fix(connector-besu/quorum/xdai): unvalidated dynamic method call #1912
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
petermetz
requested review from
izuru0,
jagpreetsinghsasan and
takeutak
and removed request for
jonathan-m-hamilton
petermetz
added
Besu
dependencies
takeutak
approved these changes
Mar 14, 2022
petermetz
force-pushed
the
petermetz/issue1911
branch
from
b882c38
to
77ae436
Compare
Added checks to make sure that the Web3 Contract instances "methods" object has a property of their own called the same way the method is called by the request object. This way if someone tries to execute malicious code by providing method names that are designed to execute something other than the smart contract methods we throw back an error to them instead of complying. This is needed to fix the following CodeQL security advisories: https://github.com/hyperledger/cactus/security/code-scanning/23 https://github.com/hyperledger/cactus/security/code-scanning/24 https://github.com/hyperledger/cactus/security/code-scanning/25 https://github.com/hyperledger/cactus/security/code-scanning/26 Todo for later: create a web3-common package that can be used to house re-usable pieces of code such as the function that validates if a contract really has a certain method or not. Right now this method is copy pasted to all 3 web3 flavored connectors which is not very nice. Fixes hyperledger-cacti#1911 Signed-off-by: Peter Somogyvari <peter.somogyvari@accenture.com>
petermetz
force-pushed
the
petermetz/issue1911
branch
from
77ae436
to
f572ce8
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added checks to make sure that the Web3 Contract instances
"methods" object has a property of their own called
the same way the method is called by the request
object. This way if someone tries to execute malicious
code by providing method names that are designed to
execute something other than the smart contract methods
we throw back an error to them instead of complying.
This is needed to fix the following CodeQL security advisories:
https://github.com/hyperledger/cactus/security/code-scanning/23
https://github.com/hyperledger/cactus/security/code-scanning/24
https://github.com/hyperledger/cactus/security/code-scanning/25
https://github.com/hyperledger/cactus/security/code-scanning/26
Todo for later: create a web3-common package that can
be used to house re-usable pieces of code such as the
function that validates if a contract really has a certain
method or not. Right now this method is copy pasted
to all 3 web3 flavored connectors which is not very nice.
Fixes #1911
Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com