search

adraffy / ens-normalize.js

ENSIP-15 in JS
https://adraffy.github.io/ens-normalize.js/test/resolver.html
MIT License
67 stars 17 forks source link

Is this package malware? #20

Closed paulmillr closed 1 year ago

paulmillr commented 1 year ago

Probably not, but why are you having this code?

var r$1 = read_compressed_payload('AEgSbwjEDVYByQKaAQsBOQDpATQAngDUAHsAoABoANQAagCNAEQAhABMAHIAOwA9ACsANgAmAGIAHgAvACgAJwAXAC0AGgAjAB8ALwAUACkAEgAeAAkAGwARABkAFgA5ACgALQArADcAFQApABAAHgAiABAAGAAeABMAFwAXAA0ADgAWAA8AFAAVBFsF1QEXE0o3xAXUALIArkABaACmAgPGAK6AMDAwMAE/qAYK

This looks very similar to something malware would do. There are no comments or a description of this code.

If this is not malware, you should really add some comments.

ricmoo commented 1 year ago

It’s the compressed (customs format) utf-8 data for ENS normalization. :)

adraffy commented 1 year ago

var r$1

I can add comments to those blobs however I'm not sure if the /dist/ files should be read by humans.

The base64-encoded payloads are built by src/make.js. From my tests, this technique beats gzip even with the overhead of including the decompressor. I can add checksum hashes to each for extra assurance.

I've looked at a lot of Unicode-related libraries and nearly all of them include magic files and exotic build scripts. They're also very fragile in the sense they're almost impossible to safely tweak. This project is both end-to-end and designed for easy experimentation.

If you clone the repo, you should be able to derive the entire spec and build the library, starting from the raw ingredients (Unicode files + ENS Rules) by following the readme instructions . Clone-to-built should take less than a minute. You can even go a step further, delete the Unicode data, and download it yourself.

A fresh build should reproduce the spec hash found in my build. The build process also embeds all of the source information in src/include-versions.js.

paulmillr commented 1 year ago

not sure if the /dist/ files should be read by humans.

Yes, they are. I audit code. I did not download your repo. I downloaded ethers, non-minified. I see this base64 stuff that's impossible to decrypt without spending a few hours. It definitely feels like malware. So, again, the comments are needed and they would help.

What is the specific build size win you're getting from this technique?

I can add checksum hashes to each for extra assurance

This could help, but the comments are still needed, with detailed steps on how to reproduce it, links to README, etc.

adraffy commented 1 year ago

Something like this? https://github.com/adraffy/ens-normalize.js/blob/main/dist/index.mjs#L206 image

https://github.com/adraffy/ens-normalize.js#security image

paulmillr commented 1 year ago

Yes, that's much better.

adraffy commented 1 year ago

These changes went live in 1.9.4