Risk setting in the runGetMethod from API file #2

Open
MDDAIEXPOSER opened this issue Feb 7, 2023 · 0 comments

MDDAIEXPOSER commented Feb 7, 2023

Bug Type

Security

Reproduction steps

  1. Check code from dTonAPI
  2. The defaultOptions for Apollo Client are set to watchQuery and query with fetchPolicy: 'no-cache' and errorPolicy: 'ignore' or 'all', respectively. This can have an impact on the reliability and security of the data returned from the API.
  3. Additionally, the code does not validate the inputs from the user, which could result in potential security issues if an attacker provides malicious input to the methods. For example, the runGetMethod method accepts a "method" and a "stack" parameter, which are used in the query to the server. If an attacker provides a malicious "method" or "stack" parameter, the server may execute unintended code or return unintended data. It is important to validate user inputs and sanitize them before using them in a query.

An attacker could provide a malicious input in the "stack" parameter in the "runGetMethod" method by injecting arbitrary code in the form of smart contract operations into the stack. This could potentially lead to execution of arbitrary code and compromise of sensitive data, such as private keys or financial information stored on the blockchain. To prevent this, it is important to properly validate and sanitize any user-provided input before using it in smart contract operations. This may include checking for valid types, proper encoding, and conformance to expected input ranges.

Actual result

The method must work with protected data processed before use

Expected result

We are well aware that there is a firewall that protects the target machine from being compromised. But the code contains risk vectors presented as parameters without filtering.

Suggested Severity

Medium

Device

Desktop (please complete the following information):

  • Windows
  • 10

Additional Context

```javascript
import {ApolloClient, InMemoryCache, gql, createHttpLink} from '@apollo/client';
import {Address} from "ton3-core";

export default class dTonAPI {
    constructor() {
        const defaultOptions = {
            watchQuery: {
                fetchPolicy: 'no-cache',
                errorPolicy: 'ignore',
            },
            query: {
                fetchPolicy: 'no-cache',
                errorPolicy: 'all',
            },
        }

        this.client = new ApolloClient({
            // createHttpLink is a factory function, not a constructor
            link: createHttpLink({
                uri: "https://dton.io/graphql/"
            }),
            // not an ApolloClient constructor option; it only takes effect when passed to the HTTP link
            fetchOptions: {
                mode: 'no-cors',
            },
            defaultOptions: defaultOptions,
            cache: new InMemoryCache({addTypename: false})
        });
    }

    getTransactionCount = (address) => {
        // the address is parsed by ton3-core before any part of it reaches the query text
        const tonAddress = new Address(address)
        const rawAddress = tonAddress.toString('raw');

        // client.query takes a single options object; the trailing {fetchPolicy} argument is ignored
        return this.client.query({
            query: gql`{
                accountTransactionCount(
                    address: "${rawAddress.slice(2, rawAddress.length)}"
                    workchain: ${tonAddress.workchain}
                )
            }`,
        }, {fetchPolicy: "no-cache"})
    }

    calculateJettonAddress = (jettonAddress, userAddress) => {
        // both arguments are spliced into the query text as-is, with no validation
        return this.client.query({
            query: gql`{
                getJettonWalletAddress(
                    minter_address: "${jettonAddress}"
                    user_address: "${userAddress}"
                )
            }`,
        }, {fetchPolicy: "no-cache"})
    }

    getNftOwner = (address) => {
        const tonAddress = new Address(address)
        const rawAddress = tonAddress.toString('raw');

        return this.client.query({
            query: gql`{
                transactions(
                    address: "${rawAddress.slice(2, rawAddress.length)}"
                    workchain: ${tonAddress.workchain}
                    page_size: 1
                ) {
                    parsed_nft_owner_address_address
                    parsed_nft_owner_address_workchain
                }
            }`,
        }, {fetchPolicy: "no-cache"})
    }

    getContractInfo = (address) => {
        const tonAddress = new Address(address)
        const rawAddress = tonAddress.toString('raw');

        return this.client.query({
            query: gql`{
                transactions(
                    address: "${rawAddress.slice(2, rawAddress.length)}"
                    workchain: ${tonAddress.workchain}
                    page_size: 1
                ) {
                    account_storage_balance_grams
                    account_state_state_init_code
                }

                accountTransactionCount(
                    address: "${rawAddress.slice(2, rawAddress.length)}"
                    workchain: ${tonAddress.workchain}
                )
            }`,
        }, {fetchPolicy: "no-cache"})
    }

    getNftContent = (address) => {
        const tonAddress = new Address(address)
        const rawAddress = tonAddress.toString('raw');

        return this.client.query({
            query: gql`{
                transactions(
                    address: "${rawAddress.slice(2, rawAddress.length)}"
                    workchain: ${tonAddress.workchain}
                    page_size: 1
                ) {
                    parsed_nft_content_offchain_url
                }
            }`,
        }, {fetchPolicy: "no-cache"})
    }

    runGetMethod = (address, method, stack) => {
        const tonAddress = new Address(address)
        const rawAddress = tonAddress.toString('raw');

        // `method` and every stack entry's type and value are spliced into the
        // operation text as-is; gql concatenates interpolated strings into the document
        const stackSerialized = stack.map(x => `{value_type: "${x.type}", value: "${x.value}"}`).join(",")

        return this.client.query({
            query: gql`
                mutation {
                    run_method(
                        stack: [${stackSerialized}]
                        method_name: "${method}"
                        account_search_by_address: {address: "${rawAddress.slice(2, rawAddress.length)}", workchain: ${tonAddress.workchain}}
                    ) {
                        stack {
                            value
                            value_type
                        }
                        exit_code
                    }
                }`,
        }, {fetchPolicy: "no-cache"})
    }
}
```
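The check the report asks for, as an added example that is neither the issue author's code nor dTonAPI's: `method` and `stack` are validated against their expected shapes, and the validated values are sent as GraphQL variables so the operation text stays constant instead of being assembled from caller strings. The allow-list of `value_type` tags, the character set allowed in stack values and the variable type name `StackEntryInput` are assumptions made for this example, not taken from the dton.io schema; the argument names mirror the mutation shown in the issue.

```javascript
// Added example, not dTonAPI's code. Validates runGetMethod inputs and passes
// them as GraphQL variables instead of splicing them into the query text.
// Assumption: `StackEntryInput` is a placeholder for the real input type name
// in the dton.io schema.

// Allow-list of value_type tags accepted in a stack entry (constructed for this
// example; align it with the types the target schema actually accepts).
const ALLOWED_VALUE_TYPES = new Set(["int", "cell", "slice"]);

// Get-method names are identifiers, so an identifier pattern is the shape check.
const METHOD_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]{0,63}$/;

// The raw TON address body (the part after "workchain:") is 64 hex characters.
const RAW_ADDRESS_HEX_RE = /^[0-9a-fA-F]{64}$/;

// Stack values are limited to a conservative character set (constructed
// assumption): letters, digits, and the characters used by base64 and hex.
const STACK_VALUE_RE = /^[A-Za-z0-9+\/=_-]{1,4096}$/;

// Returns a normalised copy of the inputs, or throws a TypeError naming the
// first field that failed. Nothing from the caller reaches the operation text.
function validateRunMethodInput(rawAddressHex, workchain, method, stack) {
  if (typeof rawAddressHex !== "string" || !RAW_ADDRESS_HEX_RE.test(rawAddressHex)) {
    throw new TypeError("address: expected 64 hex characters");
  }
  // -1 (masterchain) and 0 (basechain) are the TON workchains in use.
  if (workchain !== -1 && workchain !== 0) {
    throw new TypeError("workchain: expected -1 or 0");
  }
  if (typeof method !== "string" || !METHOD_NAME_RE.test(method)) {
    throw new TypeError("method: not a valid get-method name");
  }
  if (!Array.isArray(stack) || stack.length > 16) {
    throw new TypeError("stack: expected an array of at most 16 entries");
  }
  const cleanStack = stack.map((entry, i) => {
    if (entry === null || typeof entry !== "object") {
      throw new TypeError(`stack[${i}]: expected an object`);
    }
    const { type, value } = entry;
    if (!ALLOWED_VALUE_TYPES.has(type)) {
      throw new TypeError(`stack[${i}].type: value_type not allowed`);
    }
    if (typeof value !== "string" || !STACK_VALUE_RE.test(value)) {
      throw new TypeError(`stack[${i}].value: unexpected characters or length`);
    }
    // Digit bound chosen for this example; an int value must be a decimal integer.
    if (type === "int" && !/^-?[0-9]{1,78}$/.test(value)) {
      throw new TypeError(`stack[${i}].value: int must be a decimal integer`);
    }
    return { value_type: type, value };
  });
  return { address: rawAddressHex.toLowerCase(), workchain, method, stack: cleanStack };
}

// Fixed operation text: variables carry the data, so this string is identical
// for every call. Variable type names are assumed placeholders (see above).
const RUN_METHOD_OPERATION = `
mutation RunMethod($stack: [StackEntryInput!]!, $method: String!, $address: String!, $workchain: Int!) {
  run_method(
    stack: $stack
    method_name: $method
    account_search_by_address: {address: $address, workchain: $workchain}
  ) {
    stack { value value_type }
    exit_code
  }
}`;

// Builds the { query, variables } pair to hand to the GraphQL client.
// Throws before anything is sent if the input does not pass validation.
function buildRunMethodRequest(rawAddressHex, workchain, method, stack) {
  const v = validateRunMethodInput(rawAddressHex, workchain, method, stack);
  return {
    query: RUN_METHOD_OPERATION,
    variables: { stack: v.stack, method: v.method, address: v.address, workchain: v.workchain },
  };
}
```

With Apollo the result is sent as `client.mutate({ mutation: gql(req.query), variables: req.variables })`; because the document never changes, a value containing quotes, braces or newlines is rejected by the validator or travels as data, not as query syntax. The same pattern applies to `calculateJettonAddress`, whose two address arguments are currently interpolated unparsed.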
