victortaelin / eth-lib Goto Github PK

eth-lib 0.2.7 and 0.2.8, as published on npm, include lib/provider.js, which requires a package not specified in package.json dependencies field.

lib/api.js and lib/types.js are also present corresponding files in src/.

Apparently, that's a leftover from previous version -- there is no corresponding file in the src/ dir.

Perhaps it would make sense to not package it in the next version.

Doing a TypeScript import for Account triggers some unwanted side-effects in web browser context. On the Node server-side it is fine.

import { Account } from 'eth-lib/lib'; // https://github.com/MaiaVictor/eth-lib/blob/master/src/account.js

As a workaround use JavaScript style import:

const Account = require('eth-lib/lib/account');

Not sure if this should be resolved or is resolvable.

window.crypto.getRandomValues is easy to overwrite. So I don't think it is very safe to create random for account private key.

https://github.com/MaiaVictor/eth-lib/blob/d959c54faa1e1ac8d474028ed1568c5dce27cc7a/src/bytes.js#L6-L18

https://github.com/MaiaVictor/eth-lib/blob/d959c54faa1e1ac8d474028ed1568c5dce27cc7a/src/account.js#L8-L13

Maybe you should make sure the entropy is not empty

Please see this for reference.

It looks like https://github.com/MaiaVictor/eth-lib/blob/master/src/account.js is injecting it's own random values despite supplied entropy.

If this is by design then it is a serious vulnerability, because the entropy used compromises a fixed part of the final random pattern. This means that it is reducing the overall "randomness" of the generated keys thereby weakening it.

If the user supplies entropy then 1/3rd of the key is compromised, thus you're losing randomness guarantees by allowing entropy to be supplied there as a sort of seed value which in fact does nothing useful for the user since only a state actor with massive resources could pre-image the rest of the key.

Furthermore it breaks expectations since if I am already supplying entropy then the logical conclusion is that same entropy should yield same account, every time. This is not happening because we concat a randomly generated 32 bytes on 2 separate occasions. That would allow for an additional attack vector since if the random function is overridden by an attacker, for example an XSS, the whole system could be compromised.

It needs to be either one or the other. Either the create with entropy function provides a consistent result without trying to toss in randomly generated values from another source, or it completely disregards the entropy in favor of injecting it's own randomly generated values, in which case one has to ask, "what's the point of this function?"
Thanks!

Seems like the src directory is used as the source for build uglification by react-app, which fails because it is ES6. Is there a way to specify the lib folder as the source? All other web3 libs build fine..

I would like to see an Ethereum name or address added to the ethereum field of the package.json file. This will allow consumers of the project to know a cannonical address to send funds to, for example donations.

I'm building an application that will allow developers to automatically donate ETH to all of their npm dependencies that have Ethereum addresses in their package.json files. I'm not quite ready to share the project, but I'd love to see an Ethereum address in this project's package.json file.

Seems like tests are a bit broken at the moment, it's hard to contribute patches with test coverage on them.

What's happening with this project? Are you going to accept pr that fixes current state?

• src/types.js is missing, there's only lib/types.js - required from test/test.js
• Account.signTransaction(...) is using in test/test.js but implementation is missing in src/account.js

It looks like web3.js 1.x is using this library even though it's mentioned here in readme that's just temporary package. It still should be in sane state, no? Or am I missing something? Are the efforts directed somewhere else?

refs request/request#3442

[email protected] is using pkg:servify, and pkg:servify is using pgk:request which contains risky code

But I found there's no usage of servify in [email protected]. So is it possible to remove the dependency?