From d8baf4cb78526eba1e869fbeb38328983ffa5689 Mon Sep 17 00:00:00 2001
From: Vsevolods Mihailovs
Date: Tue, 26 Mar 2019 19:26:12 +0200
Subject: [PATCH] Normalize address upon transaction pool inspection (#35)

* Normalize address upon tx pool inspection
* Update dependencies to fix issues reported by NPM audit
---
 AUDIT.md | 2 -
 audit-ci.json | 2 +-
 package-lock.json | 133 +++++++++++++-------------
 package.json | 2 +-
 src/support/nonce/accountInspector.js | 6 +-
 test/nonce.js | 49 ++++++++++
 6 files changed, 124 insertions(+), 70 deletions(-)

diff --git a/AUDIT.md b/AUDIT.md
index cee6d0c..5411fcb 100644
--- a/AUDIT.md
+++ b/AUDIT.md
@@ -12,5 +12,3 @@ Whenever you whitelist a specific advisory it is required to refer it here and j
 | # | Level | Module | Title | Explanation |
 |------|-------|---------|------|-------------|
 | 782 | Moderate | lodash | Prototype Pollution | Dev dependency, path: smart-contracts: > truffle-artifactor > lodash |
-| 755 | High | handlebars | Prototype Pollution | Dev dependency, path: nyc > istanbul-reports > handlebars |
-
diff --git a/audit-ci.json b/audit-ci.json
index 4866389..52f3e78 100644
--- a/audit-ci.json
+++ b/audit-ci.json
@@ -2,6 +2,6 @@
 "low": true,
 "package-manager": "auto",
 "report": true,
- "advisories": [755, 782],
+ "advisories": [782],
 "whitelist": []
 }
diff --git a/package-lock.json b/package-lock.json
index f06abd8..6c0e1e0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -14,14 +14,14 @@ } }, "@babel/generator": { - "version": "7.3.2", - "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.3.2.tgz", - "integrity": "sha512-f3QCuPppXxtZOEm5GWPra/uYUjmNQlu9pbAD8D/9jze4pTY83rTtB1igTBSwvkeNlC5gR24zFFkz+2WHLFQhqQ==", + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@babel/generator/-/generator-7.4.0.tgz", + "integrity": "sha512-/v5I+a1jhGSKLgZDcmAUZ4K/VePi43eRkUs3yePW1HB1iANOD5tqJXwGSG4BZhSksP8J9ejSlwGeTiiOFZOrXQ==", "dev": true, "requires": { - "@babel/types": "^7.3.2", + "@babel/types": "^7.4.0", "jsesc": "^2.5.1", - "lodash": "^4.17.10", + "lodash": "^4.17.11", "source-map": "^0.5.0", "trim-right": "^1.0.1" }, @@ -55,12 +55,12 @@ } }, "@babel/helper-split-export-declaration": { - "version": "7.0.0", - "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.0.0.tgz", - "integrity": "sha512-MXkOJqva62dfC0w85mEf/LucPPS/1+04nmmRMPEBUB++hiiThQ2zPtX/mEWQ3mtzCEjIJvPY8nuwxXtQeQwUag==", + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@babel/helper-split-export-declaration/-/helper-split-export-declaration-7.4.0.tgz", + "integrity": "sha512-7Cuc6JZiYShaZnybDmfwhY4UYHzI6rlqhWjaIqbsJGsIqPimEYy5uh3akSRLMg65LSdSEnJ8a8/bWQN6u2oMGw==", "dev": true, "requires": { - "@babel/types": "^7.0.0" + "@babel/types": "^7.4.0" } }, "@babel/highlight": { 
@@ -112,37 +112,37 @@ } }, "@babel/parser": { - "version": "7.3.2", - "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.3.2.tgz", - "integrity": "sha512-QzNUC2RO1gadg+fs21fi0Uu0OuGNzRKEmgCxoLNzbCdoprLwjfmZwzUrpUNfJPaVRwBpDY47A17yYEGWyRelnQ==", + "version": "7.4.2", + "resolved": "https://registry.npmjs.org/@babel/parser/-/parser-7.4.2.tgz", + "integrity": "sha512-9fJTDipQFvlfSVdD/JBtkiY0br9BtfvW2R8wo6CX/Ej2eMuV0gWPk1M67Mt3eggQvBqYW1FCEk8BN7WvGm/g5g==", "dev": true }, "@babel/template": { - "version": "7.2.2", - "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.2.2.tgz", - "integrity": "sha512-zRL0IMM02AUDwghf5LMSSDEz7sBCO2YnNmpg3uWTZj/v1rcG2BmQUvaGU8GhU8BvfMh1k2KIAYZ7Ji9KXPUg7g==", + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@babel/template/-/template-7.4.0.tgz", + "integrity": "sha512-SOWwxxClTTh5NdbbYZ0BmaBVzxzTh2tO/TeLTbF6MO6EzVhHTnff8CdBXx3mEtazFBoysmEM6GU/wF+SuSx4Fw==", "dev": true, "requires": { "@babel/code-frame": "^7.0.0", - "@babel/parser": "^7.2.2", - "@babel/types": "^7.2.2" + "@babel/parser": "^7.4.0", + "@babel/types": "^7.4.0" } }, "@babel/traverse": { - "version": "7.2.3", - "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.2.3.tgz", - "integrity": "sha512-Z31oUD/fJvEWVR0lNZtfgvVt512ForCTNKYcJBGbPb1QZfve4WGH8Wsy7+Mev33/45fhP/hwQtvgusNdcCMgSw==", + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@babel/traverse/-/traverse-7.4.0.tgz", + "integrity": "sha512-/DtIHKfyg2bBKnIN+BItaIlEg5pjAnzHOIQe5w+rHAw/rg9g0V7T4rqPX8BJPfW11kt3koyjAnTNwCzb28Y1PA==", "dev": true, "requires": { "@babel/code-frame": "^7.0.0", - "@babel/generator": "^7.2.2", + "@babel/generator": "^7.4.0", "@babel/helper-function-name": "^7.1.0", - "@babel/helper-split-export-declaration": "^7.0.0", - "@babel/parser": "^7.2.3", - "@babel/types": "^7.2.2", + "@babel/helper-split-export-declaration": "^7.4.0", + "@babel/parser": "^7.4.0", + "@babel/types": "^7.4.0", "debug": "^4.1.0", "globals": "^11.1.0", - 
"lodash": "^4.17.10" + "lodash": "^4.17.11" }, "dependencies": { "debug": { @@ -169,13 +169,13 @@ } }, "@babel/types": { - "version": "7.3.2", - "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.3.2.tgz", - "integrity": "sha512-3Y6H8xlUlpbGR+XvawiH0UXehqydTmNmEpozWcXymqwcrwYAl5KMvKtQ+TF6f6E08V6Jur7v/ykdDSF+WDEIXQ==", + "version": "7.4.0", + "resolved": "https://registry.npmjs.org/@babel/types/-/types-7.4.0.tgz", + "integrity": "sha512-aPvkXyU2SPOnztlgo8n9cEiXW755mgyvueUPcpStqdzoSPm0fjO0vQBjLkt3JKJW7ufikfcnMTTPsN1xaTsBPA==", "dev": true, "requires": { "esutils": "^2.0.2", - "lodash": "^4.17.10", + "lodash": "^4.17.11", "to-fast-properties": "^2.0.0" }, "dependencies": { @@ -1857,19 +1857,24 @@ } }, "identity-com-smart-contracts": { - "version": "github:identity-com/smart-contracts#de66eaa9a4001947f7da5a922c7755686d84f616", + "version": "github:identity-com/smart-contracts#b8fa8e1d36e02f0a77f7c5ed331ddbd6e98e4374", "from": "github:identity-com/smart-contracts", "dev": true, "requires": { "babel-register": "^6.26.0", "bignumber.js": "^4.0.4", "ethereumjs-tx": "^1.3.3", + "js-cache": "^1.0.2", "lodash": "^4.17.4", + "make-error-cause": "^2.0.0", "openzeppelin-solidity": "1.10.0", + "serialize-error": "^2.1.0", "truffle": "^4.1.11", "truffle-artifactor": "^3.0.6", "truffle-contract": "^3.0.2", - "web3": "^0.20.6" + "util.promisify": "^1.0.0", + "web3": "^0.20.6", + "web3admin": "github:identity-com/web3admin#0.0.1" } }, "ignore": { 
@@ -2165,9 +2170,9 @@ "integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls=" }, "js-yaml": { - "version": "3.12.0", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.12.0.tgz", - "integrity": "sha512-PIt2cnwmPfL4hKNwqeiuz4bKfnzHTBv6HyVgjahA6mPLwPDzjDWrplJBMjHUFxku/N3FlmrbyPclad+I+4mJ3A==", + "version": "3.13.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.13.0.tgz", + "integrity": "sha512-pZZoSxcCYco+DIKBTimr67J6Hy+EYGZDY/HCWC+iAEA9h1ByhMXAIVUXMcMFpOCxQ/xjXmPI2MkDL5HRm5eFrQ==", "dev": true, "requires": { "argparse": "^1.0.7", @@ -2760,9 +2765,9 @@ } }, "nyc": { - "version": "13.2.0", - "resolved": "https://registry.npmjs.org/nyc/-/nyc-13.2.0.tgz", - "integrity": "sha512-gQBlOqvfpYt9b2PZ7qElrHWt8x4y8ApNfbMBoDPdl3sY4/4RJwCxDGTSqhA9RnaguZjS5nW7taW8oToe86JLgQ==", + "version": "13.3.0", + "resolved": "https://registry.npmjs.org/nyc/-/nyc-13.3.0.tgz", + "integrity": "sha512-P+FwIuro2aFG6B0Esd9ZDWUd51uZrAEoGutqZxzrVmYl3qSfkLgcQpBPBjtDFsUQLFY1dvTQJPOyeqr8S9GF8w==", "dev": true, "requires": { "archy": "^1.0.0", @@ -2775,10 +2780,10 @@ "glob": "^7.1.3", "istanbul-lib-coverage": "^2.0.3", "istanbul-lib-hook": "^2.0.3", - "istanbul-lib-instrument": "^3.0.1", + "istanbul-lib-instrument": "^3.1.0", "istanbul-lib-report": "^2.0.4", "istanbul-lib-source-maps": "^3.0.2", - "istanbul-reports": "^2.1.0", + "istanbul-reports": "^2.1.1", "make-dir": "^1.3.0", "merge-source-map": "^1.1.0", "resolve-from": "^4.0.0", @@ -2815,11 +2820,11 @@ "dev": true }, "async": { - "version": "2.6.1", + "version": "2.6.2", "bundled": true, "dev": true, "requires": { - "lodash": "^4.17.10" + "lodash": "^4.17.11" } }, "balanced-match": { @@ -2836,11 +2841,6 @@ "concat-map": "0.0.1" } }, - "builtin-modules": { - "version": "1.1.1", - "bundled": true, - "dev": true - }, "caching-transform": { "version": "3.0.1", "bundled": true, @@ -3039,7 +3039,7 @@ "dev": true }, "handlebars": { - "version": "4.0.12", + "version": "4.1.0", "bundled": true, "dev": true, "requires": { 
@@ -3103,14 +3103,6 @@ "bundled": true, "dev": true }, - "is-builtin-module": { - "version": "1.0.0", - "bundled": true, - "dev": true, - "requires": { - "builtin-modules": "^1.0.0" - } - }, "is-fullwidth-code-point": { "version": "2.0.0", "bundled": true, @@ -3179,11 +3171,11 @@ } }, "istanbul-reports": { - "version": "2.1.0", + "version": "2.1.1", "bundled": true, "dev": true, "requires": { - "handlebars": "^4.0.11" + "handlebars": "^4.1.0" } }, "json-parse-better-errors": { @@ -3255,13 +3247,13 @@ } }, "mem": { - "version": "4.0.0", + "version": "4.1.0", "bundled": true, "dev": true, "requires": { "map-age-cleaner": "^0.1.1", "mimic-fn": "^1.0.0", - "p-is-promise": "^1.1.0" + "p-is-promise": "^2.0.0" } }, "merge-source-map": { @@ -3323,12 +3315,12 @@ "dev": true }, "normalize-package-data": { - "version": "2.4.0", + "version": "2.5.0", "bundled": true, "dev": true, "requires": { "hosted-git-info": "^2.1.4", - "is-builtin-module": "^1.0.0", + "resolve": "^1.10.0", "semver": "2 || 3 || 4 || 5", "validate-npm-package-license": "^3.0.1" } @@ -3389,7 +3381,7 @@ "dev": true }, "p-is-promise": { - "version": "1.1.0", + "version": "2.0.0", "bundled": true, "dev": true }, @@ -3449,6 +3441,11 @@ "bundled": true, "dev": true }, + "path-parse": { + "version": "1.0.6", + "bundled": true, + "dev": true + }, "path-type": { "version": "3.0.0", "bundled": true, @@ -3521,6 +3518,14 @@ "bundled": true, "dev": true }, + "resolve": { + "version": "1.10.0", + "bundled": true, + "dev": true, + "requires": { + "path-parse": "^1.0.6" + } + }, "resolve-from": { "version": "4.0.0", "bundled": true, 
@@ -4753,7 +4758,7 @@
 "resolved": "http://registry.npmjs.org/web3/-/web3-0.20.6.tgz",
 "integrity": "sha1-PpcwauAk+yThCj11yIQwJWIhUSA=",
 "requires": {
- "bignumber.js": "git+https://github.com/frozeman/bignumber.js-nolookahead.git#57692b3ecfc98bbdd6b3a516cb2353652ea49934",
+ "bignumber.js": "git+https://github.com/frozeman/bignumber.js-nolookahead.git",
 "crypto-js": "^3.1.4",
 "utf8": "^2.1.1",
 "xhr2": "*",
@@ -4881,7 +4886,7 @@
 "resolved": "https://registry.npmjs.org/web3/-/web3-0.20.7.tgz",
 "integrity": "sha512-VU6/DSUX93d1fCzBz7WP/SGCQizO1rKZi4Px9j/3yRyfssHyFcZamMw2/sj4E8TlfMXONvZLoforR8B4bRoyTQ==",
 "requires": {
- "bignumber.js": "git+https://github.com/frozeman/bignumber.js-nolookahead.git#57692b3ecfc98bbdd6b3a516cb2353652ea49934",
+ "bignumber.js": "git+https://github.com/frozeman/bignumber.js-nolookahead.git",
 "crypto-js": "^3.1.4",
 "utf8": "^2.1.1",
 "xhr2-cookies": "^1.1.0",
diff --git a/package.json b/package.json
index ce01f6b..f99bac0 100644
--- a/package.json
+++ b/package.json
@@ -74,7 +74,7 @@
 "mocha": "^4.1.0",
 "node-fetch": "^2.3.0",
 "npm-run-all": "^4.1.5",
- "nyc": "^13.2.0",
+ "nyc": "^13.3.0",
 "prettier": "1.10.2",
 "proxyquire": "^2.1.0",
 "sinon": "^6.0.1",
diff --git a/src/support/nonce/accountInspector.js b/src/support/nonce/accountInspector.js
index 324e8ec..86c0b43 100644
--- a/src/support/nonce/accountInspector.js
+++ b/src/support/nonce/accountInspector.js
@@ -1,3 +1,4 @@
+const ethUtil = require('ethereumjs-util');
 const util = require('util');
 
 module.exports = class AccountInspector {
@@ -46,9 +47,10 @@ module.exports = class AccountInspector {
 }
 return reject(error);
 }
+ const checksummedAddress = ethUtil.toChecksumAddress(address);
 return resolve({
- pending: result.pending[address] || {},
- queued: result.queued[address] || {}
+ pending: result.pending[checksummedAddress] || {},
+ queued: result.queued[checksummedAddress] || {}
 });
 });
 });
diff --git a/test/nonce.js b/test/nonce.js
index 0b75fc7..2ae5aa9 100644
--- a/test/nonce.js
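Review bot: `ethUtil.toChecksumAddress(address)` runs inside the `txpool.inspect` callback, so if it throws on a malformed `address` the error escapes the callback instead of rejecting the promise that the surrounding `resolve`/`reject` calls belong to; the enclosing method starts outside the hunk, so the promise wrapper is inferred from those calls. Guarding it keeps the failure on the path callers already handle, `let checksummedAddress; try { checksummedAddress = ethUtil.toChecksumAddress(address); } catch (err) { return reject(err); }`, or, if the method body permits, normalize once before calling `inspect` so a bad address fails fast without a round trip to the node. A short why-comment on the new line would also help a reader, e.g. `// txpool keys are EIP-55 checksummed; normalize so lowercase input still matches`; that assumption about the key format is only established by the test fixture, so confirm it against the node's actual txpool output.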
+++ b/test/nonce.js
@@ -2,8 +2,11 @@
 const chai = require('chai');
 const sinon = require('sinon');
 const util = require('../src/support/nonce/util');
+const ethUtil = require('ethereumjs-util');
 const AccountInspector = require('../src/support/nonce/accountInspector');
 const InMemoryNonceManager = require('../src/support/nonce/inmemory');
+const Web3 = require('web3');
+const FakeProvider = require('web3-fake-provider');
 const _ = require('lodash');
 
 chai.use(require('chai-as-promised'));
@@ -136,4 +139,50 @@ describe('nonce management', () => {
 expect(nextNonce).to.be.equal(nonce, 'must be the same nonce, because account store was cleared');
 });
 });
+
+ describe('account inspector', () => {
+ let accountInspector;
+ const address1 = '0x123ABC';
+ const address2 = '0x321CBA';
+ const address1Checksummed = ethUtil.toChecksumAddress(address1);
+ const address2Checksummed = ethUtil.toChecksumAddress(address2);
+
+ const txPool = {
+ pending: {
+ [address1Checksummed]: {
+ 10: 'tx'
+ },
+ [address2Checksummed]: {
+ 10: 'tx'
+ }
+ },
+ queued: {
+ [address1Checksummed]: {
+ 12: 'tx'
+ }
+ }
+ };
+
+ beforeEach(() => {
+ const web3 = new Web3(new FakeProvider());
+ web3.txpool = { inspect: cb => cb(null, txPool) };
+ accountInspector = new AccountInspector(web3);
+ });
+
+ it('should inspect tx pool for non-checksummed addresses', async () => {
+ const accountTxPool = await accountInspector.inspectTxPool(address1);
+ expect(accountTxPool).to.deep.equal({
+ pending: txPool.pending[address1Checksummed] || {},
+ queued: txPool.queued[address1Checksummed] || {}
+ });
+ });
+
+ it('should inspect tx pool for checksummed addresses', async () => {
+ const accountTxPool = await accountInspector.inspectTxPool(address2Checksummed);
+ expect(accountTxPool).to.deep.equal({
+ pending: txPool.pending[address2Checksummed] || {},
+ queued: txPool.queued[address2Checksummed] || {}
+ });
+ });
+ });
 });
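Review bot: The expected values in both new `it` blocks are derived from the same `txPool` fixture with the same `|| {}` fallback the implementation uses, so the assertions largely restate the code under test instead of pinning concrete results; spelling them out, e.g. `expect(accountTxPool).to.deep.equal({ pending: { 10: 'tx' }, queued: { 12: 'tx' } });` for `address1`, makes a regression visible. The `|| {}` fallback itself is never exercised, since both addresses are present in `pending`; a third case with a constructed address absent from the fixture would cover it, as below. The enclosing `describe('nonce management')` starts outside the hunk.
```javascript
    // … unchanged: existing 'account inspector' cases …
    it('should return empty pending and queued maps for an address missing from the pool', async () => {
      // constructed sample address, deliberately absent from the txPool fixture
      const accountTxPool = await accountInspector.inspectTxPool('0xabc321');
      expect(accountTxPool).to.deep.equal({ pending: {}, queued: {} });
    });
```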