fix(connector-besu/quorum/xdai): unvalidated dynamic method call #1912
Added checks to make sure that the Web3 Contract instances'
"methods" object has a property of their own called
the same way the method is called by the request
object. This way if someone tries to execute malicious
code by providing method names that are designed to
execute something other than the smart contract methods
we throw back an error to them instead of complying.
This is needed to fix the following CodeQL security advisories:
https://github.com/hyperledger/cactus/security/code-scanning/23
https://github.com/hyperledger/cactus/security/code-scanning/24
https://github.com/hyperledger/cactus/security/code-scanning/25
https://github.com/hyperledger/cactus/security/code-scanning/26
Todo for later: create a web3-common package that can
be used to house re-usable pieces of code such as the
function that validates if a contract really has a certain
method or not. Right now this method is copy-pasted
to all 3 web3 flavored connectors which is not very nice.
Fixes #1911
Signed-off-by: Peter Somogyvari [email protected]
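The own-property check the commit message describes, as an added TypeScript example that is not Cactus project code: the contract object is a constructed stand-in for a web3 Contract instance (only its `methods` map matters here), and `contractHasMethod`, `invokeChecked` and `makeFakeContract` are hypothetical names.

```typescript
// Constructed stand-in for a web3.eth.Contract: the ABI functions live as
// own properties of `methods`. Anything else reachable through property
// lookup (constructor, __proto__, hasOwnProperty, ...) is inherited from
// Object.prototype and must never be callable from a request.
type ContractMethod = (...args: unknown[]) => { call: () => Promise<unknown> };

interface ContractLike {
  methods: Record<string, ContractMethod>;
}

export function makeFakeContract(): ContractLike {
  const methods: Record<string, ContractMethod> = {
    balanceOf: (_owner: unknown) => ({ call: async () => 42 }),
    transfer: (_to: unknown, _amount: unknown) => ({ call: async () => true }),
  };
  return { methods };
}

// The fix: accept a method name only if `methods` has it as its *own*
// property, i.e. it is an actual ABI function of this contract.
export function contractHasMethod(contract: ContractLike, methodName: string): boolean {
  return Object.prototype.hasOwnProperty.call(contract.methods, methodName);
}

// Shows why a plain typeof/truthiness check is not enough: names inherited
// from Object.prototype (e.g. "constructor") still resolve to functions.
export function resolvesToFunctionWithoutCheck(contract: ContractLike, methodName: string): boolean {
  const candidate = (contract.methods as Record<string, unknown>)[methodName];
  return typeof candidate === "function";
}

// Hardened dispatch used by the request handler: reject unknown names with
// an error instead of performing the dynamic call.
export function invokeChecked(contract: ContractLike, methodName: string, args: unknown[]) {
  if (!contractHasMethod(contract, methodName)) {
    throw new Error(`Contract has no method named "${methodName}"`);
  }
  return contract.methods[methodName](...args);
}
```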