From 9e678e2773e399c440759fc3ef6477488c319937 Mon Sep 17 00:00:00 2001
From: lserra-iov
Date: Wed, 15 Jan 2025 18:59:58 -0300
Subject: [PATCH 1/5] Check for permissions before getting addresses

---
 src/common/services/XverseService.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/common/services/XverseService.ts b/src/common/services/XverseService.ts
index b2d866899..f86385485 100644
--- a/src/common/services/XverseService.ts
+++ b/src/common/services/XverseService.ts
@@ -23,7 +23,13 @@ export default class XverseService extends WalletService {
     }
   }
-  getAccountAddresses(): Promise {
+  async getAccountAddresses(): Promise {
+    // @ts-expect-error method type not provided
+    const permissions = await Wallet.request('wallet_getCurrentPermissions', undefined);
+    if (permissions.status !== 'success') {
+      // @ts-expect-error method type not provided
+      await Wallet.request('wallet_requestPermissions', undefined);
+    }
     return new Promise((resolve, reject) => {
       const walletAddresses: WalletAddress[] = [];
       const payload = {
From 5fb522e03105e533be9ff3d6ef8bc2e6d5af3a58 Mon Sep 17 00:00:00 2001
From: Alex Braz
Date: Thu, 16 Jan 2025 12:24:14 -0300
Subject: [PATCH 2/5] setting axios to v1.7.7

---
 package-lock.json | 20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 4f48702c7..83a9d005b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -7104,7 +7104,7 @@
         "@rsksmart/vc-json-schemas-parser": "^1.0.1",
         "@types/styled-components": "5.1.30",
         "assert": "^2.1.0",
-        "axios": "^1.6.8",
+        "axios": "^1.7.7",
         "bignumber.js": "^9.1.2",
         "buffer": "^6.0.3",
         "did-resolver": "^4.1.0",
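Review bot: The result of `wallet_requestPermissions` is discarded, so when the user declines the prompt execution still continues into the address request below exactly as if permission had been granted. Capture and check that response the same way the current-permissions response is checked, e.g. `const granted = await Wallet.request('wallet_requestPermissions', undefined);` followed by `if (granted.status !== 'success') throw new Error('Wallet permissions were not granted');`, so the returned promise rejects instead of falling through. Checking only `status === 'success'` on `wallet_getCurrentPermissions` also does not establish that the address-read permission is among those granted; if that response carries a permission list, the required entry should be checked rather than the status alone. The body of getAccountAddresses continues past the end of the hunk.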
@@ -7250,7 +7250,7 @@
       "resolved": "https://registry.npmjs.org/@sats-connect/core/-/core-0.0.8.tgz",
       "integrity": "sha512-vb7drnd8lFfO4ahCzaVAFkX1eHF1J7jheJl2V/JuuJd5f1sy6nHeNzKMp1zmiuql8uNwe0Sx1WrK1I+4tUmDHg==",
       "dependencies": {
-        "axios": "1.6.8",
+        "axios": "1.7.7",
         "bitcoin-address-validation": "2.2.3",
         "buffer": "6.0.3",
         "jsontokens": "4.0.1",
@@ -7258,9 +7258,9 @@
       }
     },
     "node_modules/@sats-connect/core/node_modules/axios": {
-      "version": "1.6.8",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
-      "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==",
+      "version": "1.7.7",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.7.tgz",
+      "integrity": "sha512-S4kL7XrjgBmvdGut0sN3yJxqYzrDOnivkBiN0OFs6hLiUam3UPvswUo0kqGyhqUZGEOytHyumEdXsAkgCOUf3Q==",
       "dependencies": {
         "follow-redirects": "^1.15.6",
         "form-data": "^4.0.0",
@@ -12413,7 +12413,7 @@
       "hasInstallScript": true,
       "dependencies": {
         "@testim/chrome-version": "^1.1.4",
-        "axios": "^1.6.0",
+        "axios": "^1.7.7",
         "compare-versions": "^6.1.0",
         "extract-zip": "^2.0.1",
         "https-proxy-agent": "^5.0.1",
@@ -26819,7 +26819,7 @@
       "resolved": "https://registry.npmjs.org/@sats-connect/core/-/core-0.0.7.tgz",
       "integrity": "sha512-4m5amq+orHDbqLqCRWojvDQigKAys33Ntwc7U5xNtFeib4j+DpYz6lVAL/s3cay1kq03WUZ+Gil3l5rv+5bQWQ==",
       "dependencies": {
-        "axios": "1.6.8",
+        "axios": "1.7.7",
         "bitcoin-address-validation": "2.2.3",
         "buffer": "6.0.3",
         "jsontokens": "4.0.1",
@@ -26832,9 +26832,9 @@
       "integrity": "sha512-6MUXFDGTapBhZAxb6deAdqKuB64GOe6k927gGww5JYwVnOUCaHGDcfaZ/lwexzYL45u8RJof12I4np7MgS+Bwg=="
     },
     "node_modules/sats-connect/node_modules/axios": {
-      "version": "1.6.8",
-      "resolved": "https://registry.npmjs.org/axios/-/axios-1.6.8.tgz",
-      "integrity": "sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==",
+      "version": "1.7.7",
+      "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.7.tgz",
+      "integrity": "sha512-S4kL7XrjgBmvdGut0sN3yJxqYzrDOnivkBiN0OFs6hLiUam3UPvswUo0kqGyhqUZGEOytHyumEdXsAkgCOUf3Q==",
       "dependencies": {
         "follow-redirects": "^1.15.6",
         "form-data": "^4.0.0",
From 9b95f9f95b5ef48cdff0635223cf41f73f19d290 Mon Sep 17 00:00:00 2001
From: ronaldsg
Date: Thu, 16 Jan 2025 12:10:59 -0500
Subject: [PATCH 3/5] Comment ledger rlogin provider inclusion on the app

---
 src/common/utils/rlogin.ts | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/common/utils/rlogin.ts b/src/common/utils/rlogin.ts
index 2395d7f6c..eab7e9d6f 100644
--- a/src/common/utils/rlogin.ts
+++ b/src/common/utils/rlogin.ts
@@ -53,13 +53,11 @@ export function getRloginInstance(features: Array): RLogin {
     rpcUrls,
     supportedChains,
   };
-  const ledgerFeature = features.find((feature) => feature.name === FeatureNames.WALLET_LEDGER);
-  if (ledgerFeature?.value === constants.ENABLED
-    && ledgerFeature.supportedBrowsers[currentBrowser.toLowerCase() as keyof SupportedBrowsers]) {
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-ignore
-    rLoginOptions.providerOptions['custom-ledger'] = customLedgerProviderOptions;
-  }
+  // const ledgerFeature = features.find((feature) => feature.name === FeatureNames.WALLET_LEDGER);
+  // if (ledgerFeature?.value === constants.ENABLED
+  //   && ledgerFeature.supportedBrowsers[currentBrowser.toLowerCase() as keyof SupportedBrowsers]) {
+  //   rLoginOptions.providerOptions['custom-ledger'] = customLedgerProviderOptions;
+  // }
   const trezorFeature = features.find((feature) => feature.name === FeatureNames.WALLET_TREZOR);
   if (trezorFeature?.value === constants.ENABLED
     && trezorFeature.supportedBrowsers[currentBrowser.toLowerCase() as keyof SupportedBrowsers]) {
From 04bf3f8adbd12d6ecb9fedeac11ffc5bf473a3e6 Mon Sep 17 00:00:00 2001
From: Alex Braz
Date: Wed, 15 Jan 2025 14:27:28 -0300
Subject: [PATCH 4/5] [VULN-598] [2WI-027] Weakened CSP

---
 .env.local.test | 1 +
 .github/workflows/deploy_MainNet_UI.yml | 1 +
 .github/workflows/deploy_TestNet_UI.yml | 1 +
 .../workflows/deploy_staging_MainNet_UI.yml | 1 +
 .../workflows/deploy_staging_TestNet_UI.yml | 1 +
 src/App.vue | 2 +-
 src/common/types/environment-variables.ts | 27 ++++++++++---------
 src/main.ts | 1 +
 8 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/.env.local.test b/.env.local.test
index eeb81b5af..f9f8c0ec0 100644
--- a/.env.local.test
+++ b/.env.local.test
@@ -30,3 +30,4 @@ NODE_ENV=test
 VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
 VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
 VUE_APP_FLYOVER_PROVIDER_ID=2
+VUE_APP_CSP=https://staging.lps.tekscapital.com
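Review bot: The ledger block is commented out rather than deleted, which leaves dead code in getRloginInstance and, with the `@ts-ignore` gone, nothing states why the provider is no longer registered. `customLedgerProviderOptions`, `SupportedBrowsers` and `FeatureNames.WALLET_LEDGER` are now referenced only from inside the comment, so any import that served them alone will likely trip unused-import lint. Prefer removing the block outright (git history keeps it) and leaving one line here such as `// Ledger rLogin provider intentionally not registered; see <tracking-issue placeholder>` so the next reader knows it is deliberate. getRloginInstance starts before this hunk and continues after it.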
diff --git a/.github/workflows/deploy_MainNet_UI.yml b/.github/workflows/deploy_MainNet_UI.yml
index fc62cd981..feb9b252f 100644
--- a/.github/workflows/deploy_MainNet_UI.yml
+++ b/.github/workflows/deploy_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://lps.tekscapital.com
           npm run-script build
       - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_TestNet_UI.yml b/.github/workflows/deploy_TestNet_UI.yml
index 95804c7eb..c9ebcfb47 100644
--- a/.github/workflows/deploy_TestNet_UI.yml
+++ b/.github/workflows/deploy_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://staging.lps.tekscapital.com
           npm run-script build
       - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_staging_MainNet_UI.yml b/.github/workflows/deploy_staging_MainNet_UI.yml
index d3327aca6..97fea87e0 100644
--- a/.github/workflows/deploy_staging_MainNet_UI.yml
+++ b/.github/workflows/deploy_staging_MainNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=2
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://lps.tekscapital.com
           npm run-script build
       - name: Configure AWS credentials
diff --git a/.github/workflows/deploy_staging_TestNet_UI.yml b/.github/workflows/deploy_staging_TestNet_UI.yml
index b92a88bee..276646849 100644
--- a/.github/workflows/deploy_staging_TestNet_UI.yml
+++ b/.github/workflows/deploy_staging_TestNet_UI.yml
@@ -56,6 +56,7 @@ jobs:
           VUE_APP_FLYOVER_PEGOUT_QUOTE_DIFF_PERCENTAGE=20
           VUE_APP_RECAPTCHA_NEW_TOKEN_TIME=30
           VUE_APP_FLYOVER_PROVIDER_ID=2
+          VUE_APP_CSP=https://staging.lps.tekscapital.com
           npm run-script build
       - name: Configure AWS credentials
diff --git a/src/App.vue b/src/App.vue
index 70fe0f6cd..5e639e1d1 100644
--- a/src/App.vue
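Review bot: deploy_TestNet_UI.yml sets `VUE_APP_CSP=https://staging.lps.tekscapital.com`, while the hard-coded connect-src list this variable replaces also allowed https://testnet.lps.tekscapital.com, so unless TestNet builds are meant to talk only to the staging LPS, that origin is lost for TestNet deployments and the browser will block requests to it. The same applies to deploy_staging_TestNet_UI.yml and to .env.local.test; the four workflow values should be checked together so each environment's permitted LPS origin matches the backend that build actually calls. The default in src/main.ts shows the value is whitespace-separated, so a TestNet workflow can list both origins in one value, e.g. `VUE_APP_CSP=https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com`, quoted as the surrounding run step requires (that step starts outside the hunk).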
+++ b/src/App.vue
@@ -48,7 +48,7 @@ export default {
       script-src 'self' 'nonce-${vuetifyNonce}' 'unsafe-eval';
       script-src-elem 'self' 'unsafe-inline' https://script.hotjar.com https://www.clarity.ms/s/* https://static.hotjar.com https://*.hotjar.com https://*.hotjar.io https://api.coingecko.com/ https://*.clarity.ms https://www.clarity.ms/ https://www.gstatic.com/ https://www.google.com/recaptcha/;
       img-src data: https:;
-      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} https://lps.tekscapital.com https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
+      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} ${envVariables.cspConfiguration} https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
       object-src 'none';
       frame-src https://connect.trezor.io https://www.google.com/;
       worker-src 'none';
diff --git a/src/common/types/environment-variables.ts b/src/common/types/environment-variables.ts
index 0c191606d..dac5f893f 100644
--- a/src/common/types/environment-variables.ts
+++ b/src/common/types/environment-variables.ts
@@ -28,18 +28,6 @@ export class EnvironmentVariables {
   public debugMode: boolean;
-  public minFeeSatPerByte: {
-    fast: number;
-    average: number;
-    slow: number;
-  };
-  public miningSpeedBlock: {
-    fast: number;
-    average: number;
-    slow: number;
-  };
   public burnDustValue: number;
   public lbcAddress: string;
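Review bot: `${envVariables.cspConfiguration}` is interpolated into connect-src with no validation, and because the whole policy is one template string, a value containing `;` or a quoted keyword would add or alter directives rather than merely add sources. The value is build-time configuration, so the exposure is limited to whoever controls the CI variables, but normalising it before it reaches this line (split on whitespace, keep only `https://` sources, rejoin) makes a bad or empty value fail closed instead of silently widening the policy. Separately, the `https://api.coingecko.com/*` and `https://www.clarity.ms/*` entries kept on the new line use `*` in the path part, which CSP matches literally rather than as a wildcard; a trailing `/` is what gives a prefix match, as the script-src-elem line above already does for coingecko. The template string continues outside the hunk.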
@@ -54,6 +42,20 @@ export class EnvironmentVariables {
   public flyoverProviderId: number;
+  public cspConfiguration: string;
+
+  public minFeeSatPerByte: {
+    fast: number;
+    average: number;
+    slow: number;
+  };
+
+  public miningSpeedBlock: {
+    fast: number;
+    average: number;
+    slow: number;
+  };
+
   // eslint-disable-next-line @typescript-eslint/no-explicit-any
   constructor(defaultValues: any = {}) {
     this.vueAppCoin = process.env.VUE_APP_COIN || defaultValues.vueAppCoin;
@@ -104,6 +106,7 @@ export class EnvironmentVariables {
       || defaultValues.grecaptchaTime;
     this.flyoverProviderId = Number(process.env.VUE_APP_FLYOVER_PROVIDER_ID)
       || defaultValues.flyoverProviderId;
+    this.cspConfiguration = process.env.VUE_APP_CSP || defaultValues.cspConfiguration;
   }
   public get chainId(): number {
diff --git a/src/main.ts b/src/main.ts
index 49d212efe..26be019ea 100644
--- a/src/main.ts
+++ b/src/main.ts
@@ -34,6 +34,7 @@ const defaultEnvironmentVariables = {
   flyoverPegoutDiffPercentage: 2,
   flyoverProviderId: 2,
   grecaptchaTime: constants.RECAPTCHA_NEW_TOKEN_TIME,
+  cspConfiguration: 'https://testnet.lps.tekscapital.com https://staging.lps.tekscapital.com',
 };
 EnvironmentAccessorService.initializeEnvironmentVariables(defaultEnvironmentVariables);
From ce0153247663df008570e0644e7cdc165bffc8e3 Mon Sep 17 00:00:00 2001
From: Alex Braz
Date: Fri, 17 Jan 2025 17:15:38 -0300
Subject: [PATCH 5/5] Update src/App.vue

Co-authored-by: lserra-iov <117093501+lserra-iov@users.noreply.github.com>
---
 src/App.vue | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/App.vue b/src/App.vue
index 5e639e1d1..618f44fcd 100644
--- a/src/App.vue
+++ b/src/App.vue
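Review bot: `this.cspConfiguration` takes `process.env.VUE_APP_CSP` verbatim, and the value is later spliced into a whitespace-separated CSP directive, so nothing here rejects a token that is not an https source or that carries `;` or quotes capable of splitting the directive. This constructor is the single point where the value enters the app, which makes it the natural place to normalise it: split on whitespace, keep only well-formed `https://` sources and rejoin, so a malformed or empty configuration yields an empty source list rather than an altered policy. The constructor begins before this hunk and its other assignments are unchanged.

```typescript
    this.flyoverProviderId = Number(process.env.VUE_APP_FLYOVER_PROVIDER_ID)
      || defaultValues.flyoverProviderId;
    // Only well-formed https sources may reach the connect-src directive; anything
    // else (stray ';', quotes, non-https schemes) is dropped rather than interpolated.
    const cspSources: string = process.env.VUE_APP_CSP || defaultValues.cspConfiguration || '';
    this.cspConfiguration = cspSources
      .split(/\s+/)
      .filter((source) => /^https:\/\/[A-Za-z0-9.*-]+(:\d+)?(\/[^\s;'"]*)?$/.test(source))
      .join(' ');
```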
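Review bot: The fallback `cspConfiguration` lists only the testnet and staging LPS origins, and it applies whenever VUE_APP_CSP is unset regardless of which network is being built, so a MainNet build that misses the variable would silently drop https://lps.tekscapital.com (previously hard-coded in connect-src) and have its LPS calls blocked at runtime, while a TestNet build would silently keep staging allowed. Consider treating an absent VUE_APP_CSP as a startup error, or deriving the default from the existing network setting rather than a fixed string, and documenting the entry with `// Space-separated https origins appended to connect-src; overridden by VUE_APP_CSP` so its format is clear to whoever edits it next.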
@@ -48,7 +48,7 @@ export default {
       script-src 'self' 'nonce-${vuetifyNonce}' 'unsafe-eval';
       script-src-elem 'self' 'unsafe-inline' https://script.hotjar.com https://www.clarity.ms/s/* https://static.hotjar.com https://*.hotjar.com https://*.hotjar.io https://api.coingecko.com/ https://*.clarity.ms https://www.clarity.ms/ https://www.gstatic.com/ https://www.google.com/recaptcha/;
       img-src data: https:;
-      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} ${envVariables.cspConfiguration} https://api.coingecko.com/* https://*.clarity.ms https://www.clarity.ms/* ;
+      connect-src 'self' 'unsafe-inline' https://www.clarity.ms/s/0.7.16/clarity.js wss://* https://*.hotjar.com https://*.hotjar.io https://www.clarity.ms/s/* wss://*.hotjar.com ${envVariables.vueAppApiBaseUrl} ${envVariables.vueAppRskNodeHost} ${envVariables.cspConfiguration} https://api.coingecko.com/ https://*.clarity.ms https://www.clarity.ms/* ;
       object-src 'none';
       frame-src https://connect.trezor.io https://www.google.com/;
       worker-src 'none';
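Review bot: The fix changes `https://api.coingecko.com/*` to `https://api.coingecko.com/` but leaves `https://www.clarity.ms/*` and `https://www.clarity.ms/s/*` on the same new connect-src line, which have the same defect: CSP matches the path part literally, so `/*` only ever matches a path of `*`, while a trailing `/` gives the intended prefix match. Since `https://*.clarity.ms` on the same line already covers that host, those two entries are either redundant or inert; either delete them or end them at `/` (`https://www.clarity.ms/` and `https://www.clarity.ms/s/`) so the policy says what it appears to say. The template string continues outside the hunk.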