fix(wallets): prevent path traversal in wallet_file_path and update file extension #2400
Is it intended to disallow wallet names with spaces in them? The current docs example at https://komodoplatform.com/en/docs/komodo-defi-framework/setup/configure-mm2-json/#example-with-wallet-name-and-wallet-password does not conform.
Tested otherwise and encountered the expected errors where special chars were used. Wallet file saved to the expected location with json extension, launches as expected with the correct wallet_password, and fails to launch if wallet_password deviates from its initial setting.
Incidentally, wallet_password accepted weakpass without issue. Shouldn't we enforce the same password requirements as we do for the RPC password?
I will allow spaces again.
@smk762 Allowed spaces in wallet name; leading or trailing spaces are trimmed as well.
I meant for this to let GUI handle it, but just found we have
Confirming this is functioning as expected, and the resultant wallet file trims pre/post spaces.
Should I open a separate issue for this? It's currently the only aspect of this PR blocking approval.
This should be fixed now @smk762. Password policy will be enforced if
Thanks! On launch, creating a wallet with an existing seed:
On launch, creating a wallet with a new seed:
LGTM!
mariocynicys left a comment
Thanks!
Looks good. Only a couple of nits and questions.
mm2src/mm2_main/src/lp_wallet.rs
    let is_weak_password_accepted = ctx.conf["allow_weak_password"].as_bool() == Some(true);
    if !is_weak_password_accepted {
Looks off; what about ctx.conf["allow_weak_password"].as_bool().unwrap_or(false)?
I just used what was used elsewhere for RPC password, but your suggestion works. Will fix it.
    if wallet_password.is_empty() {
        return MmError::err(WalletInitError::PasswordPolicyViolation(
            "`wallet_password` cannot be empty".to_string(),
        ));
    }
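Review bot: `is_empty()` at the top of this block only rejects the zero-length string, so a password made up entirely of whitespace passes it, and when `allow_weak_password` is enabled the policy checker that follows is skipped as well. If that is not intended, test `wallet_password.trim().is_empty()` here, or let the policy checker treat whitespace-only input as empty.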
Nit: we can allow an empty pass and have such a check in the password_policy checker (i.e. when weak passes are disabled).
Again, following the same standards as the RPC password, ref. https://github.com/KomodoPlatform/komodo-defi-framework/blob/60302fc6da783d65da02485a40d7fa50a79bdab5/mm2src/mm2_main/src/mm2.rs#L143-L145
I will leave the empty check, as removing it would allow no password, not a weak password.
mm2src/mm2_core/src/mm_ctx.rs
    if !wallet_name_trimmed
        .chars()
        .all(|c| c.is_alphanumeric() || c == '-' || c == '_' || c == ' ')
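Review bot: `Iterator::all` returns true for an empty iterator, so a name that is empty after `trim()` passes this filter unchanged; unless an explicit emptiness check precedes it (not visible in this fragment), the empty name would be joined onto the db root as a bare extension. Suggest `if wallet_name_trimmed.is_empty() || !wallet_name_trimmed.chars().all(...)`, or a separate early return for the empty case.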
Nit: ['-', '_', ' '].contains(&c)
My approach is actually more memory efficient :)
mm2src/mm2_core/src/mm_ctx.rs
    #[cfg(not(target_arch = "wasm32"))]
    pub fn wallet_file_path(&self, wallet_name: &str) -> PathBuf {
        self.db_root().join(wallet_name.to_string() + ".dat")
    pub fn wallet_file_path(&self, wallet_name: &str) -> Result<PathBuf, String> {
        let wallet_name_trimmed = wallet_name.trim();
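Review bot: the new signature returns `Result<PathBuf, String>` while the wallet code in this same PR reports failures through `MmError` with a typed variant (`WalletInitError::PasswordPolicyViolation`); a typed error here would let callers match on the failure instead of on strings. The removed line joined the raw `wallet_name` directly onto `db_root()`; the rest of the new body is outside this fragment, so confirm that it is `wallet_name_trimmed`, not `wallet_name`, that reaches the `join`.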
Nit: this method feels too specific to be included in mm_ctx.rs. It's used solely in mnemonic_storage.rs and I think it should be defined there.
mm2src/mm2_core/src/mm_ctx.rs
    if !wallet_name_trimmed
        .chars()
        .all(|c| c.is_alphanumeric() || c == '-' || c == '_' || c == ' ')
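Review bot: `char::is_alphanumeric` is Unicode-aware (it accepts any char with the Alphabetic property or a Numeric general category), so the reviewer's observation is correct. This does not weaken the traversal fix, since `/`, `\`, `.` and NUL are not alphanumeric, but two names that differ only in Unicode normalization form are accepted here as distinct while some filesystems normalize or case-fold file names and may resolve both to the same file. If non-ASCII names are kept, consider normalizing the trimmed name (e.g. to NFC) before joining, or document the behaviour.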
is_alphanumeric() allows non-English Unicode chars. Do we want that?
Why not :)
A wallet can have a non-English name, I suppose.
@mariocynicys All comments were addressed; please give this another look.
This PR prevents wallet file path traversal attacks by properly validating wallet names before constructing file paths.
Changes
- wallet_file_path now only allows alphanumeric characters, dash, and underscore in wallet names.
- The wallet file extension changes from .dat to .json to better reflect its content.
Fixes #2355
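The allow-list approach the description outlines, as an added example that is not the PR's own code: the pre-fix `join` next to a hardened version, using a hypothetical `WalletNameError` enum and a constructed `/data/DB` root in place of `db_root()`. The accepted character set includes the space that the review thread settled on, and `stays_under` makes the escape of the unchecked version visible.

```rust
use std::path::{Path, PathBuf};

/// Hypothetical error type for this example; the PR itself returns `Result<PathBuf, String>`.
#[derive(Debug, PartialEq)]
pub enum WalletNameError {
    Empty,
    InvalidChar(char),
}

/// Pre-fix construction: the untrusted name is joined straight onto the db root.
/// `Path::join` keeps `..` components verbatim and, for an absolute argument,
/// discards the base entirely, so the result can land outside `db_root`.
pub fn wallet_file_path_unchecked(db_root: &Path, wallet_name: &str) -> PathBuf {
    db_root.join(wallet_name.to_string() + ".dat")
}

/// Hardened construction following the PR's allow-list: surrounding whitespace is trimmed,
/// the name must be non-empty, and only alphanumerics, '-', '_' and ' ' are accepted.
/// No separator, '.' or NUL can pass, so the result is always a direct child of `db_root`.
pub fn wallet_file_path(db_root: &Path, wallet_name: &str) -> Result<PathBuf, WalletNameError> {
    let trimmed = wallet_name.trim();
    if trimmed.is_empty() {
        return Err(WalletNameError::Empty);
    }
    if let Some(bad) = trimmed
        .chars()
        .find(|&c| !(c.is_alphanumeric() || matches!(c, '-' | '_' | ' ')))
    {
        return Err(WalletNameError::InvalidChar(bad));
    }
    Ok(db_root.join(format!("{}.json", trimmed)))
}

/// True when `path` sits directly inside `root` (no `..` left in it, no base replacement).
pub fn stays_under(root: &Path, path: &Path) -> bool {
    path.parent() == Some(root)
}

fn main() {
    // Constructed root and sample names; nothing here touches the real filesystem.
    let root = Path::new("/data/DB");
    for name in ["my wallet", "../../etc/passwd", "/etc/passwd", "   "] {
        let unchecked = wallet_file_path_unchecked(root, name);
        println!(
            "{:?}: unchecked -> {} (under root: {}); checked -> {:?}",
            name, unchecked.display(), stays_under(root, &unchecked), wallet_file_path(root, name)
        );
    }
}
```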