kshitijyelpale / blockchain-hyperledger-fabric-electronic-patient-records

GNU General Public License v3.0

Privacy leakage in asset_transfer.go #69

Open pdchecker opened 3 months ago

pdchecker commented 3 months ago

Describe the bug
Privacy leakage in app/asset-transfer-private-data/chaincode-go/chaincode/asset_transfer.go

To Reproduce

  1. Deploy asset_transfer.go, along with the PDC definition.
  2. Invoke the AgreeToTransfer function to write the private data P to the PDC.
  3. Fetch the block and find corresponding transaction.
  4. The private data P can be found in the "payload" field.

Expected behavior
The private data will be included in the transaction and all peers can access it.

Screenshots
The private data is recorded in base64.

Additional context
Leakage occurs in lines 213, 289, 102, 308, 316, 445, 459, 528.

pdchecker commented 3 months ago

According to the Docs, the functions that query private data should be read-only.
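The leak described in the report above, modelled in Go as an added example (not code from this repository or from Hyperledger Fabric): a stand-in stub records what reaches the block, so a version of AgreeToTransfer that receives the price as a proposal argument can be compared with one that reads it from the transient map. The FakeStub type, the collection name, the transient key asset_price and the sample values are assumptions; only the GetTransient and PutPrivateData method names follow the real shim.

```go
package main
import (
	"crypto/sha256"
	"fmt"
	"strings"
)
// FakeStub models what an endorsed transaction leaves in the block; the two methods mirror shim.ChaincodeStubInterface names, the recording is a stand-in, not Fabric code.
type FakeStub struct {
	transient map[string][]byte
	Public    []string          // readable by every peer that receives the block
	Private   map[string][]byte // collection contents, member peers only
}

// NewInvocation models the client proposal: arguments are copied into the block verbatim, the transient map goes only to endorsers and is never ordered.
func NewInvocation(args []string, transient map[string][]byte) *FakeStub {
	s := &FakeStub{transient: transient, Private: map[string][]byte{}}
	for _, a := range args {
		s.Public = append(s.Public, "arg:"+a)
	}
	return s
}

func (s *FakeStub) GetTransient() (map[string][]byte, error) { return s.transient, nil }
// Only a SHA-256 of a private write enters the public write set; the value stays in the collection.
func (s *FakeStub) PutPrivateData(col, key string, v []byte) error {
	s.Public = append(s.Public, fmt.Sprintf("%s/%s=%x", col, key, sha256.Sum256(v)))
	s.Private[col+"/"+key] = v
	return nil
}

// LeakyAgreeToTransfer is the reported pattern: the write is hashed, but the argument carrying the same price is already in the block.
func LeakyAgreeToTransfer(stub *FakeStub, col, assetID, price string) error {
	return stub.PutPrivateData(col, assetID, []byte(price))
}
// AgreeToTransfer takes the price from the transient map instead (key "asset_price" is an assumption).
func AgreeToTransfer(stub *FakeStub, col, assetID string) error {
	t, err := stub.GetTransient()
	if err != nil {
		return err
	}
	price, ok := t["asset_price"]
	if !ok || len(price) == 0 {
		return fmt.Errorf("asset_price must be supplied in the transient map")
	}
	return stub.PutPrivateData(col, assetID, price)
}
// Leaks reports whether a secret appears verbatim anywhere in the public block record.
func Leaks(s *FakeStub, secret string) bool {
	return strings.Contains(strings.Join(s.Public, "\n"), secret)
}
```

Calling LeakyAgreeToTransfer on NewInvocation([]string{"AgreeToTransfer", "asset1", "9999 USD"}, nil) makes Leaks(s, "9999 USD") true, while the transient-map version leaves only the asset ID and a hash in Public. The same reasoning applies to the second comment: a function that returns private data must be evaluated rather than submitted, because a submitted transaction's response payload is also ordered into the block.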