fix: vulnerability in elliptic library (#268)

* fix(security): update patch version of elliptic, which adds a single validation check * fix: test against a valid, but wrong signature, not an invalid signature * fix: update bn.js to latest 4.x for browser compatibility
dashpay · Aug 22, 2022 · 1fa89c5 · 1fa89c5
1 parent 78971af
commit 1fa89c5
Show file tree

Hide file tree

Showing 3 changed files with 77 additions and 56 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -124,9 +124,9 @@
     "@types/node": "^12.12.47",
     "bloom-filter": "^0.2.0",
     "bls-signatures": "^0.2.5",
-    "bn.js": "=4.11.8",
+    "bn.js": "^4.12.0",
     "bs58": "=4.0.1",
-    "elliptic": "6.5.3",
+    "elliptic": "^6.5.4",
     "eslint-config-prettier": "^8.3.0",
     "inherits": "=2.0.1",
     "lodash": "^4.17.20",

diff --git a/test/crypto/ecdsa.js b/test/crypto/ecdsa.js
@@ -323,10 +323,13 @@ describe('ECDSA', function () {
         ecdsa.signRandomK();
         ecdsa.verify().verified.should.equal(true);
       });
-      it('should verify a valid signature, and unverify an invalid signature', function () {
+      it('should verify a valid signature', function () {
         var sig = ECDSA.sign(ecdsa.hashbuf, ecdsa.privkey);
         ECDSA.verify(ecdsa.hashbuf, sig, ecdsa.pubkey).should.equal(true);
-        var fakesig = new Signature(sig.r.add(new BN(1)), sig.s);
+      });
+      it('should not verify an invalid signature', function () {
+        var fakehashbuf = Hash.sha256(Buffer.from('some other data'));
+        var fakesig = ECDSA.sign(fakehashbuf, ecdsa.privkey);
         ECDSA.verify(ecdsa.hashbuf, fakesig, ecdsa.pubkey).should.equal(false);
       });
       it('should work with big and little endian', function () {