diff --git a/.github/workflows/codeql_checks.yml b/.github/workflows/codeql_checks.yml index c243752be..1c89d5075 100644 --- a/.github/workflows/codeql_checks.yml +++ b/.github/workflows/codeql_checks.yml @@ -15,33 +15,6 @@ on: jobs: analyse: - name: Analyse - strategy: - fail-fast: false - matrix: - sdk: ["$NANOX_SDK", "$NANOSP_SDK", "$STAX_SDK", "$FLEX_SDK"] - # 'cpp' covers C and C++ - language: ['cpp'] - runs-on: ubuntu-latest - container: - image: ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest - - steps: - - name: Clone - uses: actions/checkout@v4 - with: - submodules: true - - - name: Initialize CodeQL - uses: github/codeql-action/init@v3 - with: - languages: ${{ matrix.language }} - queries: security-and-quality - - # CodeQL will create the database during the compilation - - name: Build - run: | - make BOLOS_SDK=${{ matrix.sdk }} - - - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v3 + name: Call Ledger CodeQL analysis + uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_codeql_checks.yml@v1 + secrets: inherit diff --git a/.github/workflows/python-client.yml b/.github/workflows/python-client.yml index af2b57311..dd528fe07 100644 --- a/.github/workflows/python-client.yml +++ b/.github/workflows/python-client.yml 
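Review bot: `secrets: inherit` on the rewritten `analyse` job forwards every repository and organisation secret to the called workflow, although a CodeQL run normally needs nothing beyond the automatic `GITHUB_TOKEN`; the `package_and_deploy` job in python-client.yml, a few hunks below, shows the narrower pattern by passing only `pypi_token` explicitly. Unless `reusable_codeql_checks.yml` is known to require a secret, drop the `secrets:` block or name the single secret it needs under `secrets:`. The call is also pinned to the moving tag `@v1` rather than a commit SHA; the repository already accepts that for its other reusable-workflow calls, so this is a policy point rather than a regression. Whether the reusable workflow keeps the removed `queries: security-and-quality` and the four-SDK matrix cannot be checked from this diff, so a one-line comment above `uses:` recording that query set and SDK coverage now come from ledger-app-workflows would help the next reader.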
@@ -19,28 +19,18 @@ on: jobs: lint: - name: Linting - runs-on: ubuntu-latest - steps: - - name: Clone - uses: actions/checkout@v4 - - run: pip install flake8 flake8-pyproject - - name: Flake8 lint Python code - run: (cd client && flake8 src/) - - mypy: - name: Type checking - runs-on: ubuntu-latest - steps: - - name: Clone - uses: actions/checkout@v4 - - run: pip install mypy - - name: Mypy type checking - run: (cd client && mypy src/) + name: Call Ledger Python linters + uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_python_checks.yml@v1 + with: + run_linter: flake8 + run_type_check: true + src_directory: src + setup_directory: client + req_directory: client package_and_deploy: name: Build and deploy the Ethereum client Python package - needs: [lint, mypy] + needs: [lint] uses: LedgerHQ/ledger-app-workflows/.github/workflows/reusable_pypi_deployment.yml@v1 with: package_name: ledger_app_clients.ethereum @@ -49,4 +39,4 @@ jobs: jfrog_deployment: false release: false secrets: - pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }} + pypi_token: ${{ secrets.PYPI_PUBLIC_API_TOKEN }} diff --git a/glyphs/chain_4689_48px.gif b/glyphs/chain_4689_48px.gif index 3dce2761f..8c93aad57 100644 Binary files a/glyphs/chain_4689_48px.gif and b/glyphs/chain_4689_48px.gif differ diff --git a/glyphs/chain_4689_64px.gif b/glyphs/chain_4689_64px.gif index 4757ffb26..c1fc2934c 100644 Binary files a/glyphs/chain_4689_64px.gif and b/glyphs/chain_4689_64px.gif differ diff --git a/icons/apex_app_chain_4689.gif b/icons/apex_app_chain_4689.gif index 3ab9ecc7c..0faa02cf3 100644 Binary files a/icons/apex_app_chain_4689.gif and b/icons/apex_app_chain_4689.gif differ diff --git a/icons/flex_app_chain_4689.gif b/icons/flex_app_chain_4689.gif index bf38c34c7..ba6515836 100644 Binary files a/icons/flex_app_chain_4689.gif and b/icons/flex_app_chain_4689.gif differ 
diff --git a/icons/nanox_app_chain_4689.gif b/icons/nanox_app_chain_4689.gif index 935290a88..7acaedf35 100644 Binary files a/icons/nanox_app_chain_4689.gif and b/icons/nanox_app_chain_4689.gif differ diff --git a/icons/stax_app_chain_4689.gif b/icons/stax_app_chain_4689.gif index 80bc8916f..03374a076 100644 Binary files a/icons/stax_app_chain_4689.gif and b/icons/stax_app_chain_4689.gif differ diff --git a/src_features/provide_safe_account/cmd_safe_account.c b/src_features/provide_safe_account/cmd_safe_account.c index b62e89a28..14fee3d4f 100644 --- a/src_features/provide_safe_account/cmd_safe_account.c +++ b/src_features/provide_safe_account/cmd_safe_account.c @@ -52,6 +52,10 @@ uint16_t handle_safe_account(uint8_t p1, sw = APDU_RESPONSE_OK; // No error for P1_SAFE_DESCRIPTOR if SAFE_DESC is NULL } break; + default: + PRINTF("Error: Invalid P2 (%u)\n", p2); + sw = APDU_RESPONSE_INVALID_P1_P2; + break; } if (sw != APDU_RESPONSE_OK) { diff --git a/src_features/provide_safe_account/signer_descriptor.c b/src_features/provide_safe_account/signer_descriptor.c index e0ad82b22..7b5466b39 100644 --- a/src_features/provide_safe_account/signer_descriptor.c +++ b/src_features/provide_safe_account/signer_descriptor.c @@ -37,7 +37,7 @@ enum { typedef struct { signers_descriptor_t *signers; - uint8_t addess_count; + uint8_t address_count; uint8_t sig_size; uint8_t *sig; cx_sha256_t hash_ctx; 
@@ -142,11 +142,11 @@ static bool handle_challenge(const s_tlv_data *data, s_signer_ctx *context) { static bool handle_address(const s_tlv_data *data, s_signer_ctx *context) { CHECK_FIELD_LENGTH("ADDRESS", data->length, ADDRESS_LENGTH); CHECK_EMPTY_BUFFER("ADDRESS", data->value, data->length); - if (context->addess_count >= SAFE_DESC->signers_count) { + if (context->address_count >= SAFE_DESC->signers_count) { PRINTF("Error: Too many addresses in Signer descriptor!\n"); return false; } - COPY_FIELD(context->signers->data[context->addess_count++].address, data); + COPY_FIELD(context->signers->data[context->address_count++].address, data); context->rcv_flags |= SET_BIT(BIT_ADDRESS); return true; } @@ -225,7 +225,7 @@ static void print_signer_info(const s_signer_ctx *context) { PRINTF("****************************************************************************\n"); PRINTF("[SAFE ACCOUNT] - Retrieved Signer Descriptor:\n"); - for (i = 0; i < context->addess_count; i++) { + for (i = 0; i < context->address_count; i++) { PRINTF("[SAFE ACCOUNT] - Address[%d]: %.*h\n", i, ADDRESS_LENGTH, @@ -250,7 +250,7 @@ static bool verify_signer_struct(const s_signer_ctx *context) { PRINTF("Error: Signature verification failed for Signer descriptor!\n"); return false; } - if (context->addess_count < SAFE_DESC->signers_count) { + if (context->address_count < SAFE_DESC->signers_count) { PRINTF("Error: Too few addresses in Signer descriptor!\n"); return false; } @@ -347,7 +347,6 @@ bool handle_signer_tlv_payload(const uint8_t *payload, uint16_t size) { void clear_signer_descriptor(void) { if (SIGNER_DESC.data != NULL) { app_mem_free(SIGNER_DESC.data); - SIGNER_DESC.data = NULL; } explicit_bzero(&SIGNER_DESC, sizeof(SIGNER_DESC)); } diff --git a/src_features/signMessageEIP712/ui_logic.c b/src_features/signMessageEIP712/ui_logic.c index eb30e8638..888840379 100644 --- a/src_features/signMessageEIP712/ui_logic.c +++ b/src_features/signMessageEIP712/ui_logic.c 
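Review bot: In `clear_signer_descriptor`, dropping `SIGNER_DESC.data = NULL;` after `app_mem_free` is correct only because the unconditional `explicit_bzero(&SIGNER_DESC, sizeof(SIGNER_DESC))` on the next line zeroes `.data` along with the rest of the struct; that dependency is now implicit, and a later change that moves or makes the bzero conditional would leave a dangling pointer that the `SIGNER_DESC.data != NULL` check would then treat as live. A comment on the free, `// .data is reset by the explicit_bzero below, no separate NULL store needed`, records the invariant. The remaining hunks in this file are the `addess_count` to `address_count` rename and need nothing further.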
@@ -1227,8 +1227,8 @@ void ui_712_set_trusted_name_requirements(uint8_t type_count, * */ void ui_712_push_pairs(void) { - uint16_t nbPairs = 0; - uint16_t pair = 0; + uint8_t nbPairs = 0; + uint8_t pair = 0; s_ui_712_pair *tmp = NULL; // Initialize the pairs list diff --git a/src_features/signMessageEIP712_common/common_712.c b/src_features/signMessageEIP712_common/common_712.c index a6199d587..4296c8c1c 100644 --- a/src_features/signMessageEIP712_common/common_712.c +++ b/src_features/signMessageEIP712_common/common_712.c @@ -67,6 +67,9 @@ static char *format_hash(const uint8_t *hash, char *buffer, size_t buffer_size, } void eip712_format_hash(uint8_t index) { + if ((g_pairs == NULL) || (g_pairsList == NULL) || (index >= g_pairsList->nbPairs)) { + return; + } g_pairs[index].item = "Domain hash"; g_pairs[index].value = format_hash(tmpCtx.messageSigningContext712.domainHash, strings.tmp.tmp, diff --git a/src_nbgl/ui_sign_712.c b/src_nbgl/ui_sign_712.c index 49448c118..d91e354e4 100644 --- a/src_nbgl/ui_sign_712.c +++ b/src_nbgl/ui_sign_712.c @@ -28,7 +28,9 @@ static void ui_712_start_review(nbgl_operationType_t operationType, // Initialize the finish title string finish_len += strlen(tx_check_str); finish_len += strlen(title_suffix); - ui_buffers_init(0, 0, finish_len); + if (!ui_buffers_init(0, 0, finish_len)) { + return; + } snprintf(g_finishMsg, finish_len, "%s%s", tx_check_str, title_suffix); #ifdef HAVE_TRANSACTION_CHECKS set_tx_simulation_warning();
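Review bot: Narrowing `nbPairs` and `pair` in `ui_712_push_pairs` from `uint16_t` to `uint8_t` is only safe if every count they are compared against is itself bounded by 255; the loop body lies outside the hunk, so that cannot be confirmed here, though it presumably mirrors the `uint8_t`-wide `g_pairsList->nbPairs` used in common_712.c. A comment on the declarations, `// uint8_t: same width as the pairs-list count, so the counters cannot overflow`, would make the invariant explicit for the next maintainer.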
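Review bot: The new guard at the top of `eip712_format_hash` returns silently, so when `g_pairs` or `g_pairsList` is NULL, or `index` is out of range, the pair at `index` is left unwritten and the `void` caller cannot notice; the other error paths touched by this commit (signer_descriptor.c, cmd_safe_account.c) at least log with `PRINTF("Error: ...")`. Suggest `PRINTF("Error: invalid pairs index %u\n", index);` before the `return;` so a skipped "Domain hash" entry is visible wherever PRINTF output is available. The body of `eip712_format_hash` continues past the end of the hunk.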
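Review bot: When `ui_buffers_init` fails, `ui_712_start_review` now returns before `snprintf` and before the review is started, but nothing records the failure and the `static void` signature gives the caller no way to report it, so the host presumably waits on a review that never opens. At minimum add `PRINTF("Error: ui_buffers_init failed\n");` before the `return;`; better, return a status the caller can turn into an error status word, though whether that is feasible depends on the callers, which are outside the hunk. The `finish_len` computation also begins above the hunk, so whether it reserves room for the terminating NUL that `snprintf` writes cannot be checked from here.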