for operators while parsing 'mist.solidity.version' (#1613) * Allow for operators while parsing 'mist.solidity.version' * minor improvement in regex * Sync Dutch translation file to English + corrections (#1616) * Sync Dutch translations to English + corrections Mostly rearranged the lines to get equal to the English translation file for easier future maintenance. Also did some small spelling corrections and improved a few translations when I matched the Dutch and English files. * Fixed JSON syntax Fixed JSON syntax * Processed suggestions, many thanks! * update i18n files according to english base files (#1618) * [travis] don't wait for mac build on PR check (#1611) * 36 * 37 * [gulp] don't build NSIS installer on 'wallet' task (#1614) * don't build NSIS installer in 'wallet' task * [readme] add 'makensis' to brew install * Bump version string to 0.8.9 (#1626) * Spectron testing suite (#1553) * Spectron iteration * Updating spectron * Creating switch for mist.lokidb for automated tests * Adding chai-as-expected * Changing IPC flag * Pairing spectron and electron versions * [ESLint] Minor fixes * Adding chai-string * Couple of tests passing * update .eslintrc.yml * Simplifying code * Removing delay in favor of better window management * Adding tests for URL bar * Focusing window before each test * Minor fixes * Improving mist setup and teardown * Fixing wallet test * adding html fixture * Improving test helpers * Tests for ETH-01-002 * Updating tests * Starting local HTTP server to deal with html fixtures * Updating tests setup * Adding more tests * Updating travis file to run spectron tests * Refactoring tests * Tests for ETH-01-007 * Downloading geth on the fly * Fine-tuning geth download during tests * Changing linux binary dir * Fixing binary path on linux * Travis debug * Travis debug * Changing fixtures * Fixing tests * Fixing travis file * More tests * Adjusting timeouts * Adjusting GULP_PLATFORM test env variable * Adjusting timeouts * Disabling some tests for now * Disabling a test * Fix raw data display ('0x') in data-less TXs (#1625) * Update dependencies (#1623) * Update dependencies * Updating yarn lock * udpate (#1622) * Cleaner mocha-in-browser test results (#1630) * Removing DavidDM broken badges (#1631) * Update geth to 1.5.5 (#1520) (#1522) (#1633) * updated solc again * updated solc to 0.4.6 * Update geth to 1.5.5 (#1520) * Update geth to 1.5.5 * corrected windows zip's internal paths * changed sanity check * made node starting better * also log path from which to fetch * show fetching origin URL * fix ESLint errors * removed -stable * Update geth to 1.5.8 (#1635) * Update geth (osx still missing) * include mac * Add gulp task 'update-nodes' (#1637) * sync was being skipped (#1647) * sync was being skipped * sync was being skipped * updates confirmation window size issue (#1665) * updates confirmation window size issue * updated to web3.js 0.18.2, please run yarn * improved gas estimation errors * add error check only when estimatedGas is lower than providedGas * Main window position and size are now persisted through sessions (#1641) * update to geth 1.4.9 (#1662) * Last days of dechunker (#1680) * removed dechunker * added legacyWeb3Provider * added comment * warn on websocket connection * added old full web3 for legacy reasons * perm-tests: add 'bzz' to 'should only contain allowed attributes' test (#1737) * switch to camelCase for var 'lang_code' (#1736) * [ESLint] exclude auto-generated 'signatures.js' (#1752) * meteor interface: add ES6 support (#1738) * Fix #1701 (#1750) * enable translations on splash screen (#1749) * [ESLint] fix simple rule violations in 'interface' (#1751) * fix rule "intend" * fix rule "no-trailing-spaces" * fix rule "eol-last" (new line at end of file) * fix rule "keyword-spacing" * fix rule "space-before-blocks" * fix rule "space-infix-ops" (space before and after operators) * fix rule "space-before-function-paren" * fix rule "object-curly-spacing" * fix rule "no-multi-spaces" * fix rule "curly" * fix rule "no-multiple-empty-lines" * fix rule "quotes" * fix rule "semi-spacing" * fix rule "semi" * fix rule "key-spacing" * fix rule "space-in-parens" * fix rule "spaced-comment" * fix rule "comma-spacing" * fix rule "no-lonely-if" * fix rule "eqeqeq" * show backup hint when createing accounts, demanding min 8 characters (#1775) * show backup hint when createing accounts, demanding min 8 characters * fix typo * [readme] update dependencies paragraph (#1784) * [i18n] partial update to German translation (#1753) * [i18n] partial update to German translation * update * Improve console messages (#2067) * [i18n] add missing meteor package 'numeral:languages' (#1783) * [i18n] add missing meteor package 'numeral:languages' * add better error message * More spectron ETH-01 tests. (#1689) * Spectron iteration * Updating spectron * Creating switch for mist.lokidb for automated tests * Adding chai-as-expected * Changing IPC flag * Pairing spectron and electron versions * [ESLint] Minor fixes * Adding chai-string * Couple of tests passing * update .eslintrc.yml * Simplifying code * Removing delay in favor of better window management * Adding tests for URL bar * Focusing window before each test * Minor fixes * Improving mist setup and teardown * Fixing wallet test * adding html fixture * Improving test helpers * Tests for ETH-01-002 * Updating tests * Starting local HTTP server to deal with html fixtures * Updating tests setup * Adding more tests * Updating travis file to run spectron tests * Refactoring tests * Tests for ETH-01-007 * Downloading geth on the fly * Fine-tuning geth download during tests * Changing linux binary dir * Fixing binary path on linux * Travis debug * Travis debug * Changing fixtures * Fixing tests * Fixing travis file * More tests * Adjusting timeouts * Adjusting GULP_PLATFORM test env variable * Adjusting timeouts * Disabling some tests for now * Disabling a test * updating yarn * Tests for ETH-01-009 * More tests * Adding test for ETH-01-008 * simplify '--test' flag evaluation * revert unnecessary changes to yarn.lock (no changes to package.json) * Minor comment changes * consistent use of 'protocol' in test titles * Update js-redirect.html * [gulp] Refactor and Ethereum-Wallet NSIS installer (#1642) * Add Ethereum-Wallet NSIS installer * minor changes * improve makensis call * Improve Uploader * Refactor * refactor * remove eth node * remove build-dist.js * added 'options.platforms' and 'options.activePlatforms' * remove squirrel * fix * cleanup * string formating, windows compatibility * md5 checksum platform compatibiliy * cleanup Linter errors * update travis.yml * minor fix * improve platform usage hint (don't show 'mac' on non macOS systems) * Rectifying documentation * update Readme * typo in readme * add clarification on available platforms on the host platform * remove unnessecary linux dep * cleanup patch string * increase timeout (#2129) * Sidebar revamp (#1640) * Sidebar changes * Basic tab visual changes * Scrolling tabs * Menu iteration * Improvements on floating menu * Menu improvements * Inflection translation for account button * Adjusting menu animations and hover (dis)appear timings * Identicon area height * Cleanup * Improvements on menu position and, padding and dealing with information overflow * browserbar z-index * Sidebar scrolling on submenu overflow * Fixed some visual glitches * Enabling drag and drop of new tabs * Fixing submenu position * Refactoring * Opening the right account window for dapp menu entries * Minor opacity change * Scrollbars on windows * White scrollbars on submenu * Fixing sidebar css on windows * Code style * Dealing with large numbers with german separators * Prevents dragging Dapps to 1st position (browser) * Ensuring browse will always be the first tab * Preventing drag dapps above browse tab * Minor adjustments * Small refactor and code cleaning * Dependencies update * Fixing add permissions to browse tab behavior * Cursor change * Code Style * Small refactor * Code style * remove duplicate makensis step (#2073) * remove rules (#2091) * [travis] only increase timeout for mac build (#2096) * [travis] only increase timeout for mac build * fix * Make capitalization more consistent in menus. Correct punctuation. (#2123) * fix (#2124) * fix #1649 (add lokijs save-throttling) (#2125) * [yarn] update dev node modules (#2128) * remove debug loglevel (#2137) * Removing old code. Fixes small bug (#2140) * update npm-modules (#2126) * [security] fix #1359, improve txData validation (#2092) * fix #1359 * stricter validation * add test case "shouldn't allow RegExp (possible XSS)" * shorten test-case * remove unnecessary regex flags * improve error msg * update geth 1.6.0 (#2146) * update geth 1.6.0 * [tests] geth 1.6.0 compatibility * [meta] remove .mention-bot (#2094) * Version bump (#2161)
This thread has been automatically locked because it has not had recent activity. Please open a new issue for related bugs and link to relevant comments in this thread. |
fix #1359