Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ERTP Trusted User Inputs #4057

Closed
katelynsills opened this issue Nov 11, 2021 · 1 comment
Closed

ERTP Trusted User Inputs #4057

katelynsills opened this issue Nov 11, 2021 · 1 comment
Labels
ERTP package: ERTP

Comments

@katelynsills
Copy link
Contributor

Issue A: ERTP Trusted User Inputs

Location

agoric-sdk/packages/ERTP/src/paymentLedger.js

Line 138 in f6a87ba

payments.forEach(payment => paymentLedger.delete(payment));

Synopsis

ERTP’s internal reallocate function takes an array as input and calls Array.forEach and other standard array methods on it. However, objects passed in by the user should not be trusted. An object with the correctly named methods, but incorrect behavior, could be passed.

Impact

The reallocate function is not exposed publicly and the methods that do call it happen to copy the array. However, given access to this function, an attacker could create free money resulting in a loss of legitimate funds.

Preconditions

An attacker gains access to the reallocate function, or a method that calls reallocate uses the user-supplied payments array instead of copying it.

Technical Details

The methods that call reallocate use Promise.all on their input array. This uses the iterator interface to copy the array and resolves a new and safe array. However, if a user input were to be passed directly to reallocate and the forEach function misbehaved, it would be possible to duplicate payment objects. The reallocate function iterates over the payments and calculates the sum of their amounts. It then creates new payment objects with the same total amount, then calls forEach again to delete the original payment objects. If the payment.forEach method just did nothing on the second call, the payments would not be deleted, and they could be used to create new payment objects again. This would allow the caller to create free money. zcfSeat also assumes that forEach behaves correctly, but is called by methods that copy the array.

Suggested Remediation

We recommend importing trusted methods and passing user objects to them, instead of trusting functions on objects passed in by users. For inputs such as arrays, we suggest copying the data to new trustworthy arrays. A simple way to copy the array is to use a destructuring pattern combined with the spread operator ([...array]), which creates a new array that is a copy of the array elements.

We also recommend that the reallocate function perform this check on its payments argument because of the importance of the function.

Remediation

PR #3892 ensured that all user-provided inputs in ERTP were validated. In the case of a payment array, passStyleOf was used to ensure that the payment array was a copyArray, a valid, hardened, pass-by-copy array. Additionally, the internal reallocate function (renamed to moveAssets to distinguish it from reallocation in Zoe) also checks that the payment array is a copyArray as an additional layer of defense.
@katelynsills katelynsills added the ERTP package: ERTP label Nov 11, 2021
@katelynsills
Copy link
Contributor Author

Closed in #3892

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ERTP package: ERTP
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@katelynsills