sneak/AutistMask
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

security: fix high-severity findings from audit (closes #6) #7

Merged
sneak merged 8 commits from fix/high-severity-security into main 2026-02-27 20:56:43 +01:00
Conversation 1 Commits 8 Files Changed 6 +14 -2
2 changed files with 14 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit f13cd0fd47 - Show all commits

14
src/background/index.js
View File

@@ -714,7 +714,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
if (wallet) break; if (wallet) break;
} }
if (!wallet) throw new Error("Wallet not found"); if (!wallet) throw new Error("Wallet not found");
const decrypted = await decryptWithPassword( // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
let decrypted = await decryptWithPassword(
wallet.encryptedSecret, wallet.encryptedSecret,
msg.password, msg.password,
); );
@@ -723,6 +724,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
addrIndex, addrIndex,
decrypted, decrypted,
); );
// Best-effort: clear decrypted secret after use.
// Note: JS strings are immutable; this nulls the reference but
// the original string may persist in memory until GC.
decrypted = null;
const provider = getProvider(state.rpcUrl); const provider = getProvider(state.rpcUrl);
const connected = signer.connect(provider); const connected = signer.connect(provider);
const tx = await connected.sendTransaction(approval.txParams); const tx = await connected.sendTransaction(approval.txParams);
@@ -768,7 +773,8 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
if (wallet) break; if (wallet) break;
} }
if (!wallet) throw new Error("Wallet not found"); if (!wallet) throw new Error("Wallet not found");
const decrypted = await decryptWithPassword( // TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
let decrypted = await decryptWithPassword(
wallet.encryptedSecret, wallet.encryptedSecret,
msg.password, msg.password,
); );
@@ -777,6 +783,10 @@ runtime.onMessage.addListener((msg, sender, sendResponse) => {
addrIndex, addrIndex,
decrypted, decrypted,
); );
// Best-effort: clear decrypted secret after use.
// Note: JS strings are immutable; this nulls the reference but
// the original string may persist in memory until GC.
decrypted = null;
const sp = approval.signParams; const sp = approval.signParams;
let signature; let signature;

2
src/popup/views/approval.js
View File

@@ -385,6 +385,7 @@ function init(ctx) {
type: "AUTISTMASK_TX_RESPONSE", type: "AUTISTMASK_TX_RESPONSE",
id: approvalId, id: approvalId,
approved: true, approved: true,
// TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
password: password, password: password,
}, },
(response) => { (response) => {
@@ -424,6 +425,7 @@ function init(ctx) {
type: "AUTISTMASK_SIGN_RESPONSE", type: "AUTISTMASK_SIGN_RESPONSE",
id: approvalId, id: approvalId,
approved: true, approved: true,
// TODO(security): Move decryption to popup to avoid sending password via runtime.sendMessage
password: password, password: password,
}, },
(response) => { (response) => {