fix: current-cycle-hash resp type issue #35

tanuj-shardeum · 2024-06-17T09:24:47Z

No description provided.

linear · 2024-06-17T09:24:50Z

BLUE-117 syncV2 is breaking in archiver due to 'current-cycle-hash'

ISSUE SUMMARY:

The current-cycle-hash endpoint https://github.com/shardeum/shardus-core/blob/1fa5f1c32f4b1044ea4dbb217a4ebb23a0596eb6/src/p2p/SyncV2/routes.ts#L52) seems to be changed recently. Basically, the response of it appears to be now as text , which seemed to be json before.

const res = await get(url)

  if (res.ok) {
    return (await res.json()) as T
  } else {
    throw new Error(`get failed with status ${res.statusText}`)
  }

I had to change the above code in the archiver

archive-server/src/sync-v2/queries.ts

Line 43 in 2790f66

const res = await get(url)

in the as following to get it working as a temp solution.

  const res = await get(url)

  if (res.ok) {
    let result
    if (url.includes('current-cycle-hash')) result = await res.text()
    else  result = await res.json()
    return (result) as T
  } else {
    throw new Error(`get failed with status ${res.statusText}`)
  }

<<TODO: Replace this with a short summary of the issue.>>

ISSUE REPRO STEPS:

<HINT: Add steps to list as-needed. If interaction is complex, add screenshots or a Slack screen-capture video (just drag and drop)>

<<TODO: Replace with repro step Bump the npm_and_yarn group across 1 directory with 3 updates #1>>
<<TODO: Replace with repro step Challenge receipt #2>>
Observe <<TODO: Describe unintended behavior.>>

EXPECTED RESULT:

<<TODO: Replace this with your expected results.>>

PULL REQUESTS:

<HINT: If your fix requires changes in multiple repos, add the following info per-repository.>

<<TODO: Enter Repository Name>>

Pull Request Link: <<TODO: Insert PR-LINK>>

GPT Review Link: <<TODO: Insert GPT-Review-Link>>

Jenkins Test Link: <<TODO: Insert Jenkins Test Job Link>>

ADDITIONAL INSTRUCTIONS:

<HINT: Add any additional instructions needed for the assignee. If you have specific requirements for how the task should be implemented or fixed, enter them or link them here.>

<<TODO: Insert additional instructions for assignee.>>

src/Data/Collector.ts

-  )
+  if (savedReceiptsCount > 0)
+    Logger.mainLogger.debug(
+      `Clean ${savedReceiptsCount} old receipts from the processed receipts cache on cycle ${getCurrentCycleCounter()}`


The problem with the code is that it logs user-provided data without sanitizing it first. This can lead to log injection attacks where an attacker can manipulate the log entries by providing malicious input.

To fix this issue, we need to sanitize the user-provided data before logging it. In this case, we can use the String.prototype.replace method to remove any newline characters from the user-provided data. This will prevent the attacker from creating new log entries by injecting newline characters into the input.

In the file src/API.ts, we need to sanitize the gossipPayload variable before passing it to the Collector.validateGossipData and Collector.processGossipData methods. We can do this by replacing all newline characters in the gossipPayload string with an empty string.

In the file src/Data/Collector.ts, we need to sanitize the getCurrentCycleCounter() function call before logging it. We can do this by converting the result of the function call to a string and then replacing all newline characters with an empty string.

src/Data/Collector.ts

-  )
+  if (savedOriginalTxsCount > 0)
+    Logger.mainLogger.debug(
+      `Clean ${savedOriginalTxsCount} old originalTxsData from the processed originalTxsData cache on cycle ${getCurrentCycleCounter()}`


The problem with the code is that it logs user-provided data without sanitizing it first. This can lead to log injection attacks where a malicious user can manipulate the log entries by providing input with special characters that are interpreted when the log output is displayed.

To fix this issue, we need to sanitize the user-provided data before logging it. In this case, we can use the String.prototype.replace method to remove any newline characters from the user-provided data. This will prevent the user from injecting new log entries by providing input with newline characters.

In the file src/API.ts, we need to sanitize the gossipPayload variable before logging it. We can do this by replacing all newline characters in the gossipPayload variable with an empty string.

In the file src/Data/Collector.ts, we need to sanitize the getCurrentCycleCounter() function before logging it. We can do this by converting the function's return value to a string and then replacing all newline characters in the string with an empty string.

afostr and others added 3 commits June 16, 2024 09:33

baked in newPOQReceipt = false

05b4d75

3.4.20

e4e0405

Added the before/after account hash exist check in the appliedReceipt

a270ead

tanuj-shardeum requested a review from jairajdev June 17, 2024 09:24

jairajdev previously approved these changes Jun 17, 2024

View reviewed changes

jairajdev and others added 2 commits June 17, 2024 17:36

Additional hardening for old POQ

b5333f9

fix: current-cycle-hash resp type issue

00e6712

afostr dismissed jairajdev’s stale review via 00e6712 June 17, 2024 22:12

afostr force-pushed the BLUE-117 branch from bafbd7f to 00e6712 Compare June 17, 2024 22:12

3.4.21

13cfc2e

github-advanced-security bot found potential problems Jun 17, 2024

View reviewed changes

afostr merged commit 13cfc2e into dev Jun 17, 2024
1 check passed

mhanson-github deleted the BLUE-117 branch September 5, 2024 02:54

@@ -1254,6 +1254,9 @@
               }
-              if (savedReceiptsCount > 0)
+              if (savedReceiptsCount > 0) {
+                // Sanitize getCurrentCycleCounter() by replacing newline characters
+                const sanitizedCycleCounter = String(getCurrentCycleCounter()).replace(/\n|\r/g, "")
                 Logger.mainLogger.debug(
-                  `Clean ${savedReceiptsCount} old receipts from the processed receipts cache on cycle ${getCurrentCycleCounter()}`
+                  `Clean ${savedReceiptsCount} old receipts from the processed receipts cache on cycle ${sanitizedCycleCounter}`
                 )
+              }
             }

@@ -838,3 +838,5 @@
               server.post('/gossip-data', async (_request: GossipDataRequest, reply) => {
-                const gossipPayload = _request.body
+                let gossipPayload = _request.body
+                // Sanitize gossipPayload by replacing newline characters
+                gossipPayload = JSON.parse(JSON.stringify(gossipPayload).replace(/\\n|\\r/g, ""))
                 if (config.VERBOSE)

@@ -840,3 +840,3 @@
                 if (config.VERBOSE)
-                  Logger.mainLogger.debug('Gossip Data received', StringUtils.safeStringify(gossipPayload))
+                  Logger.mainLogger.debug('Gossip Data received', StringUtils.safeStringify(gossipPayload).replace(/\n|\r/g, ""))
                 const result = Collector.validateGossipData(gossipPayload)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: current-cycle-hash resp type issue #35

fix: current-cycle-hash resp type issue #35

tanuj-shardeum commented Jun 17, 2024

linear bot commented Jun 17, 2024

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

fix: current-cycle-hash resp type issue #35

fix: current-cycle-hash resp type issue #35

Conversation

tanuj-shardeum commented Jun 17, 2024

linear bot commented Jun 17, 2024