refactor: #666: mnemonic improvements #832

Merged
merged 4 commits into from
Apr 30, 2024

@lucanicoladebiasi lucanicoladebiasi commented Apr 29, 2024

Description

The code at

  • packages/core/src/hdnode/hdnode.ts
  • packages/core/src/mnemonic/mnemonic.ts

uses mnemonic words and private keys as function parameters. In case of an exception, mnemonic words could be leaked by the called methods of the internal BIP-32 and BIP-39 libraries, albeit the actual releases of these libraries shadow sensitive data.

The proposed code assures that no sensitive data, such as mnemonic words or private keys, is leaked because an error is thrown.

The code at

  • packages/errors/src/utils/assert/assert.ts
  • packages/errors/src/utils/error-builder/error-builder.ts
  • packages/errors/src/utils/error-builder/provider-error-builder.ts
  • packages/errors/src/utils/error-message-builder/error-message-builder.ts

remarks, in the documentation of the functions, that sensitive data must not be passed as parameters.

In packages/core/tests/hdnode/hdnode.unit.test.ts, the test 'fromMnemonic - invalid - word list leak check' assures no mnemonic word is part of the error.

Type of change

Please delete options that are not relevant.

  • Bug fix (non-breaking change which fixes an issue): no sensitive data leak.
  • This change introduces new code documentation relevant to keep the code secure.

How Has This Been Tested?

Please describe the tests that you ran to verify your changes. Provide instructions so we can reproduce. Please also list any relevant details for your test configuration

  • yarn test:solo
  • yarn test:unit

Test Configuration:

  • Node.js Version: v21.6.2
  • Yarn Version: v1.22.22

Checklist:

  • My code follows the coding standards of this project
  • I have performed a self-review of my code
  • I have commented on my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings
  • I have added tests that prove my fix is effective or that my feature works
  • New and existing unit tests pass locally with my changes
  • New and existing integration tests pass locally with my changes
  • Any dependent changes have been merged and published in downstream modules
  • I have not added any vulnerable dependencies to my code
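
The pattern the description refers to, as an added example that is not code from this pull request or the project: a wrapper catches a dependency's error and rethrows one built without the input, and a check in the spirit of the 'word list leak check' test confirms that no word reaches the error. `leakyDerive`, `InvalidMnemonicError`, `fromMnemonicSafe`, `leakedWords`, `captureError` and the sample words are hypothetical names and constructed data.

```typescript
// Constructed stand-in for a dependency whose error echoes its input.
// Hypothetical: this is NOT the BIP-32/BIP-39 library code.
function leakyDerive(words: string[]): string {
  if (words.length !== 12) {
    throw new Error(`invalid mnemonic: ${words.join(' ')}`);
  }
  return 'seed-placeholder';
}

// Hypothetical error type: fixed message, non-sensitive metadata only.
class InvalidMnemonicError extends Error {
  wordCount: number;
  constructor(wordCount: number) {
    super('Invalid mnemonic.');
    this.name = 'InvalidMnemonicError';
    this.wordCount = wordCount;
  }
}

// The caught error is dropped rather than chained as `cause`, because its
// message and stack may carry the words.
function fromMnemonicSafe(words: string[]): string {
  try {
    return leakyDerive(words);
  } catch {
    throw new InvalidMnemonicError(words.length);
  }
}

// Leak check: gather everything a logger could emit for the error and
// report which of the given words appear in it.
function leakedWords(err: Error, words: string[]): string[] {
  const dump = [err.name, err.message, err.stack ?? '', JSON.stringify(err)]
    .join('\n')
    .toLowerCase();
  return words.filter((w) => dump.includes(w.toLowerCase()));
}

// Runs fn and returns the error it throws.
function captureError(fn: () => unknown): Error {
  try { fn(); } catch (e) { return e as Error; }
  throw new Error('expected an exception');
}

// Constructed sample: 11 placeholder words, not a real mnemonic.
const SAMPLE = 'quokka zephyr oxbow fjord kumquat sphinx gazebo yodel jigsaw wombat tundra'.split(' ');
```

Running `leakedWords` over the error from `leakyDerive(SAMPLE)` returns all 11 words, while the error from `fromMnemonicSafe(SAMPLE)` yields an empty list.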

github-actions bot commented Apr 29, 2024

Test Coverage

Summary

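| Lines | Statements | Branches | Functions |
| --- | --- | --- | --- |
| Coverage: 99% | 99.96% (3091/3092) | 100% (651/651) | 100% (642/642) |

| Title | Tests | Skipped | Failures | Errors | Time |
| --- | --- | --- | --- | --- | --- |
| core | 463 | 0 💤 | 0 ❌ | 0 🔥 | 1m 3s ⏱️ |
| network | 586 | 0 💤 | 0 ❌ | 0 🔥 | 3m 24s ⏱️ |
| errors | 48 | 0 💤 | 0 ❌ | 0 🔥 | 14.081s ⏱️ |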

@darrenvechain darrenvechain changed the title refactor: #666: mnemonic leak fix refactor: #666: mnemonic improvements Apr 30, 2024
@rodolfopietro97 rodolfopietro97 merged commit 4e62584 into main Apr 30, 2024
12 checks passed
@rodolfopietro97 rodolfopietro97 deleted the 666-mnemonic-leak-fix branch April 30, 2024 08:44