[Security] (low risk) New coins: restrict charset of ticker and name #343
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
TODO: test the regular expression for ticket or coin name with $ and _
Thank you to crackers for the testing and sorry for the problems due to my mistake. I will test my code before asking other pools to test it.
phm87
changed the title
|
I tested to inject a javascript before this code change and the code was injected. To simulate the injection, I added 2 lines: debuglog("test"); Here is what was displayed in the logs: If, as admin, I open the /coin page I see the alert(); |
|
Just turn that off :) |
blacksheepstoner23
approved these changes
May 13, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As discussed on IRC, the probability that a malicious script is injected from exchange to pool through the exchange API is very small. It can happen if the exchange is hacked or if the exchange API is hacked on DNS level. It never happened on our pools.
Several exchanges got hacked and more and more DNS attacks happen : MyEtherWallet was targetted in the past and more recently: https://techcrunch.com/2019/02/23/icann-ongoing-attacks-dns/
As this change doesn't slow down yiimp loops, can you please include it ?
Thank you to crackers who tested the patch and sorry for the problems during early tests.
Remark: The characters . / - can be added for some coins with weird names.
[2019-02-25 22:35:58] weird name I/OCoin for symbol IOC from bittrex
[2019-02-25 22:35:59] weird name iEx.ec for symbol RLC from bittrex
[2019-02-25 22:35:59] weird name Crypto.com for symbol MCO from bittrex
[2019-02-25 22:35:59] weird name Bitcoin Cash (ABC) for symbol BCH from bittrex
[2019-02-25 22:35:59] weird name I-House Token for symbol IHT from bittrex
[2019-02-25 22:35:59] weird name Solve.Care for symbol SOLVE from bittrex
[2019-02-25 22:36:04] weird name Trollcoin 2.0 for symbol TROLL from bleutrade
[2019-02-25 22:36:04] weird name Block-Chain.com Token for symbol BC from crex24
[2019-02-25 22:36:04] weird name Bitcoin Cash(ABC) for symbol BCH from crex24
[2019-02-25 22:36:05] weird name EyCo-Tech for symbol EYCO from crex24
[2019-02-25 22:36:05] weird name IQ.cash for symbol IQ from crex24
[2019-02-25 22:36:05] weird name LILI-Coin for symbol LILI from crex24
[2019-02-25 22:36:05] weird name MODEL-X-coin for symbol MODX from crex24
[2019-02-25 22:36:05] weird name NEXT.exchange for symbol NEXT from crex24
[2019-02-25 22:36:06] weird name Spectre.ai D for symbol SXDT from crex24
[2019-02-25 22:36:06] weird name Spectre.ai U for symbol SXUT from crex24
[2019-02-25 22:36:06] weird name THEX-THOREExchange for symbol THE from crex24
[2019-02-25 22:36:06] weird name USD//Coin for symbol USDC from crex24