Agoric / agoric-sdk

monorepo for the Agoric Javascript smart contract platform
Apache License 2.0

fix(bn-patch): fix bad html evasion #9564

Closed erights closed 1 week ago

erights commented 1 week ago

closes: #XXXX
refs: https://github.com/endojs/endo/issues/1837
https://github.com/Agoric/agoric-sdk/commit/7accc0286007216d55642056152f3be2a0ba3671
https://github.com/Agoric/agoric-sdk/pull/9112
https://github.com/endojs/endo/blob/master/packages/ses/error-codes/SES_HTML_COMMENT_REJECTED.md

Description

A patch introduced at https://github.com/Agoric/agoric-sdk/commit/7accc0286007216d55642056152f3be2a0ba3671 in #9112 patched https://www.npmjs.com/package/bn.js/v/5.1.2 to work around the bug explained at https://github.com/endojs/endo/issues/1837. However, the fix followed the advice at https://github.com/endojs/endo/issues/1837#issuecomment-2136033372, which is wrong for the reasons explained at https://github.com/endojs/endo/issues/1837#issuecomment-2136252916.

This PR fixes that mistake by instead using the technique @gibson042 suggests at https://github.com/endojs/endo/issues/1837#issuecomment-2136074644.

Security Considerations

Fixes an integrity bug. I have no idea how significant this bug was.

Scaling Considerations

none

Documentation Considerations

none

Testing Considerations

none

Upgrade Considerations

Well, it is a change. But I have no idea what the patched library was used for, so cannot evaluate.
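The SES error code linked above (SES_HTML_COMMENT_REJECTED) documents why SES refuses to evaluate source text containing the HTML-like comment tokens `<!--` and `-->`: Web-compatible parsers may read them as comment delimiters, so SES rejects them outright rather than risk two interpretations of the same code. The following is an added example, not code from agoric-sdk, endo, SES or bn.js: a small model of that pre-check plus the whitespace rewrite (`-->` to `-- >`, `<!--` to `< ! --`) that removes the token without changing what the program does, which is useful for auditing a vendored dependency before it lands in a patch. The sample source with the `n-->0` loop is constructed here and is not the bn.js code; the token set and rewrite are assumptions taken from the SES documentation linked in this PR.

```javascript
// Added example, not SES's own implementation: detect the HTML-like comment
// tokens that SES rejects, and rewrite them with whitespace so the source is
// accepted and still parses the same way everywhere.

// Tokens SES refuses to see anywhere in evaluated source text (assumed from the
// SES_HTML_COMMENT_REJECTED documentation; real SES also checks these inside
// strings and comments, since its scan is textual rather than a full parse).
const HTML_COMMENT_TOKEN = /<!--|-->/;

// Return the 1-based line number of the first offending token, or -1 if none.
function findHtmlCommentToken(src) {
  const idx = src.search(HTML_COMMENT_TOKEN);
  if (idx < 0) return -1;
  return src.slice(0, idx).split('\n').length;
}

// Fail loudly, the way a SES-style pre-check does, so a bad dependency is caught
// at evaluation time rather than behaving differently per parser.
function rejectHtmlComments(src) {
  const line = findHtmlCommentToken(src);
  if (line >= 0) {
    throw new SyntaxError(`possible HTML comment syntax rejected on line ${line}`);
  }
  return src;
}

// Insert whitespace inside each token. "n-->0" becomes "n-- >0", which every
// JavaScript parser reads as (n--) > 0; "<!--" becomes "< ! --" (a less-than,
// a logical not, and a decrement, exactly as before the rewrite).
function evadeHtmlComments(src) {
  return src.replace(/-->/g, '-- >').replace(/<!--/g, '< ! --');
}

// Constructed sample: the classic "goes to" loop. "-->" is what a Web-compatible
// parser may treat as an HTML close-comment when it begins a line.
const SAMPLE = [
  'function sumDown(n) {',
  '  let total = 0;',
  '  while (n-->0) total += n;',
  '  return total;',
  '}',
  'return sumDown;',
].join('\n');

// Run the check, apply the rewrite, and confirm the rewritten source is both
// clean and behaviourally identical to the original.
function demo(src) {
  const line = findHtmlCommentToken(src);
  const rewritten = evadeHtmlComments(src);
  const original = new Function(src)();
  const fixed = new Function(rewritten)();
  return {
    line,                                                   // 3 for SAMPLE
    rewrittenClean: findHtmlCommentToken(rewritten) === -1, // true
    sameResult: original(5) === fixed(5),                   // true
    value: fixed(5),                                        // 4+3+2+1+0 = 10
  };
}

console.log(demo(SAMPLE));
```

The rewrite only inserts whitespace between tokens that the grammar already separates, so it is safe to apply mechanically; what it cannot fix is a `-->` or `<!--` inside a string literal, where the whitespace would change the string's value, and such cases need a manual edit (for example, concatenating the pieces).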

cloudflare-pages[bot] commented 1 week ago

Deploying agoric-sdk with Cloudflare Pages

Latest commit: c7ebc2c
Status: ✅ Deploy successful!
Preview URL: https://a636dd0d.agoric-sdk.pages.dev
Branch Preview URL: https://markm-fix-html-evasion.agoric-sdk.pages.dev
