Merge pull request #7066 from BitGo/DX-1549-bigint-buffer-advisory

DX-1549-Resolved-BigInt-Buffer-Vulnerability

Author: tanjeemh

.iyarc

@@ -1 +0,0 @@
-GHSA-3gc7-fjrx-p6mg

modules/sdk-coin-sol/src/bigint-buffer-guard.ts

@@ -0,0 +1,31 @@
+// Added a lightweight runtime guard for BigInt<->Buffer conversions in @bitgo/sdk-coin-sol (bigint-buffer-guard.ts) to validate input lengths and reduce misuse risk.
+// It's purpose is to enforce input type/length checks around BigInt buffer operations; imported it so validations run at module load
+
+try {
+  const mod = require('bigint-buffer');
+  const le = typeof mod.toBigIntLE === 'function' ? mod.toBigIntLE : undefined;
+  const be = typeof mod.toBigIntBE === 'function' ? mod.toBigIntBE : undefined;
+
+  const isBufferLike = (b: unknown) => (typeof Buffer !== 'undefined' && Buffer.isBuffer(b)) || b instanceof Uint8Array;
+
+  const byteLen = (b: any) =>
+    typeof Buffer !== 'undefined' && Buffer.isBuffer(b) ? b.length : (b as Uint8Array).byteLength;
+
+  const assertBuf = (b: unknown) => {
+    if (!isBufferLike(b)) throw new TypeError('toBigInt*: input must be Buffer/Uint8Array');
+    if (byteLen(b as any) > 1_000_000) throw new RangeError('toBigInt*: buffer too large');
+  };
+
+  if (le)
+    mod.toBigIntLE = (buf: Buffer | Uint8Array) => {
+      assertBuf(buf);
+      return le(buf);
+    };
+  if (be)
+    mod.toBigIntBE = (buf: Buffer | Uint8Array) => {
+      assertBuf(buf);
+      return be(buf);
+    };
+} catch {
+  /* noop */
+}

modules/sdk-coin-sol/src/index.ts

@@ -1,3 +1,4 @@
+import './bigint-buffer-guard';
 export * from './lib';
 export * from './sol';
 export * from './solToken';

package.json

@@ -99,6 +99,7 @@
     "**/swarm-js/**/ws": "5.2.4",
     "serialize-javascript": "^6.0.2",
     "@grpc/grpc-js": "^1.12.6",
+    "bigint-buffer": "npm:@trufflesuite/[email protected]",
     "request": "npm:@cypress/[email protected]",
     "**/avalanche/store2": "2.14.4",
     "webpack-dev-server": "5.2.1"
@@ -141,7 +142,8 @@
   "dependencies": {
     "axios": "^1.12.0",
     "terser": "^5.14.2",
-    "tmp": "^0.2.3"
+    "tmp": "^0.2.3",
+    "bigint-buffer": "npm:@trufflesuite/[email protected]"
   },
   "packageManager": "[email protected]"
 }

yarn.lock

@@ -7723,12 +7723,12 @@ [email protected], bigi@^1.1.0, bigi@^1.4.2:
   resolved "https://registry.npmjs.org/bigi/-/bigi-1.4.2.tgz"
   integrity sha512-ddkU+dFIuEIW8lE7ZwdIAf2UPoM90eaprg5m3YXAVVTmKlqV/9BX4A2M8BOK2yOq6/VgZFVhK6QAxJebhlbhzw==
 
-bigint-buffer@^1.1.5:
-  version "1.1.5"
-  resolved "https://registry.npmjs.org/bigint-buffer/-/bigint-buffer-1.1.5.tgz"
-  integrity sha512-trfYco6AoZ+rKhKnxA0hgX0HAbVP/s808/EuDSe2JDzUnCp/xAsli35Orvk67UrTEcwuxZqYZDmfA2RXJgxVvA==
+bigint-buffer@^1.1.5, "bigint-buffer@npm:@trufflesuite/[email protected]":
+  version "1.1.10"
+  resolved "https://registry.npmjs.org/@trufflesuite/bigint-buffer/-/bigint-buffer-1.1.10.tgz#a1d9ca22d3cad1a138b78baaf15543637a3e1692"
+  integrity sha512-pYIQC5EcMmID74t26GCC67946mgTJFiLXOT/BYozgrd4UEY2JHEGLhWi9cMiQCt5BSqFEvKkCHNnoj82SRjiEw==
   dependencies:
-    bindings "^1.3.0"
+    node-gyp-build "4.4.0"
 
 [email protected]:
   version "3.1.4"
@@ -7784,13 +7784,6 @@ binaryextensions@^4.16.0:
   resolved "https://registry.npmjs.org/binaryextensions/-/binaryextensions-4.19.0.tgz"
   integrity sha512-DRxnVbOi/1OgA5pA9EDiRT8gvVYeqfuN7TmPfLyt6cyho3KbHCi3EtDQf39TTmGDrR5dZ9CspdXhPkL/j/WGbg==
 
-bindings@^1.3.0:
-  version "1.5.0"
-  resolved "https://registry.npmjs.org/bindings/-/bindings-1.5.0.tgz"
-  integrity sha512-p2q/t/mhvuOj/UeLlV6566GD/guowlr0hHxClI0W9m7MWYkL1F0hLo+0Aexs9HSPCtR1SXQ0TD3MMKrXZajbiQ==
-  dependencies:
-    file-uri-to-path "1.0.0"
-
 bip174@=2.1.1, bip174@^2.1.1:
   version "2.1.1"
   resolved "https://registry.npmjs.org/bip174/-/bip174-2.1.1.tgz"
@@ -11694,11 +11687,6 @@ file-loader@^6.2.0:
     loader-utils "^2.0.0"
     schema-utils "^3.0.0"
 
-[email protected]:
-  version "1.0.0"
-  resolved "https://registry.npmjs.org/file-uri-to-path/-/file-uri-to-path-1.0.0.tgz"
-  integrity sha512-0Zt+s3L7Vf1biwWZ29aARiVYLx7iMGnEUl9x33fbB/j3jR81u/O2LbqK+Bm1CDSNDKVtJ/YjwY7TUd5SkeLQLw==
-
 filelist@^1.0.4:
   version "1.0.4"
   resolved "https://registry.npmjs.org/filelist/-/filelist-1.0.4.tgz"
@@ -15742,6 +15730,11 @@ [email protected]:
   dependencies:
     detect-libc "^2.0.1"
 
+[email protected]:
+  version "4.4.0"
+  resolved "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.4.0.tgz#42e99687ce87ddeaf3a10b99dc06abc11021f3f4"
+  integrity sha512-amJnQCcgtRVw9SvoebO3BKGESClrfXGCUTX9hSn1OuGQTQBOZmVd0Z0OlecpuRksKvbsUqALE8jls/ErClAPuQ==
+
 node-gyp-build@^4.2.0, node-gyp-build@^4.3.0:
   version "4.8.4"
   resolved "https://registry.npmjs.org/node-gyp-build/-/node-gyp-build-4.8.4.tgz"