From b91b81f5c9967a2b09116ff3e340e17d2e6c4feb Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Tue, 7 Jun 2022 00:26:00 +1000 Subject: [PATCH 1/9] fix: audit --- components/Footer.vue | 16 ++++----- components/Job.vue | 7 +++- components/MetamaskNavbarIcon.vue | 4 ++- components/Navbar.vue | 7 +++- components/Notices.vue | 9 +++-- components/Tx.vue | 7 +++- components/governance/Proposal.vue | 2 +- .../governance/manage/tabs/DelegateTab.vue | 4 ++- .../governance/manage/tabs/UndelegateTab.vue | 4 ++- components/withdraw/Withdraw.vue | 4 +-- langs/en.json | 6 +++- layouts/default.vue | 4 +++ middleware/provider.js | 6 ++++ nuxt.config.js | 21 ++++++++++++ pages/compliance.vue | 4 +++ pages/index.vue | 33 ++++++++++++++----- plugins/detectIPFS.js | 17 ++++------ plugins/localStorage.js | 27 +++++++++------ store/metamask.js | 2 ++ store/relayer.js | 6 ++-- store/settings.js | 3 +- 21 files changed, 140 insertions(+), 53 deletions(-) diff --git a/components/Footer.vue b/components/Footer.vue index 1072fb7..e232c50 100644 --- a/components/Footer.vue +++ b/components/Footer.vue @@ -12,7 +12,7 @@ class="footer-address__value" target="_blank" :href="addressExplorerUrl(donationsAddress)" - rel="noreferrer" + rel="noopener noreferrer" >{{ donationsAddress }} @@ -31,7 +31,7 @@ type="is-icon" :href="duneLink" target="_blank" - rel="noreferrer" + rel="noopener noreferrer" icon-right="stats" >
diff --git a/components/Job.vue b/components/Job.vue index 3641553..d77466b 100644 --- a/components/Job.vue +++ b/components/Job.vue @@ -14,7 +14,12 @@

- + {{ job.txHash }}

diff --git a/components/MetamaskNavbarIcon.vue b/components/MetamaskNavbarIcon.vue index 74dbb2f..64e66e6 100644 --- a/components/MetamaskNavbarIcon.vue +++ b/components/MetamaskNavbarIcon.vue @@ -3,7 +3,9 @@ @@ -82,21 +98,20 @@ export default { }, created() { this.$store.dispatch('application/setNativeCurrency', { netId: this.netId }) - }, - mounted() { - if (this.$route.query.note) { - this.activeTab = 1 - } + this.checkIsTrustedUrl() }, methods: { ...mapActions('settings', ['disableNotification']), + checkIsTrustedUrl() { + const isIpfs = this.$isLoadedFromIPFS() + if (!isIpfs) { + this.disableNotification({ key: 'third' }) + } + }, onGetKey(fn) { this.getKeys = fn }, async tabChanged(tabIndex) { - if (!this.$route.query.note) { - this.$root.$emit('resetWithdraw') - } if (tabIndex === 1) { this.$store.dispatch('relayer/pickRandomRelayer', { type: 'tornado' }) diff --git a/plugins/detectIPFS.js b/plugins/detectIPFS.js index ecee982..0308a31 100644 --- a/plugins/detectIPFS.js +++ b/plugins/detectIPFS.js @@ -3,20 +3,17 @@ export default ({ store, isHMR, app }, inject) => { inject('isLoadedFromIPFS', main) } function main() { - const domainWhiteList = [ - 'tornado.cash', - 'localhost:3000', - 'stage.tornado.cash', - 'tornadocash.eth', + const whiteListedDomains = [ + // 'localhost:3000', 'tornadocash.eth.link', - 'tornadocash.eth.limo', - 'app.tornado.cash', - 'donotshare.tornado.cash' + 'tornadocash.eth.limo' ] - if (window.location.host.includes('tornadocash.netlify.app')) { + const NETLIFY_REGEXP = /https:\/\/deploy-preview-(\d+)--tornadocash\.netlify\.app/ + + if (NETLIFY_REGEXP.test(window.location.host)) { return false - } else if (!domainWhiteList.includes(window.location.host)) { + } else if (!whiteListedDomains.includes(window.location.host)) { console.warn('The page has been loaded from ipfs.io. LocalStorage is disabled') return true } diff --git a/plugins/localStorage.js b/plugins/localStorage.js index 47aeb41..1a5b2ca 100644 --- a/plugins/localStorage.js 
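Review bot: `checkIsTrustedUrl()` is now invoked from `created()`, which Nuxt also runs during server-side rendering and static generation, while `$isLoadedFromIPFS()` dereferences `window.location`; unless plugins/detectIPFS.js is registered client-only (not visible here), this throws outside the browser. Keep the call in `mounted()`, or guard it: `if (process.client) this.checkIsTrustedUrl()`. A comment on the method would also make the inverted logic clearer: `// Hide the untrusted-gateway notice when served from a whitelisted host (see plugins/detectIPFS.js)`. The `methods` block continues outside the hunk.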
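Review bot: `NETLIFY_REGEXP` embeds the `https://` scheme but is tested against `window.location.host`, which never carries a scheme, so it can never match and every Netlify deploy preview falls through to the whitelist test and is reported as an IPFS load. Match the host alone and anchor it, since an unanchored pattern would also accept `deploy-preview-1--tornadocash.netlify.app.attacker.example`: `const NETLIFY_REGEXP = /^deploy-preview-\d+--tornadocash\.netlify\.app$/`. The function's `true` actually means "host is not whitelisted" rather than "served by an IPFS gateway", which both the function name and the console message obscure; a comment on `main()` such as `// true = origin is not a trusted host; persistence and the trust banner key off this` would help. The tail of `main()` is outside the hunk.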
+++ b/plugins/localStorage.js @@ -21,16 +21,23 @@ export default ({ store, isHMR }) => { return } - const paths = ['metamask.netId', 'application.selectedStatistic', 'application.selectedInstance'] - if (!store.$isLoadedFromIPFS()) { - paths.push('txHashKeeper', 'settings', 'account', 'relayer.jobs', 'encryptedNote.ui') + const paths = [ + 'metamask.netId', + 'application.selectedStatistic', + 'application.selectedInstance', + 'txHashKeeper', + 'settings', + 'account', + 'relayer.jobs', + 'encryptedNote.ui' + ] + + migrate() + + createPersistedState({ + key: STORE_NAME, + paths + })(store) } - - migrate() - - createPersistedState({ - key: STORE_NAME, - paths - })(store) } diff --git a/store/metamask.js b/store/metamask.js index c03b1e8..c260e6a 100644 --- a/store/metamask.js +++ b/store/metamask.js @@ -82,6 +82,8 @@ const mutations = { }, SET_NET_ID(state, netId) { netId = parseInt(netId, 10) + window.localStorage.setItem('netId', netId) + state.netId = netId }, SET_RECONNECTING(state, bool) { diff --git a/store/relayer.js b/store/relayer.js index 7683834..7f1048f 100644 --- a/store/relayer.js +++ b/store/relayer.js @@ -337,13 +337,15 @@ export const actions = { async getCustomRelayerData({ rootState, state, getters, rootGetters, dispatch }, { url, name }) { const provider = getters.ethProvider.eth - if (!url.startsWith('https:') && !url.startsWith('http:')) { - if (url.includes('.onion')) { + const PROTOCOL_REGEXP = /^(http(s?))/ + if (!PROTOCOL_REGEXP.test(url)) { + if (url.endsWith('.onion')) { url = `http://${url}` } else { url = `https://${url}` } } + const urlParser = new URL(url) urlParser.href = url let ensName = name diff --git a/store/settings.js b/store/settings.js index 07bd48b..94ebe80 100644 --- a/store/settings.js +++ b/store/settings.js @@ -20,7 +20,8 @@ export const state = () => { ...rpcData, isActiveNotification: { first: true, - second: true + second: true, + third: true } } } 
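Review bot: The `$isLoadedFromIPFS()` branch that kept `txHashKeeper`, `settings`, `account`, `relayer.jobs` and `encryptedNote.ui` out of persisted state is removed here, and the new `createPersistedState` call is followed by a context `}` whose opening line is not in the hunk, so it cannot be confirmed from this view whether the whole block is now gated on a trusted host or whether `account` and `encryptedNote.ui` are persisted unconditionally. If the intent is "persist nothing on an untrusted gateway", which is what the `LocalStorage is disabled` warning in plugins/detectIPFS.js promises, say so above `const paths`: `// Only persist on whitelisted hosts: on a public gateway localStorage is shared with every other site served from that origin`. If the block turns out to be unconditional, the previous split between harmless UI preferences and key material should be restored rather than widened. The enclosing arrow function starts before the hunk.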
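Review bot: `SET_NET_ID` now writes to `window.localStorage` directly from a Vuex mutation, which sidesteps the `paths` whitelist that `createPersistedState` applies in plugins/localStorage.js (and any host gating around it), and it will throw if the mutation is ever committed during server-side rendering or static generation where `window` is undefined. A mutation should stay a pure state change; if the raw `netId` key must exist before the store hydrates, move the write into the action that commits `SET_NET_ID`, guard it with `if (typeof window !== 'undefined')`, and skip it when `Number.isNaN(netId)` so an invalid input does not persist the string `NaN`. A comment naming which code reads the bare `netId` key (it is not the `STORE_NAME` blob) would explain why the duplicate write exists. The rest of the mutations object is outside the hunk.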
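Review bot: `PROTOCOL_REGEXP = /^(http(s?))/` only checks that the string starts with the letters `http`, not that a scheme is present, so a relayer entered as `httprelay.example` is left without a scheme and `new URL(url)` on the next line throws, a gap the previous `startsWith('https:')`/`startsWith('http:')` test did not have. Match the full scheme: `const PROTOCOL_REGEXP = /^https?:\/\//`. Switching from `includes('.onion')` to `endsWith('.onion')` also means an onion address given with a trailing slash or a port now gets `https://` prepended; checking `new URL(url).hostname.endsWith('.onion')` after the scheme is added would be more robust. The `urlParser.href = url` assignment right after `new URL(url)` is redundant. The rest of `getCustomRelayerData` is outside the hunk.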
From 28aaf17d87fcd93d72da3dadc04c7cbd04dd527c Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Tue, 7 Jun 2022 20:55:37 +1000 Subject: [PATCH 2/9] fix: remove comments --- nuxt.config.js | 13 ------------- plugins/detectIPFS.js | 6 +----- 2 files changed, 1 insertion(+), 18 deletions(-) diff --git a/nuxt.config.js b/nuxt.config.js index 5ca190c..e32f5ab 100644 --- a/nuxt.config.js +++ b/nuxt.config.js @@ -51,19 +51,6 @@ export default { 'http-equiv': 'Content-Security-Policy', content: '' }, - // move to req middlevare - // { - // 'http-equiv': 'Permissions-Policy', - // content: 'geolocation=()' - // }, - // { - // 'http-equiv': 'Strict-Transport-Security', - // content: 'max-age=31536000;' - // }, - // { - // 'http-equiv': 'X-Content-Type-Options', - // content: 'nosniff' - // }, { name: 'Referer-Policy', content: 'no-referrer' diff --git a/plugins/detectIPFS.js b/plugins/detectIPFS.js index 0308a31..bbd765f 100644 --- a/plugins/detectIPFS.js +++ b/plugins/detectIPFS.js @@ -3,11 +3,7 @@ export default ({ store, isHMR, app }, inject) => { inject('isLoadedFromIPFS', main) } function main() { - const whiteListedDomains = [ - // 'localhost:3000', - 'tornadocash.eth.link', - 'tornadocash.eth.limo' - ] + const whiteListedDomains = ['localhost:3000', 'tornadocash.eth.link', 'tornadocash.eth.limo'] const NETLIFY_REGEXP = /https:\/\/deploy-preview-(\d+)--tornadocash\.netlify\.app/ From 06214fc23a20216ad314235bcdd958211997c31a Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Wed, 8 Jun 2022 15:24:59 +1000 Subject: [PATCH 3/9] fix: inline script to file --- app.html | 30 ------------------------------ langs/en.json | 2 +- nuxt.config.js | 4 +++- static/headerScript.js | 35 +++++++++++++++++++++++++++++++++++ 4 files changed, 39 insertions(+), 32 deletions(-) create mode 100644 static/headerScript.js diff --git a/app.html b/app.html index f1c0947..3427d3e 100644 --- a/app.html +++ b/app.html @@ -1,36 +1,6 @@ - {{ HEAD }} 
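Review bot: Deleting the commented-out `Strict-Transport-Security` and `X-Content-Type-Options` meta entries is correct, since browsers honour those only as HTTP response headers and never as `http-equiv`, but the surviving context line `{ name: 'Referer-Policy', content: 'no-referrer' }` is equally inert: the meta name browsers recognise is `referrer`, so it should read `{ name: 'referrer', content: 'no-referrer' }` (the HTTP header is `Referrer-Policy`). A one-line comment next to the CSP entry noting that HSTS and nosniff must be configured at the hosting layer would preserve the knowledge the removed comment carried. The `head.meta` array continues outside the hunk.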
diff --git a/langs/en.json b/langs/en.json index 06b28ce..3a8f444 100644 --- a/langs/en.json +++ b/langs/en.json @@ -454,7 +454,7 @@ }, "withdrawalQueueIsOverloaded": "Withdrawal queue is overloaded", "trustBanner": { - "trustLess": "You are using an public IPFS gateway. Tornado Cash dApp can not use all security features of your browser. Check out {link} for alternatives", + "trustLess": "You are using a public IPFS gateway. Tornado Cash dApp can not use all security features of your browser. Check out {link} for alternatives", "link": "landing page" } } diff --git a/nuxt.config.js b/nuxt.config.js index e32f5ab..81880fd 100644 --- a/nuxt.config.js +++ b/nuxt.config.js @@ -45,11 +45,13 @@ export default { }, head: { title: 'Tornado.cash', + script: [{ src: 'headerScript.js', async: false, defer: true }], meta: [ { charset: 'utf-8' }, { 'http-equiv': 'Content-Security-Policy', - content: '' + content: + "img-src 'self' data:;font-src data:;style-src 'self' 'unsafe-inline';connect-src *;script-src 'self' 'unsafe-eval' 'unsafe-inline';default-src 'self';object-src 'none';base-uri 'none';upgrade-insecure-requests" }, { name: 'Referer-Policy', diff --git a/static/headerScript.js b/static/headerScript.js new file mode 100644 index 0000000..a7feffb --- /dev/null +++ b/static/headerScript.js 
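Review bot: The new policy keeps `'unsafe-inline'` in `script-src 'self' 'unsafe-eval' 'unsafe-inline'`, and `'unsafe-inline'` on script-src removes essentially all of CSP's protection against injected script, which is what moving the bootstrap into `static/headerScript.js` in this same commit was presumably meant to make unnecessary. With that script now external, drop `'unsafe-inline'` from script-src; if an inline snippet must remain, allow it by hash (`'sha256-…'`) rather than blanket `'unsafe-inline'`. `connect-src *` also lets any injected code talk to any origin; if the RPC and relayer hosts cannot be enumerated, at least narrow it to `https:` plus `http://*.onion` for onion relayers. Note that `upgrade-insecure-requests` will rewrite the `http://x.onion` relayer URLs built in store/relayer.js to https, so that combination should be tested in Tor Browser. The `head.meta` array continues outside the hunk.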
@@ -0,0 +1,35 @@
+const main = () => {
+  if (window.location.search) {
+    console.log('redirect')
+    window.location = window.location.origin + window.location.pathname
+  }
+
+  function addScript(src) {
+    const s = document.createElement('script')
+    s.setAttribute('src', src)
+    document.body.appendChild(s)
+  }
+
+  document.addEventListener('DOMContentLoaded', () => {
+    const ipfsPathRegExp = /^(\/(?:ipfs|ipns)\/[^/]+)/
+    const ipfsPathPrefix = (window.location.pathname.match(ipfsPathRegExp) || [])[1] || ''
+    if (ipfsPathPrefix) {
+      const scripts = [...document.getElementsByTagName('script')]
+
+      for (let i = 0; i < scripts.length; i++) {
+        if (scripts[i].src) {
+          const source = new URL(scripts[i].src)
+          if (!source.pathname.includes(ipfsPathPrefix)) {
+            console.log('Loading', source.pathname)
+
+            const newSource = window.location.origin + ipfsPathPrefix + source.pathname
+            addScript(newSource)
+          }
+        }
+      }
+      console.log('Finished')
+    }
+  })
+}
+
+main()
From 1fed9d5f5700e8d9d08f2331a9e5a9af35032ce6 Mon Sep 17 00:00:00 2001 From: Danil Kovtonyuk Date: Mon, 13 Jun 2022 17:55:05 +1000 Subject: [PATCH 4/9] fix: link
--- components/EncryptedTx.vue | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/components/EncryptedTx.vue b/components/EncryptedTx.vue
index 276ac43..9c3524b 100644
--- a/components/EncryptedTx.vue
+++ b/components/EncryptedTx.vue
@@ -30,7 +30,12 @@
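Review bot: The query-string redirect at the top of `main` does not stop execution: after assigning `window.location` the function goes on to register the `DOMContentLoaded` handler, so the script-rewriting loop can still run on a page that is about to be discarded. Add `return` after the assignment and use `window.location.replace(window.location.origin + window.location.pathname)` so the URL carrying the query (apparently the `?note=` withdrawal link the rest of this series removes) is not left in session history. In the loader, `source.pathname.includes(ipfsPathPrefix)` should be `startsWith(ipfsPathPrefix)`, since `/ipfs/<cid>` can occur later in the path of an unrelated script, and the tags created by `addScript` carry no `integrity` or `crossorigin` attributes even if the original tags had them. The `console.log('redirect')`, `'Loading'` and `'Finished'` calls read like leftover debugging and should go.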

- + {{ tx.txHash }}

From 083e92d1722da2cfcbd36d9085fb49973dcf5c44 Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Mon, 13 Jun 2022 17:58:18 +1000 Subject: [PATCH 5/9] remove index.html --- app.html | 9 --------- 1 file changed, 9 deletions(-) delete mode 100644 app.html diff --git a/app.html b/app.html deleted file mode 100644 index 3427d3e..0000000 --- a/app.html +++ /dev/null @@ -1,9 +0,0 @@ - - - - {{ HEAD }} - - - {{ APP }} - - From 7f287231420f1aa80936cd4a599e1a23a59225c7 Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Mon, 13 Jun 2022 20:49:00 +1000 Subject: [PATCH 6/9] return app.html --- app.html | 0 static/headerScript.js | 35 ----------------------------------- 2 files changed, 35 deletions(-) create mode 100644 app.html delete mode 100644 static/headerScript.js diff --git a/app.html b/app.html new file mode 100644 index 0000000..e69de29 diff --git a/static/headerScript.js b/static/headerScript.js deleted file mode 100644 index a7feffb..0000000 --- a/static/headerScript.js +++ /dev/null @@ -1,35 +0,0 @@ -const main = () => { - if (window.location.search) { - console.log('redirect') - window.location = window.location.origin + window.location.pathname - } - - function addScript(src) { - const s = document.createElement('script') - s.setAttribute('src', src) - document.body.appendChild(s) - } - - document.addEventListener('DOMContentLoaded', () => { - const ipfsPathRegExp = /^(\/(?:ipfs|ipns)\/[^/]+)/ - const ipfsPathPrefix = (window.location.pathname.match(ipfsPathRegExp) || [])[1] || '' - if (ipfsPathPrefix) { - const scripts = [...document.getElementsByTagName('script')] - - for (let i = 0; i < scripts.length; i++) { - if (scripts[i].src) { - const source = new URL(scripts[i].src) - if (!source.pathname.includes(ipfsPathPrefix)) { - console.log('Loading', source.pathname) - - const newSource = window.location.origin + ipfsPathPrefix + source.pathname - addScript(newSource) - } - } - } - console.log('Finished') - } - }) -} - -main() 
From ee1073ff07e30a49e37dd15875a3c706aa551678 Mon Sep 17 00:00:00 2001 From: Pasha8914 Date: Mon, 13 Jun 2022 20:49:07 +1000 Subject: [PATCH 7/9] return app.html --- app.html | 39 +++++++++++++++++++++++++++++++++++++++ nuxt.config.js | 1 - 2 files changed, 39 insertions(+), 1 deletion(-) diff --git a/app.html b/app.html index e69de29..89dfad8 100644 --- a/app.html +++ b/app.html @@ -0,0 +1,39 @@ + + + + + {{ HEAD }} + + +{{ APP }} + + diff --git a/nuxt.config.js b/nuxt.config.js index 81880fd..0d9bd55 100644 --- a/nuxt.config.js +++ b/nuxt.config.js @@ -45,7 +45,6 @@ export default { }, head: { title: 'Tornado.cash', - script: [{ src: 'headerScript.js', async: false, defer: true }], meta: [ { charset: 'utf-8' }, { From c5d30a788ba8f82cbb127008ce1717359e547f7c Mon Sep 17 00:00:00 2001 From: Danil Kovtonyuk Date: Tue, 14 Jun 2022 20:22:23 +1000 Subject: [PATCH 8/9] fix: add worker csp --- nuxt.config.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nuxt.config.js b/nuxt.config.js index 0d9bd55..387fd59 100644 --- a/nuxt.config.js +++ b/nuxt.config.js @@ -50,7 +50,7 @@ export default { { 'http-equiv': 'Content-Security-Policy', content: - "img-src 'self' data:;font-src data:;style-src 'self' 'unsafe-inline';connect-src *;script-src 'self' 'unsafe-eval' 'unsafe-inline';default-src 'self';object-src 'none';base-uri 'none';upgrade-insecure-requests" + "img-src 'self' data:;font-src data:;style-src 'self' 'unsafe-inline';connect-src *;script-src 'self' 'unsafe-eval' 'unsafe-inline';default-src 'self';object-src 'none';base-uri 'none';upgrade-insecure-requests;child-src blob:;worker-src blob:;" }, { name: 'Referer-Policy', From 249ea6b4e056d07ca28de738e54a060e1495bdba Mon Sep 17 00:00:00 2001 From: Danil Kovtonyuk Date: Wed, 15 Jun 2022 16:24:13 +1000 Subject: [PATCH 9/9] update README --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index a0c2eb5..1b0a0fb 100644 --- a/README.md 
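Review bot: `child-src blob:` widens more than the worker case needs: `child-src` is the fallback for both `worker-src` and `frame-src`, and no `frame-src` is declared, so this also permits `blob:` iframes. Because `worker-src blob:` is set explicitly, `child-src blob:` only matters for browsers that do not understand `worker-src`; keep it if that support is required, but add `frame-src 'none'` (or `'self'`) so frames fall back to something deliberate rather than to `child-src`. A comment stating which component needs `blob:` workers (presumably proof generation, but that is not visible here) would stop the next reviewer from tightening it away. The trailing `;` is harmless.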
+++ b/README.md @@ -5,11 +5,11 @@ ## Building locally - Install [Node.js](https://nodejs.org) version 14 - - If you are using [nvm](https://github.com/creationix/nvm#installation) (recommended) running `nvm use` will automatically choose the right node version for you. + - If you are using [nvm](https://github.com/creationix/nvm#installation) (recommended) running `nvm use` will automatically choose the right node version for you. - Install [Yarn](https://yarnpkg.com/en/docs/install) - Install dependencies: `yarn` - Copy the `.env.example` file to `.env` - - Replace environment variables with your own personal. + - Replace environment variables with your own personal. - Build the project to the `./dist/` folder with `yarn generate`. ## Development builds @@ -24,3 +24,7 @@ To start a development build (e.g. with logging and file watching) run `yarn dev ## Architecture For detailed explanation on how things work, checkout [Nuxt.js docs](https://nuxtjs.org). + +## Audit + +[TornadoCash_Сlassic_dApp_audit_Decurity.pdf](https://tornado.cash/audits/TornadoCash_Сlassic_dApp_audit_Decurity.pdf)