fix: audit

This commit is contained in:
Pasha8914 2022-06-07 00:26:00 +10:00
parent 9f8aad114c
commit b91b81f5c9
21 changed files with 140 additions and 53 deletions

View File

@ -12,7 +12,7 @@
class="footer-address__value"
target="_blank"
:href="addressExplorerUrl(donationsAddress)"
rel="noreferrer"
rel="noopener noreferrer"
>{{ donationsAddress }}</a
>
</div>
@ -31,7 +31,7 @@
type="is-icon"
:href="duneLink"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="stats"
></b-button>
<b-button
@ -39,7 +39,7 @@
type="is-icon"
href="https://torn.community"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="discourse"
></b-button>
<b-button
@ -47,7 +47,7 @@
type="is-icon"
href="https://discord.com/invite/TFDrM8K42j"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="discord"
></b-button>
<b-button
@ -55,7 +55,7 @@
type="is-icon"
href="https://tornado-cash.medium.com"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="medium"
></b-button>
<b-button
@ -63,7 +63,7 @@
type="is-icon"
href="https://twitter.com/TornadoCash"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="twitter"
></b-button>
<b-button
@ -71,7 +71,7 @@
type="is-icon"
href="https://t.me/TornadoCashOfficial"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="telegram"
></b-button>
<b-button
@ -79,7 +79,7 @@
type="is-icon"
href="https://github.com/tornadocash"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
icon-right="github"
></b-button>
<div class="break"></div>

View File

@ -14,7 +14,12 @@
<b-skeleton v-if="!job.txHash && job.status !== 'FAILED'" />
<div v-else class="details">
<p class="detail">
<a class="detail-description" :href="txExplorerUrl(job.txHash)" target="_blank">
<a
class="detail-description"
:href="txExplorerUrl(job.txHash)"
target="_blank"
rel="noopener noreferrer"
>
{{ job.txHash }}
</a>
</p>

View File

@ -3,7 +3,9 @@
<template v-slot:content>
<template v-if="isLoggedIn">
<p>{{ $t('web3connected') }}</p>
<a :href="addressExplorerUrl(ethAccount)" target="_blank">{{ shortAddress(ethAccount) }}</a>
<a :href="addressExplorerUrl(ethAccount)" target="_blank" rel="noopener noreferrer">{{
shortAddress(ethAccount)
}}</a>
<p><NumberFormat :value="balance" /> {{ currency }}</p>
</template>
<template v-else>

View File

@ -18,7 +18,12 @@
<b-navbar-item tag="router-link" to="/compliance">
{{ $t('compliance') }}
</b-navbar-item>
<b-navbar-item href="http://docs.tornado.cash" target="_blank" rel="noreferrer" class="has-tag">
<b-navbar-item
href="https://docs.tornado.cash"
target="_blank"
rel="noopener noreferrer"
class="has-tag"
>
<b-icon icon="open-book" size="is-small" class="mr-1" />
<span>{{ $t('docs') }}</span>
</b-navbar-item>

View File

@ -18,10 +18,15 @@
</template>
<template v-slot:description>{{ notice.description }}</template>
</i18n>
<a v-if="notice.nova" href="https://nova.tornadocash.eth.link" target="_blank">
<a
v-if="notice.nova"
href="https://nova.tornadocash.eth.link"
target="_blank"
rel="noopener noreferrer"
>
Tornado Cash Nova
</a>
<a v-if="notice.txHash" :href="txExplorerUrl(notice.txHash)" target="_blank">
<a v-if="notice.txHash" :href="txExplorerUrl(notice.txHash)" target="_blank" rel="noopener noreferrer">
{{ $t('viewOnEtherscan') }}
</a>
<n-link v-else-if="notice.routerLink" v-bind="notice.routerLink.params" @onClick="$forceUpdate()">

View File

@ -22,7 +22,12 @@
<div class="column is-hash" :data-label="$t('txHash')">
<div class="details">
<p class="detail">
<a class="detail-description" :href="txExplorerUrl(tx.txHash)" target="_blank">
<a
class="detail-description"
:href="txExplorerUrl(tx.txHash)"
target="_blank"
rel="noopener noreferrer"
>
{{ tx.txHash }}
</a>
</p>

View File

@ -123,7 +123,7 @@
<div class="column is-full-small">
<strong>{{ $t('proposalAddress') }}</strong>
<div class="value">
<a :href="contractUrl" class="address" target="_blank">
<a :href="contractUrl" class="address" target="_blank" rel="noopener noreferrer">
{{ data.target }}
</a>
</div>

View File

@ -12,7 +12,9 @@
</b-field>
<div class="label-with-value">
{{ $t('currentDelegate') }}:
<a target="_blank" :href="addressExplorerUrl(currentDelegate)">{{ delegateMsg }}</a>
<a target="_blank" :href="addressExplorerUrl(currentDelegate)" rel="noopener noreferrer">{{
delegateMsg
}}</a>
</div>
<div>
<b-tooltip

View File

@ -5,7 +5,9 @@
</div>
<div class="label-with-value">
{{ $t('currentDelegate') }}:
<a target="_blank" :href="addressExplorerUrl(currentDelegate)">{{ delegateMsg }}</a>
<a target="_blank" :href="addressExplorerUrl(currentDelegate)" rel="noopener noreferrer">{{
delegateMsg
}}</a>
</div>
<b-tooltip
class="is-block"

View File

@ -14,6 +14,7 @@
v-show="!hasErrorNote && depositTxHash"
:href="txExplorerUrl(depositTxHash)"
target="_blank"
rel="noopener noreferrer"
class="button is-icon"
>
<b-tooltip
@ -377,9 +378,6 @@ export default {
this.$emit('get-key', this.getKeys)
},
mounted() {
if (this.$route.query.note) {
this.withdrawNote = this.$route.query.note
}
this.$root.$on('resetWithdraw', () => {
this.withdrawAddress = ''
this.withdrawNote = ''

View File

@ -452,5 +452,9 @@
"name": "Name",
"fee": "Fee"
},
"withdrawalQueueIsOverloaded": "Withdrawal queue is overloaded"
"withdrawalQueueIsOverloaded": "Withdrawal queue is overloaded",
"trustBanner": {
"trustLess": "You are using an public IPFS gateway. Tornado Cash dApp can not use all security features of your browser. Check out {link} for alternatives",
"link": "landing page"
}
}

View File

@ -69,6 +69,7 @@ export default {
},
mounted() {
this.$preventMultitabs()
window.addEventListener('focus', this.$preventMultitabs)
if (process.browser) {
window.onNuxtReady(() => {
@ -108,6 +109,9 @@ export default {
})
}
},
beforeDestroy() {
window.removeEventListener('focus', this.$preventMultitabs)
},
methods: {
...mapActions('settings', ['checkCurrentRpc', 'preselectRpc']),
checkRecoveryKey() {

View File

@ -39,6 +39,12 @@ const providerMiddleware = async ({ store }) => {
const chainId = hexToNumber(await provider.request({ method: 'eth_chainId' }))
await checkProvider({ store, accounts, chainId, providerName })
} else {
const storedNetId = window.localStorage.getItem('netId')
if (networkConfig[`netId${storedNetId}`]) {
await store.dispatch('metamask/onNetworkChanged', { netId: Number(storedNetId) })
}
}
} catch (err) {
console.error(`Provider container has error: ${err.message}`)

View File

@ -47,6 +47,27 @@ export default {
title: 'Tornado.cash',
meta: [
{ charset: 'utf-8' },
{
'http-equiv': 'Content-Security-Policy',
content: ''
},
// move to req middlevare
// {
// 'http-equiv': 'Permissions-Policy',
// content: 'geolocation=()'
// },
// {
// 'http-equiv': 'Strict-Transport-Security',
// content: 'max-age=31536000;'
// },
// {
// 'http-equiv': 'X-Content-Type-Options',
// content: 'nosniff'
// },
{
name: 'Referer-Policy',
content: 'no-referrer'
},
{
name: 'viewport',
content: 'width=device-width, initial-scale=1, maximum-scale=1, user-scalable=no'

View File

@ -69,6 +69,7 @@
v-if="txDepositInfo.txHash"
:href="txExplorerUrl(txDepositInfo.txHash)"
target="_blank"
rel="noopener noreferrer"
class="value"
:data-value="txDepositInfo.txHash"
>
@ -82,6 +83,7 @@
v-if="txDepositInfo.txHash"
:href="addressExplorerUrl(txDepositInfo.from)"
target="_blank"
rel="noopener noreferrer"
class="value"
>
{{ txDepositInfo.from }}
@ -155,6 +157,7 @@
v-if="txWithdrawalInfo.txHash"
:href="txExplorerUrl(txWithdrawalInfo.txHash)"
target="_blank"
rel="noopener noreferrer"
class="value"
:data-value="txWithdrawalInfo.txHash"
>
@ -168,6 +171,7 @@
v-if="txWithdrawalInfo.to"
:href="addressExplorerUrl(txWithdrawalInfo.to)"
target="_blank"
rel="noopener noreferrer"
class="value"
>
{{ txWithdrawalInfo.to }}

View File

@ -13,6 +13,22 @@
<i18n path="binanceInternalTxsNotification" />
</b-notification>
<b-notification
:active="isActiveNotification.third"
class="main-notification"
type="is-warning"
icon-pack="icon"
has-icon
:aria-close-label="$t('closeNotification')"
@close="disableNotification({ key: 'third' })"
>
<i18n path="trustBanner.trustLess">
<template v-slot:link>
<a href="https://tornado.cash/">{{ $t('trustBanner.link') }}</a>
</template>
</i18n>
</b-notification>
<b-notification
:active="isActiveNotification.first"
class="main-notification"
@ -27,7 +43,7 @@
<a
href="https://twitter.com/TornadoCash/status/1204745639759884289"
target="_blank"
rel="noreferrer"
rel="noopener noreferrer"
>{{ $t('indexNotificationLinkText') }}</a
>
</template>
@ -82,21 +98,20 @@ export default {
},
created() {
this.$store.dispatch('application/setNativeCurrency', { netId: this.netId })
},
mounted() {
if (this.$route.query.note) {
this.activeTab = 1
}
this.checkIsTrustedUrl()
},
methods: {
...mapActions('settings', ['disableNotification']),
checkIsTrustedUrl() {
const isIpfs = this.$isLoadedFromIPFS()
if (!isIpfs) {
this.disableNotification({ key: 'third' })
}
},
onGetKey(fn) {
this.getKeys = fn
},
async tabChanged(tabIndex) {
if (!this.$route.query.note) {
this.$root.$emit('resetWithdraw')
}
if (tabIndex === 1) {
this.$store.dispatch('relayer/pickRandomRelayer', { type: 'tornado' })

View File

@ -3,20 +3,17 @@ export default ({ store, isHMR, app }, inject) => {
inject('isLoadedFromIPFS', main)
}
function main() {
const domainWhiteList = [
'tornado.cash',
'localhost:3000',
'stage.tornado.cash',
'tornadocash.eth',
const whiteListedDomains = [
// 'localhost:3000',
'tornadocash.eth.link',
'tornadocash.eth.limo',
'app.tornado.cash',
'donotshare.tornado.cash'
'tornadocash.eth.limo'
]
if (window.location.host.includes('tornadocash.netlify.app')) {
const NETLIFY_REGEXP = /https:\/\/deploy-preview-(\d+)--tornadocash\.netlify\.app/
if (NETLIFY_REGEXP.test(window.location.host)) {
return false
} else if (!domainWhiteList.includes(window.location.host)) {
} else if (!whiteListedDomains.includes(window.location.host)) {
console.warn('The page has been loaded from ipfs.io. LocalStorage is disabled')
return true
}

View File

@ -21,16 +21,23 @@ export default ({ store, isHMR }) => {
return
}
const paths = ['metamask.netId', 'application.selectedStatistic', 'application.selectedInstance']
if (!store.$isLoadedFromIPFS()) {
paths.push('txHashKeeper', 'settings', 'account', 'relayer.jobs', 'encryptedNote.ui')
const paths = [
'metamask.netId',
'application.selectedStatistic',
'application.selectedInstance',
'txHashKeeper',
'settings',
'account',
'relayer.jobs',
'encryptedNote.ui'
]
migrate()
createPersistedState({
key: STORE_NAME,
paths
})(store)
}
migrate()
createPersistedState({
key: STORE_NAME,
paths
})(store)
}

View File

@ -82,6 +82,8 @@ const mutations = {
},
SET_NET_ID(state, netId) {
netId = parseInt(netId, 10)
window.localStorage.setItem('netId', netId)
state.netId = netId
},
SET_RECONNECTING(state, bool) {

View File

@ -337,13 +337,15 @@ export const actions = {
async getCustomRelayerData({ rootState, state, getters, rootGetters, dispatch }, { url, name }) {
const provider = getters.ethProvider.eth
if (!url.startsWith('https:') && !url.startsWith('http:')) {
if (url.includes('.onion')) {
const PROTOCOL_REGEXP = /^(http(s?))/
if (!PROTOCOL_REGEXP.test(url)) {
if (url.endsWith('.onion')) {
url = `http://${url}`
} else {
url = `https://${url}`
}
}
const urlParser = new URL(url)
urlParser.href = url
let ensName = name

View File

@ -20,7 +20,8 @@ export const state = () => {
...rpcData,
isActiveNotification: {
first: true,
second: true
second: true,
third: true
}
}
}