chore(audit)_: Added fail conditions for malformed string ints

resolves status-im/least-authority-audit#13
status-im · Feb 5, 2025 · 37cf705 · 37cf705
1 parent 0526d18
commit 37cf705
Show file tree

Hide file tree

Showing 6 changed files with 44 additions and 14 deletions.
diff --git a/common/errors.go b/common/errors.go
@@ -0,0 +1,7 @@
+package common
+
+import "fmt"
+
+var (
+	ErrBigIntSetFromString = func(val string) error { return fmt.Errorf("failed to set big.Int balance from string '%s'", val) }
+)
diff --git a/protocol/identity/utils.go b/protocol/identity/utils.go
@@ -37,7 +37,7 @@ func toBigBaseImpl(value *big.Int, base uint64, res *[](uint64)) {
 	*res = append(*res, new(big.Int).Mod(value, bigBase).Uint64())
 }
 
-// compressedPubKey = |1.5 bytes chars cutoff|20 bytes emoji hash|10 bytes color hash|1.5 bytes chars cutoff|
+// Slices compressedPubKey = |1.5 bytes chars cutoff|20 bytes emoji hash|10 bytes color hash|1.5 bytes chars cutoff|
 func Slices(compressedPubkey []byte) (res [4][]byte, err error) {
 	if len(compressedPubkey) != 33 {
 		return res, errors.New("incorrect compressed pubkey")

diff --git a/services/wallet/activity/details.go b/services/wallet/activity/details.go
@@ -13,6 +13,7 @@ import (
 	eth "github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
 	"github.com/ethereum/go-ethereum/core/types"
+	statuscommon "github.com/status-im/status-go/common"
 	"github.com/status-im/status-go/services/wallet/common"
 	"github.com/status-im/status-go/sqlite"
 )
@@ -130,8 +131,11 @@ func getMultiTxDetails(ctx context.Context, db *sql.DB, multiTxID int) (*EntryDe
 			maxFeePerGas = (*hexutil.Big)(tx.GasFeeCap())
 			gasLimit = tx.Gas()
 			if baseGasFees != nil {
-				baseGasFees, _ := new(big.Int).SetString(*baseGasFees, 0)
-				totalFees = (*hexutil.Big)(getTotalFees(tx, baseGasFees))
+				baseGasFeesInt, ok := new(big.Int).SetString(*baseGasFees, 0)
+				if !ok {
+					return nil, statuscommon.ErrBigIntSetFromString(*baseGasFees)
+				}
+				totalFees = (*hexutil.Big)(getTotalFees(tx, baseGasFeesInt))
 			}
 		}
 	}
@@ -214,8 +218,11 @@ func getTxDetails(ctx context.Context, db *sql.DB, id string) (*EntryDetails, er
 		details.Input = "0x" + hex.EncodeToString(tx.Data())
 		details.MaxFeePerGas = (*hexutil.Big)(tx.GasFeeCap())
 		details.GasLimit = tx.Gas()
-		baseGasFees, _ := new(big.Int).SetString(baseGasFees, 0)
-		details.TotalFees = (*hexutil.Big)(getTotalFees(tx, baseGasFees))
+		baseGasFeesInt, ok := new(big.Int).SetString(baseGasFees, 0)
+		if !ok {
+			return nil, statuscommon.ErrBigIntSetFromString(baseGasFees)
+		}
+		details.TotalFees = (*hexutil.Big)(getTotalFees(tx, baseGasFeesInt))
 	}
 
 	return details, nil

diff --git a/services/wallet/reader.go b/services/wallet/reader.go
@@ -317,7 +317,7 @@ func (r *Reader) isBalanceUpdateNeededAnyway(clients map[uint64]chain.ClientInte
 	return updateAnyway
 }
 
-func tokensToBalancesPerChain(cachedTokens map[common.Address][]token.StorageToken) map[uint64]map[common.Address]map[common.Address]*hexutil.Big {
+func tokensToBalancesPerChain(cachedTokens map[common.Address][]token.StorageToken) (map[uint64]map[common.Address]map[common.Address]*hexutil.Big, error) {
 	cachedBalancesPerChain := map[uint64]map[common.Address]map[common.Address]*hexutil.Big{}
 	for address, tokens := range cachedTokens {
 		for _, token := range tokens {
@@ -329,13 +329,16 @@ func tokensToBalancesPerChain(cachedTokens map[common.Address][]token.StorageTok
 					cachedBalancesPerChain[balance.ChainID][address] = map[common.Address]*hexutil.Big{}
 				}
 
-				bigBalance, _ := new(big.Int).SetString(balance.RawBalance, 10)
+				bigBalance, ok := new(big.Int).SetString(balance.RawBalance, 10)
+				if !ok {
+					return nil, gocommon.ErrBigIntSetFromString(balance.RawBalance)
+				}
 				cachedBalancesPerChain[balance.ChainID][address][balance.Address] = (*hexutil.Big)(bigBalance)
 			}
 		}
 	}
 
-	return cachedBalancesPerChain
+	return cachedBalancesPerChain, nil
 }
 
 func (r *Reader) fetchBalances(ctx context.Context, clients map[uint64]chain.ClientInterface, addresses []common.Address, tokenAddresses []common.Address) (map[uint64]map[common.Address]map[common.Address]*hexutil.Big, error) {
@@ -566,6 +569,10 @@ func (r *Reader) GetCachedBalances(clients map[uint64]chain.ClientInterface, add
 		connectedPerChain[chainID] = client.IsConnected()
 	}
 
-	balances := tokensToBalancesPerChain(cachedTokens)
+	balances, err := tokensToBalancesPerChain(cachedTokens)
+	if err != nil {
+		return nil, err
+	}
+
 	return r.balancesToTokensByAddress(connectedPerChain, addresses, allTokens, balances, cachedTokens), nil
 }
diff --git a/services/wallet/router/fees/estimated_time.go b/services/wallet/router/fees/estimated_time.go
@@ -6,6 +6,8 @@ import (
 	"math/big"
 	"sort"
 	"strings"
+
+	"github.com/status-im/status-go/common"
 )
 
 const inclusionThreshold = 0.95
@@ -103,10 +105,13 @@ func (f *FeeManager) estimatedTime(feeHistory *FeeHistory, maxFeePerGas *big.Int
 }
 
 func (f *FeeManager) getFeeHistorySorted(feeHistory *FeeHistory) ([]*big.Int, error) {
-	fees := []*big.Int{}
+	var fees []*big.Int
 	for _, fee := range feeHistory.BaseFeePerGas {
 		i := new(big.Int)
-		i.SetString(strings.Replace(fee, "0x", "", 1), 16)
+		_, ok := i.SetString(strings.Replace(fee, "0x", "", 1), 16)
+		if !ok {
+			return nil, common.ErrBigIntSetFromString(fee)
+		}
 		fees = append(fees, i)
 	}
 

diff --git a/services/wallet/router/pathprocessor/processor_bridge_celar.go b/services/wallet/router/pathprocessor/processor_bridge_celar.go
@@ -17,12 +17,13 @@ import (
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/common/hexutil"
 	ethTypes "github.com/ethereum/go-ethereum/core/types"
+
 	"github.com/status-im/status-go/account"
+	statuscommon "github.com/status-im/status-go/common"
 	"github.com/status-im/status-go/contracts/celer"
 	"github.com/status-im/status-go/eth-node/types"
-	"github.com/status-im/status-go/rpc"
-
 	"github.com/status-im/status-go/params"
+	"github.com/status-im/status-go/rpc"
 	"github.com/status-im/status-go/services/utils"
 	walletCommon "github.com/status-im/status-go/services/wallet/common"
 	"github.com/status-im/status-go/services/wallet/router/pathprocessor/cbridge"
@@ -455,6 +456,9 @@ func (s *CelerBridgeProcessor) CalculateAmountOut(params ProcessorInputParams) (
 	if amt.Err != nil {
 		return nil, createBridgeCellerErrorResponse(err)
 	}
-	amountOut, _ := new(big.Int).SetString(amt.EqValueTokenAmt, 10)
+	amountOut, ok := new(big.Int).SetString(amt.EqValueTokenAmt, 10)
+	if !ok {
+		return nil, statuscommon.ErrBigIntSetFromString(amt.EqValueTokenAmt)
+	}
 	return amountOut, nil
 }