
mdl's Introduction

MDLlife

MDL Blog


mdl's Issues

test failing for droplet_test after refactor breaks travis build

https://travis-ci.org/MDLlife/MDL/jobs/349165205


--- FAIL: TestFromString (0.00s)
    --- FAIL: TestFromString/MDL (0.00s)
	Error Trace:	droplet_test.go:124
	Error:      	Not equal: 
	            	expected: &errors.errorString{s:"can't convert 100MDL to decimal"}
	            	actual: &errors.errorString{s:"can't convert MDL to decimal"}
	            	
	            	Diff:
	            	--- Expected
	            	+++ Actual
	            	@@ -1,2 +1,2 @@
	            	-(*errors.errorString)(can't convert 100MDL to decimal)
	            	+(*errors.errorString)(can't convert MDL to decimal)
	            	 
FAIL
FAIL	github.com/MDLlife/MDL/src/util/droplet	0.006s

0 value of transaction instead of its real value in UI

In transaction explorer I see a transactions list. Some of them have 0 value. I know in our case we don't have real 0 value transactions. I think the number just renders incorrectly. E.g. if you open transaction details you may notice there are actual values transferred (in Outputs section).


Potential command injection

Probably not a lot of risk here since it looks like the data is currently coming from a config file, but still a good idea to sanitize host before passing it on through the application.

cmd/mdl/mdl.go

// Run starts the mdl node
func Run(c *Config) {
[........]
	host := fmt.Sprintf("%s:%d", c.WebInterfaceAddr, c.WebInterfacePort)
	fullAddress := fmt.Sprintf("%s://%s", scheme, host)
[........]
		if c.LaunchBrowser {
			wg.Add(1)
			go func() {
				defer wg.Done()

				// Wait a moment just to make sure the http interface is up
				time.Sleep(time.Millisecond * 100)

				logger.Info("Launching System Browser with %s", fullAddress)
				if err := browser.Open(fullAddress); err != nil { // HERE
					logger.Error(err.Error())
					return
				}

browser.Open() basically maps to https://github.com/toqueteos/webbrowser/blob/master/webbrowser.go where it doesn't ensure that params passed to it only contain host-looking characters, e.g. alphanumeric only. It just executes them as a command where special characters could be injected and execute arbitrary commands.

func (b browserCommand) Command(s string) (*exec.Cmd, error) {
	u, err := url.Parse(s)
	if err != nil {
		return nil, err
	}

	validUrl := ensureValidURL(u)

	b.args = append(b.args, validUrl)

	return exec.Command(b.cmd, b.args...), nil
}

The easiest solution here is just to sanitize host and strip all non-alphanumeric characters (maybe allow -'s though) from it before passing it on to be used in the application.

References:
https://www.owasp.org/index.php/Data_Validation#Sanitize_with_Whitelist
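A whitelist check of the kind the issue asks for, added here as an example and not taken from the MDL code base. ValidateWebInterfaceAddr, BuildFullAddress and the port value 8000 are assumptions; rather than stripping characters, it accepts only an IP literal or a DNS-style hostname, so a bad config value is rejected instead of silently rewritten.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strconv"
)

// hostnameRe whitelists DNS-style names: labels of letters, digits and '-',
// joined by '.', with no label starting or ending in '-'. (Hypothetical helper.)
var hostnameRe = regexp.MustCompile(
	`^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$`)

// ValidateWebInterfaceAddr accepts a literal IPv4/IPv6 address or a whitelisted
// hostname and rejects anything else, so shell metacharacters never reach browser.Open().
func ValidateWebInterfaceAddr(addr string) error {
	if net.ParseIP(addr) != nil {
		return nil
	}
	if len(addr) > 253 || !hostnameRe.MatchString(addr) {
		return fmt.Errorf("web interface address %q is not a valid host", addr)
	}
	return nil
}

// BuildFullAddress reproduces the scheme://host:port string built in Run(),
// but only from validated parts. net.JoinHostPort brackets IPv6 literals.
func BuildFullAddress(scheme, addr string, port int) (string, error) {
	if scheme != "http" && scheme != "https" {
		return "", fmt.Errorf("unsupported scheme %q", scheme)
	}
	if err := ValidateWebInterfaceAddr(addr); err != nil {
		return "", err
	}
	if port < 1 || port > 65535 {
		return "", fmt.Errorf("web interface port %d out of range", port)
	}
	host := net.JoinHostPort(addr, strconv.Itoa(port))
	return fmt.Sprintf("%s://%s", scheme, host), nil
}

func main() {
	// Constructed sample inputs: the last two must be rejected.
	for _, a := range []string{"127.0.0.1", "::1", "node.example.com", "local host", "node;ls"} {
		u, err := BuildFullAddress("http", a, 8000) // 8000 is an assumed port
		fmt.Printf("%-18q -> %q err=%v\n", a, u, err)
	}
}
```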

Lock down log file

cmd/mdl/mdl.go

// init logging settings
func initLogging(dataDir string, level string, color, logtofile bool) (func(), error) {
[.......]
		// open log file
		tf := "2006-01-02-030405"
		logfile := filepath.Join(logDir,
			fmt.Sprintf("%s-v%s.log", time.Now().Format(tf), Version))
		var err error
		fd, err = os.OpenFile(logfile, os.O_RDWR|os.O_CREATE, 0666) // HERE

The permissions should be ideally 0600 (owner r/w) or 0640 (owner r/w, group read) max, otherwise the file is open to everyone to read and write to it which is not great from a security point of view.
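An owner-restricted replacement for that OpenFile call, added here as an example and not taken from the MDL code base. OpenLogFile and GroupOrOtherAccessible are hypothetical names and the version string is a placeholder; the mode check refuses anything wider than the 0640 ceiling the issue recommends, and the explicit Chmod covers a log file that already existed with looser permissions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"time"
)

// OpenLogFile is a hardened stand-in for the os.OpenFile call in initLogging.
// mode must be 0600 or 0640: any bit outside 0640 is refused up front.
func OpenLogFile(logDir, version string, mode os.FileMode) (*os.File, error) {
	if mode&^0640 != 0 {
		return nil, fmt.Errorf("log file mode %#o is wider than 0640", mode)
	}
	tf := "2006-01-02-030405"
	logfile := filepath.Join(logDir,
		fmt.Sprintf("%s-v%s.log", time.Now().Format(tf), version))
	// O_APPEND instead of O_RDWR: a logger never needs to read its own file.
	fd, err := os.OpenFile(logfile, os.O_WRONLY|os.O_CREATE|os.O_APPEND, mode)
	if err != nil {
		return nil, err
	}
	// The create mode only applies to a new file; a pre-existing one keeps its old mode, so pin it.
	if err := fd.Chmod(mode); err != nil {
		fd.Close()
		return nil, err
	}
	return fd, nil
}

// GroupOrOtherAccessible reports whether any permission bit is set beyond the owner.
func GroupOrOtherAccessible(path string) (bool, error) {
	info, err := os.Stat(path)
	if err != nil {
		return false, err
	}
	return info.Mode().Perm()&0077 != 0, nil
}

func main() {
	dir, _ := os.MkdirTemp("", "mdl-log-example") // constructed temp dir
	defer os.RemoveAll(dir)
	if fd, err := OpenLogFile(dir, "0.0.1", 0600); err == nil { // placeholder version
		defer fd.Close()
		open, _ := GroupOrOtherAccessible(fd.Name())
		fmt.Println(fd.Name(), "group/other-accessible:", open)
	}
}
```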
