Skip to content

Experiment/trezor#824

Merged
ByteZhang1024 merged 1 commit into
onekeyfrom
experiment/trezor
Jul 10, 2026
Merged

Experiment/trezor#824
ByteZhang1024 merged 1 commit into
onekeyfrom
experiment/trezor

Conversation

@ByteZhang1024

Copy link
Copy Markdown
Contributor

No description provided.

@revan-zhang

revan-zhang commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Comment thread packages/hwk-trezor-utils/src/extractUrlsFromText.ts Dismissed
Comment thread packages/hwk-trezor-utils/src/sanitizeFilename.ts Dismissed
@socket-security

socket-security Bot commented Jun 15, 2026

Copy link
Copy Markdown

Comment thread packages/hwk-trezor-connector/src/chains/ethereumDefinitions.ts Outdated
Comment thread packages/hwk-trezor-connector/src/chains/sol.ts Outdated
Comment thread packages/hwk-trezor-transport/src/sessions/background-browser.ts
Comment thread packages/hwk-trezor-transport/src/sessions/background.ts
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
…ezor.io

Per PR #824 review: EVM chain methods must not silently reach a third-party
network. Remove every internal globalThis.fetch to data.trezor.io:
- evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no
  longer downloads a network definition; it only forwards caller-provided
  ethereumDefinitions (now synchronous).
- evmSignTransaction: drop the definition preload before EthereumSignTx.
- processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with
  empty definitions instead of fetching, so signing still completes (device
  falls back to a generic confirmation screen).

Definitions stay fully supported via caller injection: the exported
./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*)
let callers fetch through their own controlled channel and pass the result in.
Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
…a.trezor.io

Per PR #824 review (same as the EVM fix): solSignTransaction no longer
downloads a token definition from data.trezor.io when the caller passes
tokenAccountsInfos without encodedToken. Token definitions are caller-injected
only — when omitted the device shows a generic token confirmation screen.
Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the
app only depends on transitively) into hwk-trezor-adapter (a direct dependency),
and add a matching Solana helper, so the app can import and drive them:

- hwk-trezor-adapter now exports fetchEthereumDefinitions /
  buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx /
  getSlip44FromPath and fetchSolanaTokenDefinition (+ their types).
- Add a baseUrl option to all of them (default data.trezor.io) so callers can
  route through their own controlled proxy — a serializable string, unlike
  fetchImpl which is a function and must not cross an IPC boundary.
- Remove the helpers + their re-exports from hwk-trezor-connector; the signing
  path already doesn't use them (PR #824). Migrate the tests into the adapter
  and add baseUrl + Solana coverage.

These are opt-in utilities — no signing/address method calls them. Callers fetch
(in a network-capable process) and pass only the resulting bytes into the sign
params (ethereumDefinitions / additionalInfo.encodedToken).
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
…ezor.io

Per PR #824 review: EVM chain methods must not silently reach a third-party
network. Remove every internal globalThis.fetch to data.trezor.io:
- evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no
  longer downloads a network definition; it only forwards caller-provided
  ethereumDefinitions (now synchronous).
- evmSignTransaction: drop the definition preload before EthereumSignTx.
- processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with
  empty definitions instead of fetching, so signing still completes (device
  falls back to a generic confirmation screen).

Definitions stay fully supported via caller injection: the exported
./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*)
let callers fetch through their own controlled channel and pass the result in.
Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
…a.trezor.io

Per PR #824 review (same as the EVM fix): solSignTransaction no longer
downloads a token definition from data.trezor.io when the caller passes
tokenAccountsInfos without encodedToken. Token definitions are caller-injected
only — when omitted the device shows a generic token confirmation screen.
Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
ByteZhang1024 added a commit that referenced this pull request Jul 1, 2026
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the
app only depends on transitively) into hwk-trezor-adapter (a direct dependency),
and add a matching Solana helper, so the app can import and drive them:

- hwk-trezor-adapter now exports fetchEthereumDefinitions /
  buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx /
  getSlip44FromPath and fetchSolanaTokenDefinition (+ their types).
- Add a baseUrl option to all of them (default data.trezor.io) so callers can
  route through their own controlled proxy — a serializable string, unlike
  fetchImpl which is a function and must not cross an IPC boundary.
- Remove the helpers + their re-exports from hwk-trezor-connector; the signing
  path already doesn't use them (PR #824). Migrate the tests into the adapter
  and add baseUrl + Solana coverage.

These are opt-in utilities — no signing/address method calls them. Callers fetch
(in a network-capable process) and pass only the resulting bytes into the sign
params (ethereumDefinitions / additionalInfo.encodedToken).
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-adapter/src/utils/solanaTokenDefinition.ts
Comment thread packages/hwk-trezor-transport/src/transports/webusb.browser.ts
Comment thread packages/hwk-trezor-transport/src/sessions/background-browser.ts
Comment thread packages/hwk-trezor-transport/src/sessions/background.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-transport/src/sessions/background-browser.ts
Comment thread packages/hwk-trezor-transport/src/sessions/background.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-connector/src/chains/evm.ts
Comment thread packages/hwk-trezor-connector/src/index.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-connector/src/chains/evm.ts
Comment thread packages/hwk-trezor-connector/src/index.ts
ByteZhang1024 added a commit that referenced this pull request Jul 6, 2026
…ezor.io

Per PR #824 review: EVM chain methods must not silently reach a third-party
network. Remove every internal globalThis.fetch to data.trezor.io:
- evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no
  longer downloads a network definition; it only forwards caller-provided
  ethereumDefinitions (now synchronous).
- evmSignTransaction: drop the definition preload before EthereumSignTx.
- processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with
  empty definitions instead of fetching, so signing still completes (device
  falls back to a generic confirmation screen).

Definitions stay fully supported via caller injection: the exported
./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*)
let callers fetch through their own controlled channel and pass the result in.
Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
ByteZhang1024 added a commit that referenced this pull request Jul 6, 2026
…a.trezor.io

Per PR #824 review (same as the EVM fix): solSignTransaction no longer
downloads a token definition from data.trezor.io when the caller passes
tokenAccountsInfos without encodedToken. Token definitions are caller-injected
only — when omitted the device shows a generic token confirmation screen.
Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
ByteZhang1024 added a commit that referenced this pull request Jul 6, 2026
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the
app only depends on transitively) into hwk-trezor-adapter (a direct dependency),
and add a matching Solana helper, so the app can import and drive them:

- hwk-trezor-adapter now exports fetchEthereumDefinitions /
  buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx /
  getSlip44FromPath and fetchSolanaTokenDefinition (+ their types).
- Add a baseUrl option to all of them (default data.trezor.io) so callers can
  route through their own controlled proxy — a serializable string, unlike
  fetchImpl which is a function and must not cross an IPC boundary.
- Remove the helpers + their re-exports from hwk-trezor-connector; the signing
  path already doesn't use them (PR #824). Migrate the tests into the adapter
  and add baseUrl + Solana coverage.

These are opt-in utilities — no signing/address method calls them. Callers fetch
(in a network-capable process) and pass only the resulting bytes into the sign
params (ethereumDefinitions / additionalInfo.encodedToken).
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-connector/src/chains/evm.ts
Comment thread packages/hwk-trezor-connector/src/index.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/hwk-trezor-adapter/src/adapter/TrezorAdapter.ts
Comment thread packages/hwk-trezor-adapter/src/utils/ethereumDefinitions.ts
Comment thread packages/shared/src/constants.ts
@ByteZhang1024 ByteZhang1024 merged commit 2787f01 into onekey Jul 10, 2026
9 checks passed
@ByteZhang1024 ByteZhang1024 deleted the experiment/trezor branch July 10, 2026 08:06
requiresWalletIntent: boolean
): Promise<Response<T>> {
const call = TrezorAdapter._normalizeCallArgs(connectId, deviceId, params);
debugLog('[TrezorAdapter][REQ]', {

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里每次调用前都会把 call.params 打进公共 onSdkEvent 日志。触发条件就是正常调用 btcSignMessageevmSignTypedDatasignTx 之类的钱包方法;当前 _sanitizeForLog() 只屏蔽了 passphrasepincredential 等少数字段,消息正文、地址、公钥、typed-data、交易 payload 和返回签名结果都会继续被串成字符串发给宿主 listener。

结果是只要接了这个调试 API,正常签名数据就会落到 IPC、控制台或埋点系统里,不是仅限异常路径。这里需要把 payload 级日志收紧成 allowlist 摘要,至少不要再输出完整 params / response.payload

chainId,
slip44,
contractAddress,
baseUrl = DEFAULT_ETHEREUM_DEFINITIONS_BASE_URL,

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里把 baseUrl 直接作为 public fetch helper 的下载入口,默认还会直连 https://data.trezor.io。触发条件是宿主调用 definitions helper,或者把 baseUrl 做成配置项;一旦这样接入,SDK 就会新增一条不经过仓库现有白名单层的外联请求。

更危险的是,下面的 contractAddress(以及 Solana helper 里的 tokenMint)会被直接拼进 URL path,没有 host allowlist、没有 path 编码,也没有严格格式校验。结果就是上层参数可以把这个 helper 变成任意主机 / 任意路径的下载器,而不是受控的 definitions 获取能力。

这里需要把 definitions 下载收回到现有受控网络层,至少先限制 host 白名单,再对动态 path 片段做严格校验和编码。

);
const hasSerialNumber = typeof dev.serialNumber === 'string' && dev.serialNumber.length > 0;
return isOneKey && hasSerialNumber;
return isOneKey && hasSerialNumber && !isKnownTrezorWebUsbDevice(dev);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

这里的新过滤只覆盖 getDevices() 枚举分支。触发条件是用户第一次在 WebUSB chooser 里选择一台共享 VID/PID 的 Trezor:上面的 promptDeviceAccess() 仍然只用 ONEKEY_WEBUSB_FILTER 直接拿回设备,而 PromptWebDeviceAccess 会把这个 USBDevice 原样塞给 DevicePool.getDevices() 走 OneKey 初始化。

结果是 Trezor 仍然能从授权/连接路径进入 OneKey transport,直到后面的协议初始化才失败,所以共存策略在首次授权路径上还是 fail-open。这里需要在 requestDevice() 返回后复用同一套品牌校验,不能只在 getDevices() 枚举分支过滤。

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants