window.ipfs.files.cp and files.mv scoping bypass #530
Labels
area/window-ipfs
Issues related to IPFS API exposed on every page
kind/bug
A bug in existing code (including security flaws)
topic/security
Work related to security
Projects
(Below A and B are reproducible with ipfs-companion v2.4.2)
Bugs related to
createSrcDestPre
hook in CompanionBug A: passing source and destination without wrapping them in array bypasses scoping
How to fix?
!Array.isArray(args[0])
)Bug B: copying from /ipfs/ is broken due to unnecessary prefixing (passing source and destination in array)
How to fix?
/ipfs/
path (validate CID, if invalid, then prefix)?Problem with tests/docs for
files.cp
andfiles.mv
I noticed we test different API calls to
files.cp
andfiles.mv
than ones in docs.Right now only array-wrapped version is being tested:
.. but we advertise unwrapped version it in the SPEC docs:
This means users probably run version that we don't have real tests for (at least that is the case for MFS exposed via window.ipfs). In most cases it does not matter, but there are edge cases such as window.ipfs where it makes a difference (see bug A vs B above)
@alanshaw I would appreciate some feedback and sanity check on how to proceed. Should we add tests to interface-ipfs-core for both versions (implies A.b), refuse non-wrapped version and change SPEC docs (A.a), or maybe I misunderstood a deeper problem entirely?
The text was updated successfully, but these errors were encountered: