chore: security hardening (#33)

ExodusMovement · Jan 24, 2024 · af8ce4f · af8ce4f
1 parent 8e91cce
commit af8ce4f
Show file tree

Hide file tree

Showing 9 changed files with 21 additions and 11 deletions.
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -0,0 +1,3 @@
+/.github/ @ExodusMovement/auditors
+/.github/*.md
+/.github/SECURITY.md @ExodusMovement/auditors
diff --git a/.github/workflows/asana.yaml b/.github/workflows/asana.yaml
@@ -1,9 +1,13 @@
 name: Asana
+
 on:
   issues:
     types: [opened, closed, edited]
   pull_request:
     types: [opened, closed, edited]
+
+permissions: {}
+
 jobs:
   link:
     name: Link

diff --git a/.github/workflows/checks.yaml b/.github/workflows/checks.yaml
@@ -11,6 +11,9 @@ on:
     branches:
       - master # Keeps the action's cache up-to-date to be shared with PRs
 
+permissions:
+  contents: read
+
 env:
   DISABLE_NX_CACHE: ${{ contains(github.event.pull_request.labels.*.name, 'disable-nx-cache') && 'yes' || 'no' }}
 

diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -50,7 +50,7 @@ jobs:
         # Prefix the list here with "+" to use these queries and those in the config file.
 
         # Details on CodeQL's query packs refer to : https://docs.github.com/en/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/configuring-code-scanning#using-queries-in-ql-packs
-        # queries: security-extended,security-and-quality
+        queries: security-extended,security-and-quality
 
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, Go, or Java).

diff --git a/features/keychain/module/__tests__/example.integration-test.js b/features/keychain/module/__tests__/example.integration-test.js
@@ -16,7 +16,7 @@ const { solana: asset } = connectAssetsList(solanaAssets)
 
 const keychain = keychainDefinition.factory({
   logger: console,
-  legacyPrivToPub: {},
+  legacyPrivToPub: Object.create(null),
 })
 
 keychain.unlock({ seed })
@@ -43,7 +43,7 @@ const BOB_KEY = new KeyIdentifier({
 test('unlock', async () => {
   const keychain = keychainDefinition.factory({
     logger: console,
-    legacyPrivToPub: {},
+    legacyPrivToPub: Object.create(null),
   })
 
   await expect(keychain.exportKey(solanaKeyId)).rejects.toThrow()
@@ -56,7 +56,7 @@ test('unlock', async () => {
 test('lock', async () => {
   const keychain = keychainDefinition.factory({
     logger: console,
-    legacyPrivToPub: {},
+    legacyPrivToPub: Object.create(null),
   })
 
   keychain.unlock({ seed })

diff --git a/features/keychain/module/__tests__/key-identifier.test.js b/features/keychain/module/__tests__/key-identifier.test.js
@@ -5,7 +5,7 @@ describe('KeyIdentifier', () => {
     const failures = [
       null,
       undefined,
-      {},
+      Object.create(null),
       // Missing parameters
 
       {

diff --git a/features/keychain/module/__tests__/keychain.integration-test.js b/features/keychain/module/__tests__/keychain.integration-test.js
@@ -233,7 +233,7 @@ describe.each([
           keyType: 'secp256k1',
         }),
       ]
-      const unsignedTx = {}
+      const unsignedTx = Object.create(null)
 
       await keychain.signTx(
         keyIds,

diff --git a/features/keychain/module/keychain.js b/features/keychain/module/keychain.js
@@ -26,7 +26,7 @@ export class Keychain extends ExodusModule {
   #legacyPrivToPub = null
 
   // TODO: remove default param. Use it temporarily for backward compatibility.
-  constructor({ legacyPrivToPub = {}, logger }) {
+  constructor({ legacyPrivToPub = Object.create(null), logger }) {
     super({ name: MODULE_ID, logger })
 
     throwIfInvalidLegacyPrivToPub(legacyPrivToPub)
@@ -62,7 +62,7 @@ export class Keychain extends ExodusModule {
     return this.#masters[derivationAlgorithm].derive(derivationPath)
   }
 
-  async exportKey(keyId, { exportPrivate } = {}) {
+  async exportKey(keyId, { exportPrivate } = Object.create(null)) {
     const hdkey = this.#getPrivateHDKey(keyId)
     const privateKey = hdkey.privateKey
     let publicKey = hdkey.publicKey
@@ -128,7 +128,7 @@ export class Keychain extends ExodusModule {
   }
 }
 
-const createKeychain = (args = {}) => new Keychain({ ...args })
+const createKeychain = (args = Object.create(null)) => new Keychain({ ...args })
 
 // eslint-disable-next-line @exodus/export-default/named
 export default {

diff --git a/features/keychain/module/memoized-keychain.js b/features/keychain/module/memoized-keychain.js
@@ -12,14 +12,14 @@ const getPublicKeyData = ({ xpub, publicKey }) => ({ xpub, publicKey })
 
 class MemoizedKeychain extends Keychain {
   #storage
-  #publicKeys = {}
+  #publicKeys = Object.create(null)
   #cloneOpts
   constructor({ storage, logger }) {
     super({ id: MODULE_ID, logger })
 
     this.#storage = storage
     this.#storage.get(CACHE_KEY).then((data) => {
-      this.#publicKeys = data ? BJSON.parse(data) : {}
+      this.#publicKeys = data ? BJSON.parse(data) : Object.create(null)
     })
 
     this.#cloneOpts = { storage, logger }