diff --git a/.iyarc b/.iyarc
index dcff19fe16..e69de29bb2 100644
--- a/.iyarc
+++ b/.iyarc
@@ -1 +0,0 @@
-GHSA-3gc7-fjrx-p6mg
diff --git a/modules/sdk-coin-sol/src/bigint-buffer-guard.ts b/modules/sdk-coin-sol/src/bigint-buffer-guard.ts
new file mode 100644
index 0000000000..800663fd93
--- /dev/null
+++ b/modules/sdk-coin-sol/src/bigint-buffer-guard.ts
@@ -0,0 +1,31 @@
+// Added a lightweight runtime guard for BigInt<->Buffer conversions in @bitgo/sdk-coin-sol (bigint-buffer-guard.ts) to validate input lengths and reduce misuse risk.
+// It's purpose is to enforce input type/length checks around BigInt buffer operations; imported it so validations run at module load
+
+try {
+ const mod = require('bigint-buffer');
+ const le = typeof mod.toBigIntLE === 'function' ? mod.toBigIntLE : undefined;
+ const be = typeof mod.toBigIntBE === 'function' ? mod.toBigIntBE : undefined;
+
+ const isBufferLike = (b: unknown) => (typeof Buffer !== 'undefined' && Buffer.isBuffer(b)) || b instanceof Uint8Array;
+
+ const byteLen = (b: any) =>
+ typeof Buffer !== 'undefined' && Buffer.isBuffer(b) ? b.length : (b as Uint8Array).byteLength;
+
+ const assertBuf = (b: unknown) => {
+ if (!isBufferLike(b)) throw new TypeError('toBigInt*: input must be Buffer/Uint8Array');
+ if (byteLen(b as any) > 1_000_000) throw new RangeError('toBigInt*: buffer too large');
+ };
+
+ if (le)
+ mod.toBigIntLE = (buf: Buffer | Uint8Array) => {
+ assertBuf(buf);
+ return le(buf);
+ };
+ if (be)
+ mod.toBigIntBE = (buf: Buffer | Uint8Array) => {
+ assertBuf(buf);
+ return be(buf);
+ };
+} catch {
+ /* noop */
+}
diff --git a/modules/sdk-coin-sol/src/index.ts b/modules/sdk-coin-sol/src/index.ts
index 2b08368e1d..2b9d812ca4 100644
--- a/modules/sdk-coin-sol/src/index.ts
+++ b/modules/sdk-coin-sol/src/index.ts
@@ -1,3 +1,4 @@
+import './bigint-buffer-guard';
 export * from './lib';
 export * from './sol';
 export * from './solToken';
diff --git a/package.json b/package.json
index f7eeca1762..07d365feca 100644
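Review bot: The `catch { /* noop */ }` closing the new bigint-buffer-guard.ts swallows every failure, including the `mod.toBigIntLE`/`mod.toBigIntBE` assignments themselves being rejected, so the guard can silently never install and nothing signals that the length check is absent; at minimum the catch should only cover the `require` and report the failure through whatever logger the module uses. The `any` in `byteLen`/`byteLen(b as any)` is avoidable: declare `isBufferLike` as a predicate `(b: unknown): b is Buffer | Uint8Array`, after which `assertBuf` can read `b.byteLength` directly (Buffer extends Uint8Array) and `byteLen` goes away, and the `1_000_000` bound deserves a named constant with a comment on where the limit comes from. Assigning to `mod.toBigIntLE`/`mod.toBigIntBE` mutates the shared module object, so the patch is process-global for every later caller of `bigint-buffer` but does not reach code that captured the original functions before `@bitgo/sdk-coin-sol` loaded, which the header comment should state (and it should read "Its purpose", not "It's purpose").
```typescript
// … unchanged: try {, require('bigint-buffer'), le/be lookups …

  // Upper bound for inputs accepted by the patched toBigInt* functions.
  // TODO(review): record why this limit was chosen for the SDK's use of bigint-buffer.
  const MAX_BIGINT_INPUT_BYTES = 1_000_000;

  // Predicate so callers get a narrowed Buffer | Uint8Array without casts.
  const isBufferLike = (b: unknown): b is Buffer | Uint8Array =>
    (typeof Buffer !== 'undefined' && Buffer.isBuffer(b)) || b instanceof Uint8Array;

  const assertBuf = (b: unknown): void => {
    if (!isBufferLike(b)) throw new TypeError('toBigInt*: input must be Buffer/Uint8Array');
    // Buffer extends Uint8Array, so byteLength covers both accepted inputs.
    if (b.byteLength > MAX_BIGINT_INPUT_BYTES) throw new RangeError('toBigInt*: buffer too large');
  };

// … unchanged: wrapping of mod.toBigIntLE / mod.toBigIntBE …
} catch (e: unknown) {
  // A missing module is the only expected failure; a rejected patch must not be silent.
  // console.warn stands in for the module's own logger here.
  console.warn('bigint-buffer guard not installed:', e instanceof Error ? e.message : e);
}
```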
--- a/package.json
+++ b/package.json
@@ -99,6 +99,7 @@
 "**/swarm-js/**/ws": "5.2.4",
 "serialize-javascript": "^6.0.2",
 "@grpc/grpc-js": "^1.12.6",
+ "bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10",
 "request": "npm:@cypress/request@3.0.9",
 "**/avalanche/store2": "2.14.4"
 },
@@ -140,7 +141,8 @@
 "dependencies": {
 "axios": "^1.12.0",
 "terser": "^5.14.2",
- "tmp": "^0.2.3"
+ "tmp": "^0.2.3",
+ "bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10"
 },
 "packageManager": "yarn@1.22.22"
 }
diff --git a/yarn.lock b/yarn.lock
index 9f03248a44..c98e38f27f 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -7675,12 +7675,12 @@ bigi@1.4.2, bigi@^1.1.0, bigi@^1.4.2: resolved "https://registry.npmjs.org/bigi/-/bigi-1.4.2.tgz" integrity sha512-ddkU+dFIuEIW8lE7ZwdIAf2UPoM90eaprg5m3YXAVVTmKlqV/9BX4A2M8BOK2yOq6/VgZFVhK6QAxJebhlbhzw== -bigint-buffer@^1.1.5: - version "1.1.5" - resolved "https://registry.npmjs.org/bigint-buffer/-/bigint-buffer-1.1.5.tgz" - integrity sha512-trfYco6AoZ+rKhKnxA0hgX0HAbVP/s808/EuDSe2JDzUnCp/xAsli35Orvk67UrTEcwuxZqYZDmfA2RXJgxVvA== +bigint-buffer@^1.1.5, "bigint-buffer@npm:@trufflesuite/bigint-buffer@1.1.10": + version "1.1.10" + resolved "https://registry.npmjs.org/@trufflesuite/bigint-buffer/-/bigint-buffer-1.1.10.tgz#a1d9ca22d3cad1a138b78baaf15543637a3e1692" + integrity sha512-pYIQC5EcMmID74t26GCC67946mgTJFiLXOT/BYozgrd4UEY2JHEGLhWi9cMiQCt5BSqFEvKkCHNnoj82SRjiEw== dependencies: - bindings "^1.3.0" + node-gyp-build "4.4.0" bigint-crypto-utils@3.1.4: version "3.1.4"
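Review bot: `"bigint-buffer"` is appended after `"tmp"` in the root `dependencies` block of the second package.json hunk, breaking that block's alphabetical order (`axios`, `terser`, `tmp`); the line `"bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10",` belongs at the front of the block. The same alias is already added to `resolutions` in the first hunk, which is what redirects every transitive `bigint-buffer@^1.1.5` to the fork (the yarn.lock hunk shows both specs resolving to 1.1.10), so the direct entry appears to exist only so that `require('bigint-buffer')` in modules/sdk-coin-sol/src/bigint-buffer-guard.ts resolves. If that is the reason, that module's own package.json (not in this diff) is the place to declare it, rather than relying on workspace hoisting from the root.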
@@ -7736,13 +7736,6 @@ binaryextensions@^4.16.0: resolved "https://registry.npmjs.org/binaryextensions/-/binaryextensions-4.19.0.tgz" integrity sha512-DRxnVbOi/1OgA5pA9EDiRT8gvVYeqfuN7TmPfLyt6cyho3KbHCi3EtDQf39TTmGDrR5dZ9CspdXhPkL/j/WGbg== -bindings@^1.3.0: - version "1.5.0" - resolved "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz" - integrity sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ== - dependencies: - file-uri-to-path "1.0.0" - bip174@=2.1.1, bip174@^2.1.1: version "2.1.1" resolved "https://registry.npmjs.org/bip174/-/bip174-2.1.1.tgz" @@ -11618,11 +11611,6 @@ file-loader@^6.2.0: loader-utils "^2.0.0" schema-utils "^3.0.0" -file-uri-to-path@1.0.0: - version "1.0.0" - resolved "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz" - integrity sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw== - filelist@^1.0.4: version "1.0.4" resolved "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz" @@ -15644,6 +15632,11 @@ node-gyp-build-optional-packages@5.1.1: dependencies: detect-libc "^2.0.1" +node-gyp-build@4.4.0: + version "4.4.0" + resolved "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.4.0.tgz#42e99687ce87ddeaf3a10b99dc06abc11021f3f4" + integrity sha512-amJnQCcgtRVw9SvoebO3BKGESClrfXGCUTX9hSn1OuGQTQBOZmVd0Z0OlecpuRksKvbsUqALE8jls/ErClAPuQ== + node-gyp-build@^4.2.0, node-gyp-build@^4.3.0: version "4.8.4" resolved "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz"