Experiment/trezor#824
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
…ezor.io Per PR #824 review: EVM chain methods must not silently reach a third-party network. Remove every internal globalThis.fetch to data.trezor.io: - evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no longer downloads a network definition; it only forwards caller-provided ethereumDefinitions (now synchronous). - evmSignTransaction: drop the definition preload before EthereumSignTx. - processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with empty definitions instead of fetching, so signing still completes (device falls back to a generic confirmation screen). Definitions stay fully supported via caller injection: the exported ./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*) let callers fetch through their own controlled channel and pass the result in. Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
…a.trezor.io Per PR #824 review (same as the EVM fix): solSignTransaction no longer downloads a token definition from data.trezor.io when the caller passes tokenAccountsInfos without encodedToken. Token definitions are caller-injected only — when omitted the device shows a generic token confirmation screen. Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the app only depends on transitively) into hwk-trezor-adapter (a direct dependency), and add a matching Solana helper, so the app can import and drive them: - hwk-trezor-adapter now exports fetchEthereumDefinitions / buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx / getSlip44FromPath and fetchSolanaTokenDefinition (+ their types). - Add a baseUrl option to all of them (default data.trezor.io) so callers can route through their own controlled proxy — a serializable string, unlike fetchImpl which is a function and must not cross an IPC boundary. - Remove the helpers + their re-exports from hwk-trezor-connector; the signing path already doesn't use them (PR #824). Migrate the tests into the adapter and add baseUrl + Solana coverage. These are opt-in utilities — no signing/address method calls them. Callers fetch (in a network-capable process) and pass only the resulting bytes into the sign params (ethereumDefinitions / additionalInfo.encodedToken).
…ezor.io Per PR #824 review: EVM chain methods must not silently reach a third-party network. Remove every internal globalThis.fetch to data.trezor.io: - evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no longer downloads a network definition; it only forwards caller-provided ethereumDefinitions (now synchronous). - evmSignTransaction: drop the definition preload before EthereumSignTx. - processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with empty definitions instead of fetching, so signing still completes (device falls back to a generic confirmation screen). Definitions stay fully supported via caller injection: the exported ./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*) let callers fetch through their own controlled channel and pass the result in. Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
2386aa4 to
1cfb6a0
Compare
…a.trezor.io Per PR #824 review (same as the EVM fix): solSignTransaction no longer downloads a token definition from data.trezor.io when the caller passes tokenAccountsInfos without encodedToken. Token definitions are caller-injected only — when omitted the device shows a generic token confirmation screen. Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the app only depends on transitively) into hwk-trezor-adapter (a direct dependency), and add a matching Solana helper, so the app can import and drive them: - hwk-trezor-adapter now exports fetchEthereumDefinitions / buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx / getSlip44FromPath and fetchSolanaTokenDefinition (+ their types). - Add a baseUrl option to all of them (default data.trezor.io) so callers can route through their own controlled proxy — a serializable string, unlike fetchImpl which is a function and must not cross an IPC boundary. - Remove the helpers + their re-exports from hwk-trezor-connector; the signing path already doesn't use them (PR #824). Migrate the tests into the adapter and add baseUrl + Solana coverage. These are opt-in utilities — no signing/address method calls them. Callers fetch (in a network-capable process) and pass only the resulting bytes into the sign params (ethereumDefinitions / additionalInfo.encodedToken).
…ezor.io Per PR #824 review: EVM chain methods must not silently reach a third-party network. Remove every internal globalThis.fetch to data.trezor.io: - evmGetAddress/evmSignMessage/evmSignTypedData: resolveEvmDefinitions no longer downloads a network definition; it only forwards caller-provided ethereumDefinitions (now synchronous). - evmSignTransaction: drop the definition preload before EthereumSignTx. - processDefinitionRequest: ack a device-driven EthereumDefinitionRequest with empty definitions instead of fetching, so signing still completes (device falls back to a generic confirmation screen). Definitions stay fully supported via caller injection: the exported ./ethereumDefinitions helpers (fetchEthereumDefinitions / buildEthereumDefinitions*) let callers fetch through their own controlled channel and pass the result in. Rewrite the 5 EVM definition tests to assert no fetch + caller-injected only.
…a.trezor.io Per PR #824 review (same as the EVM fix): solSignTransaction no longer downloads a token definition from data.trezor.io when the caller passes tokenAccountsInfos without encodedToken. Token definitions are caller-injected only — when omitted the device shows a generic token confirmation screen. Remove fetchSolanaTokenDefinition + its base URL; update the two Solana tests.
Move the Ethereum definition helpers out of hwk-trezor-connector (a package the app only depends on transitively) into hwk-trezor-adapter (a direct dependency), and add a matching Solana helper, so the app can import and drive them: - hwk-trezor-adapter now exports fetchEthereumDefinitions / buildEthereumDefinitionsForPath / buildEthereumDefinitionsForSignTx / getSlip44FromPath and fetchSolanaTokenDefinition (+ their types). - Add a baseUrl option to all of them (default data.trezor.io) so callers can route through their own controlled proxy — a serializable string, unlike fetchImpl which is a function and must not cross an IPC boundary. - Remove the helpers + their re-exports from hwk-trezor-connector; the signing path already doesn't use them (PR #824). Migrate the tests into the adapter and add baseUrl + Solana coverage. These are opt-in utilities — no signing/address method calls them. Callers fetch (in a network-capable process) and pass only the resulting bytes into the sign params (ethereumDefinitions / additionalInfo.encodedToken).
c278843 to
546c2b7
Compare
0eecbb6 to
0592166
Compare
| requiresWalletIntent: boolean | ||
| ): Promise<Response<T>> { | ||
| const call = TrezorAdapter._normalizeCallArgs(connectId, deviceId, params); | ||
| debugLog('[TrezorAdapter][REQ]', { |
There was a problem hiding this comment.
这里每次调用前都会把 call.params 打进公共 onSdkEvent 日志。触发条件就是正常调用 btcSignMessage、evmSignTypedData、signTx 之类的钱包方法;当前 _sanitizeForLog() 只屏蔽了 passphrase、pin、credential 等少数字段,消息正文、地址、公钥、typed-data、交易 payload 和返回签名结果都会继续被串成字符串发给宿主 listener。
结果是只要接了这个调试 API,正常签名数据就会落到 IPC、控制台或埋点系统里,不是仅限异常路径。这里需要把 payload 级日志收紧成 allowlist 摘要,至少不要再输出完整 params / response.payload。
| chainId, | ||
| slip44, | ||
| contractAddress, | ||
| baseUrl = DEFAULT_ETHEREUM_DEFINITIONS_BASE_URL, |
There was a problem hiding this comment.
这里把 baseUrl 直接作为 public fetch helper 的下载入口,默认还会直连 https://data.trezor.io。触发条件是宿主调用 definitions helper,或者把 baseUrl 做成配置项;一旦这样接入,SDK 就会新增一条不经过仓库现有白名单层的外联请求。
更危险的是,下面的 contractAddress(以及 Solana helper 里的 tokenMint)会被直接拼进 URL path,没有 host allowlist、没有 path 编码,也没有严格格式校验。结果就是上层参数可以把这个 helper 变成任意主机 / 任意路径的下载器,而不是受控的 definitions 获取能力。
这里需要把 definitions 下载收回到现有受控网络层,至少先限制 host 白名单,再对动态 path 片段做严格校验和编码。
| ); | ||
| const hasSerialNumber = typeof dev.serialNumber === 'string' && dev.serialNumber.length > 0; | ||
| return isOneKey && hasSerialNumber; | ||
| return isOneKey && hasSerialNumber && !isKnownTrezorWebUsbDevice(dev); |
There was a problem hiding this comment.
这里的新过滤只覆盖 getDevices() 枚举分支。触发条件是用户第一次在 WebUSB chooser 里选择一台共享 VID/PID 的 Trezor:上面的 promptDeviceAccess() 仍然只用 ONEKEY_WEBUSB_FILTER 直接拿回设备,而 PromptWebDeviceAccess 会把这个 USBDevice 原样塞给 DevicePool.getDevices() 走 OneKey 初始化。
结果是 Trezor 仍然能从授权/连接路径进入 OneKey transport,直到后面的协议初始化才失败,所以共存策略在首次授权路径上还是 fail-open。这里需要在 requestDevice() 返回后复用同一套品牌校验,不能只在 getDevices() 枚举分支过滤。
No description provided.