From 340fb8c9938302cb7ff0ed02e54bb96df0ce55e3 Mon Sep 17 00:00:00 2001
From: Kevin Gorham
Date: Wed, 10 Jun 2020 08:50:52 -0400
Subject: [PATCH] Address security finding #127 by validating address.

This just needs to be tested on detail views with a lot of transactions to be sure that rapid scrolling doesn't cause too much backpressure.
---
 .../java/cash/z/ecc/android/ui/MainActivity.kt | 7 +++++++
 .../android/ui/detail/TransactionViewHolder.kt | 18 ++++++++++++------
 2 files changed, 19 insertions(+), 6 deletions(-)

diff --git a/app/src/main/java/cash/z/ecc/android/ui/MainActivity.kt b/app/src/main/java/cash/z/ecc/android/ui/MainActivity.kt
index 617a007..55f049b 100644
--- a/app/src/main/java/cash/z/ecc/android/ui/MainActivity.kt
+++ b/app/src/main/java/cash/z/ecc/android/ui/MainActivity.kt
@@ -224,6 +224,13 @@ class MainActivity : AppCompatActivity() {
 }
 }

+ suspend fun isValidAddress(address: String): Boolean {
+ try {
+ return !synchronizerComponent.synchronizer().validateAddress(address).isNotValid
+ } catch (t: Throwable) { }
+ return false
+ }
+
 fun copyText(textToCopy: String, label: String = "zECC Wallet Text") {
 clipboard.setPrimaryClip(
 ClipData.newPlainText(label, textToCopy)
diff --git a/app/src/main/java/cash/z/ecc/android/ui/detail/TransactionViewHolder.kt b/app/src/main/java/cash/z/ecc/android/ui/detail/TransactionViewHolder.kt
index 9494555..2389a0c 100644
--- a/app/src/main/java/cash/z/ecc/android/ui/detail/TransactionViewHolder.kt
+++ b/app/src/main/java/cash/z/ecc/android/ui/detail/TransactionViewHolder.kt
@@ -3,6 +3,7 @@ package cash.z.ecc.android.ui.detail
 import android.view.View
 import android.widget.TextView
 import android.widget.Toast
+import androidx.lifecycle.lifecycleScope
 import androidx.recyclerview.widget.RecyclerView
 import cash.z.ecc.android.R
 import cash.z.ecc.android.ext.goneIf
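Review bot: In `isValidAddress` (MainActivity.kt) the empty `catch (t: Throwable) { }` also swallows `CancellationException`, so a cancelled caller is handed "invalid" instead of being cancelled, and a real validator failure leaves no trace. Falling back to `false` is the right fail-closed default, but cancellation should be rethrown first and the error logged, e.g. `} catch (e: CancellationException) { throw e } catch (t: Throwable) { /* log t with the project's logger */ }`. The double negative `!…isNotValid` is easy to misread; a one-line KDoc stating that any error is treated as "not valid" would make the contract explicit.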
@@ -14,6 +15,7 @@ import cash.z.ecc.android.ui.util.toUtf8Memo
 import cash.z.ecc.android.sdk.db.entity.ConfirmedTransaction
 import cash.z.ecc.android.sdk.ext.*
 import com.google.android.material.dialog.MaterialAlertDialogBuilder
+import kotlinx.coroutines.launch
 import java.nio.charset.Charset
 import java.text.SimpleDateFormat
 import java.util.*
@@ -27,8 +29,7 @@ class TransactionViewHolder(itemView: View) : Recycler
 private val formatter = SimpleDateFormat("M/d h:mma", Locale.getDefault())
 private val addressRegex = """zs\d\w{65,}""".toRegex()

- fun bindTo(transaction: T?) {
-
+ fun bindTo(transaction: T?) = (itemView.context as MainActivity).lifecycleScope.launch {
 // update view
 var lineOne: String = ""
 var lineTwo: String = ""
@@ -97,19 +98,19 @@ class TransactionViewHolder(itemView: View) : Recycler
 shieldIcon.goneIf((transaction?.raw != null || transaction?.expiryHeight != null) && !transaction?.toAddress.isShielded())
 }

- private fun getSender(transaction: ConfirmedTransaction): String {
+ private suspend fun getSender(transaction: ConfirmedTransaction): String {
 val memo = transaction.memo.toUtf8Memo()
 return when {
 memo.contains(INCLUDE_MEMO_PREFIX) -> {
- val address = memo.split(INCLUDE_MEMO_PREFIX)[1].trim()
+ val address = memo.split(INCLUDE_MEMO_PREFIX)[1].trim().validateAddress() ?: "Unknown"
 "${address.toAbbreviatedAddress()} paid you"
 }
 memo.contains("eply to:") -> {
- val address = memo.split("eply to:")[1].trim()
+ val address = memo.split("eply to:")[1].trim().validateAddress() ?: "Unknown"
 "${address.toAbbreviatedAddress()} paid you"
 }
 memo.contains("zs") -> {
- val who = extractAddress(memo)?.toAbbreviatedAddress() ?: "Unknown"
+ val who = extractAddress(memo).validateAddress()?.toAbbreviatedAddress() ?: "Unknown"
 "$who paid you"
 }
 else -> "Unknown paid you"
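Review bot: `bindTo` in TransactionViewHolder.kt now starts a new coroutine on the activity's `lifecycleScope` for every bind and never cancels the previous one. If a holder is recycled while an earlier bind is still suspended (presumably in the address validation reached through `getSender`), the older coroutine can finish last and write another transaction's sender text into the row. Keep the job in a field such as `private var bindJob: Job? = null`, and start each bind with `bindJob?.cancel()` followed by `bindJob = (itemView.context as MainActivity).lifecycleScope.launch {`. The expression body also silently changes the return type from `Unit` to `Job`. The body of `bindTo` continues outside this hunk.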
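Review bot: In `getSender` the first two branches apply the `?: "Unknown"` fallback before abbreviating, so when validation fails the literal "Unknown" is passed through `toAbbreviatedAddress()`, whereas the `"zs"` branch abbreviates first and only then falls back. Bring them in line with the third branch: `val who = memo.split(INCLUDE_MEMO_PREFIX)[1].trim().validateAddress()?.toAbbreviatedAddress() ?: "Unknown"`, and the same for `"eply to:"`. Validation only shows that the string is a well-formed address; the memo text is supplied by the sender, so a short comment that the displayed address is self-reported would help future readers. The end of the `when` and of the function lies outside this hunk.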
@@ -145,6 +146,11 @@ class TransactionViewHolder(itemView: View) : Recycler
 (itemView.context as MainActivity).copyText(it, "Transaction Address")
 }
 }
+
+ private suspend fun String?.validateAddress(): String? {
+ if (this == null) return null
+ return if ((itemView.context as MainActivity).isValidAddress(this)) this else null
+ }
 }

 private fun ByteArray.toTxId(): String {
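Review bot: `String?.validateAddress()` hard-casts `itemView.context as MainActivity`, so if the view's context is ever a wrapper rather than the activity, the cast throws inside the coroutine launched by `bindTo` instead of degrading to "Unknown". A safe cast keeps the failure closed: `val activity = itemView.context as? MainActivity ?: return null`, then `return if (activity.isValidAddress(this)) this else null`. The name also mirrors the synchronizer's `validateAddress` used in MainActivity.kt while returning the string or null rather than a validation result; a name like `takeIfValidAddress` plus a one-line KDoc ("returns the receiver only if the synchronizer accepts it as an address, else null") would make call sites clearer.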