-
-
Notifications
You must be signed in to change notification settings - Fork 275
feat!: add serialized keyring data to state #8009
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -291,6 +291,10 @@ export type KeyringObject = { | |
| * Keyring type. | ||
| */ | ||
| type: string; | ||
| /** | ||
| * Keyring serialized data. | ||
| */ | ||
| data: Json; | ||
| /** | ||
| * Additional data associated with the keyring. | ||
| */ | ||
|
|
@@ -662,6 +666,7 @@ async function displayForKeyring({ | |
| // Cast to `string[]` here is safe here because `accounts` has no nullish | ||
| // values, and `normalize` returns `string` unless given a nullish value | ||
| accounts: accounts.map(normalize) as string[], | ||
| data: cloneDeep(await keyring.serialize()), | ||
|
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. State updates now repeatedly serialize keyringsMedium Severity
|
||
| metadata, | ||
| }; | ||
| } | ||
|
|
@@ -770,7 +775,7 @@ export class KeyringController< | |
| usedInUi: true, | ||
| }, | ||
| keyrings: { | ||
| includeInStateLogs: true, | ||
| includeInStateLogs: false, | ||
|
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. The There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Keyrings removed from state logs unexpectedlyMedium Severity Setting
Member
Author
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. See #8009 (comment) |
||
| persist: false, | ||
| includeInDebugSnapshot: false, | ||
| usedInUi: true, | ||
|
|
@@ -2303,6 +2308,7 @@ export class KeyringController< | |
| const updatedKeyrings = await this.#getUpdatedKeyrings(); | ||
|
|
||
| this.update((state) => { | ||
| // @ts-expect-error The `Json` type causes the error `Type instantiation is excessively deep and possibly infinite` | ||
| state.keyrings = updatedKeyrings; | ||
| state.encryptionKey = encryptionKey; | ||
| state.encryptionSalt = this.#encryptionKey?.salt; | ||
|
|
||


There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Serialized keyring secrets exposed via controller state
High Severity
displayForKeyringnow putsawait keyring.serialize()intostate.keyrings[*].data, andkeyringsis markedusedInUi: true. Since keyringserialize()commonly includes sensitive material (e.g., mnemonics/private keys), this exposes secrets to any consumer ofKeyringController:getState/KeyringController:stateChange(including UI code).Additional Locations (1)
packages/keyring-controller/src/KeyringController.ts#L283-L302There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we should worry about KeyringController consumers being able to read secrets, because that's already possible via
withKeyring. But perhaps we should consider restricting this property in the UI, to avoid accidental leaks.