Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

chore(web connector): unify sendable schema with klesia #220

Merged
merged 2 commits into from
Nov 6, 2024
Merged

chore(web connector): unify sendable schema with klesia #220

merged 2 commits into from
Nov 6, 2024

Conversation

mrcnk
Copy link
Member

@mrcnk mrcnk commented Nov 4, 2024

Describe changes

Ticket or discussion link

Review checklist

  • Proper documentation added
  • Proper tests added

Screenshots

@deepsource-io deepsource.io
Copy link

deepsource-io bot commented Nov 4, 2024
edited
Loading

Here's the code health analysis summary for commits a3ef42b..811802a. View details on DeepSource ↗.

Analysis Summary

AnalyzerStatusSummaryLink
DeepSource JavaScript LogoJavaScript✅ Success
❗ 13 occurences introduced
🎯 44 occurences resolved
View Check ↗
💡 If you’re a repository administrator, you can configure the quality gates from the settings.

github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 6, 2024
View reviewed changes
packages/vault/src/account/accountStore.ts
}
state.accounts[network][address] = {
state.accounts[networkId][address] = {

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from
library input
Loading
.

Copilot Autofix AI 2 months ago

To fix the prototype pollution issue, we need to ensure that networkId cannot be set to special property names like __proto__, constructor, or prototype. One effective way to do this is to validate the networkId before using it as a key in the state.accounts object. If the networkId is invalid, we can either throw an error or handle it appropriately.

We will add a validation function to check for these special property names and use this function before any assignment to state.accounts[networkId].

Suggested changeset 1
packages/vault/src/account/accountStore.ts

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vault/src/account/accountStore.ts b/packages/vault/src/account/accountStore.ts
--- a/packages/vault/src/account/accountStore.ts
+++ b/packages/vault/src/account/accountStore.ts
@@ -9,2 +9,6 @@
 
+const isValidKey = (key) => {
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+};
+
 export const initialAccountStoreState: AccountState = {
@@ -23,3 +27,3 @@
       produce((state) => {
-        if (!state.accounts[networkId]?.[address]) {
+        if (isValidKey(networkId) && !state.accounts[networkId]?.[address]) {
           if (!state.accounts[networkId]) {
@@ -40,5 +44,7 @@
       produce((state) => {
-        state.accounts[network][address] = {
-          ...account,
-          accountInfo,
+        if (isValidKey(network)) {
+          state.accounts[network][address] = {
+            ...account,
+            accountInfo,
+          }
         }
@@ -52,5 +58,7 @@
       produce((state) => {
-        state.accounts[network][address] = {
-          ...account,
-          transactions,
+        if (isValidKey(network)) {
+          state.accounts[network][address] = {
+            ...account,
+            transactions,
+          }
         }
@@ -62,3 +70,3 @@
       produce((state) => {
-        if (!state.accounts?.[network]?.[address]) {
+        if (isValidKey(network) && !state.accounts?.[network]?.[address]) {
           state.accounts[network] = state.accounts[network] || {}
@@ -74,3 +82,5 @@
       produce((state) => {
-        delete state.accounts[network][address]
+        if (isValidKey(network)) {
+          delete state.accounts[network][address]
+        }
       }),
EOF
@@ -9,2 +9,6 @@

const isValidKey = (key) => {
return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
};

export const initialAccountStoreState: AccountState = {
@@ -23,3 +27,3 @@
produce((state) => {
if (!state.accounts[networkId]?.[address]) {
if (isValidKey(networkId) && !state.accounts[networkId]?.[address]) {
if (!state.accounts[networkId]) {
@@ -40,5 +44,7 @@
produce((state) => {
state.accounts[network][address] = {
...account,
accountInfo,
if (isValidKey(network)) {
state.accounts[network][address] = {
...account,
accountInfo,
}
}
@@ -52,5 +58,7 @@
produce((state) => {
state.accounts[network][address] = {
...account,
transactions,
if (isValidKey(network)) {
state.accounts[network][address] = {
...account,
transactions,
}
}
@@ -62,3 +70,3 @@
produce((state) => {
if (!state.accounts?.[network]?.[address]) {
if (isValidKey(network) && !state.accounts?.[network]?.[address]) {
state.accounts[network] = state.accounts[network] || {}
@@ -74,3 +82,5 @@
produce((state) => {
delete state.accounts[network][address]
if (isValidKey(network)) {
delete state.accounts[network][address]
}
}),
Copilot is powered by AI and may make mistakes. Always verify output.
Positive Feedback
Negative Feedback

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Please select one or more of the options
@mrcnk mrcnk merged commit 2f43e8d into main Nov 6, 2024
4 checks passed
@mrcnk mrcnk deleted the chore/unify-sendable-schema branch November 6, 2024 13:33
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mrcnk