Replace old xhr2-cookies with xhr2-cookies-patched deps for 1.x, fix User-Agent header problem #4808
Conversation
ghost
mentioned this pull request
|
@0xayanami Thanks for the PR. We will review it further. BTW there are 8 commits differences between the original package |
nazarhussain
requested review from
nazarhussain,
jdevcs,
luu-alex and
spacesailor24
nazarhussain
added
1.x
|
Added commit to fix the unittest, looks like it would work as normal again. |
ghost
mentioned this pull request
Pull Request Test Coverage Report for Build 2003763047
💛 - Coveralls |
|
@0xayanami Please update the |
|
@nazarhussain I have updated the |
There was a problem hiding this comment.
This PR has immense security implications and should not be merged as is. @0xayanami controls the package xhr2-cookies-patched and could update it arbitrarily after we merge this PR. If we'd like to implement this change, I think ChainSafe would need to publish the patched version of the package
jdevcs
added
Do Not Merge
|
@spacesailor24 Yes, that is what I was talking on the previous closed PR #4796. It would be great for ChainSafe to deploy the package. However, as the dependency have fixed version, and since the NPM's policy is not to allow republishing on the same version https://stackoverflow.com/questions/27873515/is-there-a-workaround-for-npm-publish-f, would it be impossible to update it arbitrarily? |
ghost
mentioned this pull request
|
@spacesailor24 @nazarhussain @luu-alex Perhaps this PR could address your concerns #4856 , could you please check out? |
Just to keep you in the loop, we're having an internal discussion about this, but this is my opinoin: I think if we use a static version in The big difference between We can review the changes from Am I being paranoid? Yes, but Web3.js has 540k+ weekly downloads and each of those users could completely boycott the project (and even ChainSafe) because we make a decision like this and introduce a vulnerability that does something as drastic stealing private keys @0xayanami it's not that you would do this, but it's that you could do this and there's even a possibility that your account gets compromised and someone else does it. I just think concerns like these should be discussed and understood by everyone before moving forward, especially because of the work this project does and the amount of access a hacker could obtain by exploiting Web3.js |
|
@spacesailor24 So to simplify your concerns,
I could rephrase this with
As you can check here https://www.npmjs.com/package/xhr2-cookies, the library is only being used by the variant of web3 and I would assume that no one ever tested or thoroughly audit the code since when I tried to test the library using the built-in test cases, it was already broken so I had no choice but to fix them to make it work again https://github.com/0xAyanami/xhr2-cookies/commit/e1ab976108383fba6e9155eff06556ac8072dc14 https://github.com/0xAyanami/xhr2-cookies/commit/e4e357c6e4afbc88833beb36bd1cb8dd5debdab1 https://github.com/0xAyanami/xhr2-cookies/commit/0e336f477b2a697688bfdf9494960626ba2558bb https://github.com/0xAyanami/xhr2-cookies/commit/3d3b1e5f1758ce9030a13a42d4a1e611d55c1c7b https://github.com/0xAyanami/xhr2-cookies/commit/61f93422632e0d63d4300de33aba5e3e73c59d81 These are the changes to make the library work properly again, so your term of 'xhr2-cookies' have been tested by various projects are wrong. So, 'The big difference between xhr2-cookies and xhr2-cookies-patched is the former has 377,857 weekly downloads, meaning 377,857 people are testing that the code works as expected every week and doesn't perform any malicious behavior.' - this would be a false statement since nobody actually checked out the code.
As you could see this line of code, exposes any kind of information that could be used to easily identify which device, which development environment is being used for individual dapp users, developers only because it uses To mitigate this, as a privacy project contributor I decided to use the modified wrapper of They have the rights to conceal their privacy, and if ChainSafe does care about users' privacy, the best behavior would be to help to stop the leak instead of being paranoid about something unlikely to happen. Why would someone need to giveaway their device information for free just because they interact with a project that integrated web3.js? @spacesailor24 Again, could you be paranoid for not only the project development, but for the user's privacy as well? Do we really want to giveaway the privacy of millions of DeFi users to node providers for free? I am not blaming for being paranoid for the unwanted changes, but as I believe that as long as your maintainer's audit for proper changes care for user's privacy it wouldn't hurt the reputation of anyone. And due to the fact that you are already using third-party dependencies for web3.js as well as that Being careful of security is okay and it is applaudable, but it doesn't justify not to review changes and block the changes that could fix the privacy for millions. |
|
Also, some incident like node-ipc https://gist.github.com/MidSpike/f7ae3457420af78a54b38a31cc0c809c happened not because people used the dynamic version statement of node-ipc, but because people actually trusted their dependency would not cause a problem just because many people is using it. Not only did people using dynamic versioning of node-ipc got in trouble but also people using the linked package of 'node-ipc' got in trouble as well, even if you use the static version, your npm package manager will still refer to the dynamic version of the package that is defined as a dependency of that static versioned dependency, it is called as supply chain attack as well. And btw, have you also audited every change of the updated projects yesterday that you give approval of? #4860 'Web3.js' already use tons of third party package with dynamic versioning https://raw.githubusercontent.com/ChainSafe/web3.js/695637798ad6b440b32dbad16f9ca301e4c3b5df/package-lock.json and any incident like |
ghost
requested a review
from 
spacesailor24
changed the base branch from
1.x
to
wyatt/1.x/4808-e2e-windows-test-fix
Description
Unlike ethers.js, web3.js didn't support using custom
User-Agentheaders due to header restrictions inherited from the old, unmaintained xhr2-cookies dependencies.Related issues:
#1803
#2158
Using old dependency would expose the OS and nodejs version to RPC providers.
Due to this problem, there are many forks of the old dependencies exist https://www.npmjs.com/package/xhr2-cookies-web3fix , only to fix this old restriction applied.
See also
souldreamer/xhr2-cookies#30
Type of change
Replace xhr2-cookies with https://www.npmjs.com/package/xhr2-cookies-patched (https://github.com/0xAyanami/xhr2-cookies.git)
Checklist:
npm run dtslintwith success and extended the tests and types if necessary.npm run test:unitwith success.npm run test:covand my test cases cover all the lines and branches of the added code.npm run buildand testeddist/web3.min.jsin a browser.CHANGELOG.mdfile in the root folder.