Clef: cliui mixes extraneous and approval-specific Data #17637
Comments
I made a slight change, now it looks like this:
I think that should be sufficient. We cannot remove all request data, in 99.9% of the cases, it's highly valuable information which can protect against drive-by-download types of attacks, where a webpage spuriously sends a request to the signer. By showing origin, the user would see what webpage is doing this. By showing user-agent, the user could see if it's his own browser or something else doing the requests -- assuming an attacker does not know what browser the user is using. So overall, I think it's better to have it than to remove it.
* signer: remove local path disclosure from extapi
* signer: show more data in cli ui
* rpc: make http server forward UA and Origin via Context
* signer, clef/core: ui changes + display UA and Origin
* signer: cliui - indicate less trust in remote headers, see #17637
* signer: prevent possibility swap KV-entries in aes_gcm storage, fixes #17635
* signer: remove ecrecover from external API
* signer,clef: default reject instead of warn + validate new passwords. fixes #17632 and #17631
* signer: check calldata length even if no ABI signature is present
* signer: fix failing testcase
* clef: remove account import from external api
* signer: allow space in passwords, improve error message
* signer/storage: fix typos
Ref: NCC-EF-Clef-006
When Clef receives a request through its exposed API, metadata is displayed to the user in charge of handling it. This metadata includes a variety of fields unrelated to what is being signed like IP address, user-agent, origin, etc. There are 6 calls to showMetadata() within signer/core/cliui.go that drive this functionality. Some of these fields can be trivially tampered with and might provide a false understanding as users could rely too heavily on them instead of the important fields.

The following ‘malicious’ request (with the redacted JSON taken from Go code example comments) will be accepted by Clef.

As currently presented, the metadata provides little benefit to legitimate requests but may facilitate illegitimate requests. A naive user may consider the extraneous request data as superseding the true warning above and mistakenly approve this transaction.
Recommendation
Do not present request metadata alongside approval-specific data without clear delineation and warnings. Either clearly label the categories presented and warn that request data cannot be relied upon, or simply remove all request data.
Todo: look into if we can make this even more clear than it is currently.
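As an added illustration of the recommendation above (example code, not Clef's own cliui; the `TxSummary` and `RequestMetadata` types and their field names are constructed stand-ins), a Go rendering function that keeps the approval-specific data in its own section and marks each metadata field by whether the server observed it or the caller supplied it:

```go
package main

import (
	"fmt"
	"strings"
)

// RequestMetadata is a constructed stand-in for transport metadata (assumption,
// not Clef's type). Remote and Scheme are observed by the listening server;
// Origin and UserAgent are HTTP headers the requester chose freely.
type RequestMetadata struct {
	Remote, Scheme, Origin, UserAgent string
}

// TxSummary holds the fields the user is actually approving (constructed stand-in).
type TxSummary struct {
	From, To, Value string
	DataLen         int
}

// Render prints the approval-specific data first, under an explicit heading, and
// the request metadata afterwards in a separately labelled section. Each header
// the caller controls carries its own marker so it cannot be read as a verified fact.
func Render(tx TxSummary, m RequestMetadata) string {
	var b strings.Builder
	b.WriteString("== Transaction to approve (authoritative) ==\n")
	fmt.Fprintf(&b, "from:   %s\nto:     %s\nvalue:  %s\ndata:   %d bytes\n", tx.From, tx.To, tx.Value, tx.DataLen)
	b.WriteString("\n== Request metadata (informational only) ==\n")
	b.WriteString("WARNING: the requester supplies these values; they cannot be relied upon.\n")
	fmt.Fprintf(&b, "remote:     %s (observed by server)\n", orDash(m.Remote))
	fmt.Fprintf(&b, "scheme:     %s (observed by server)\n", orDash(m.Scheme))
	fmt.Fprintf(&b, "origin:     %s [caller-supplied header]\n", orDash(m.Origin))
	fmt.Fprintf(&b, "user-agent: %s [caller-supplied header]\n", orDash(m.UserAgent))
	return b.String()
}

// orDash makes an absent header visible as "-" instead of silently leaving a blank.
func orDash(s string) string {
	if s == "" {
		return "-"
	}
	return s
}

func main() {
	// Constructed sample request: no Origin header, a non-browser user-agent.
	tx := TxSummary{From: "0xaaaa", To: "0xbbbb", Value: "1 ether", DataLen: 0}
	m := RequestMetadata{Remote: "127.0.0.1:54321", Scheme: "http", UserAgent: "curl/7.58"}
	fmt.Print(Render(tx, m))
}
```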