Merge branch 'fix_search' into 'master'

Remove CS+ attacks from list result. Closes #978 et #959 See merge request !646

Merge branch 'fix_search' into 'master'
8405bcc0 · Benoit Lavenier · def29a0e · 2c4ed271 · 8405bcc0 · 8405bcc0
Commit 8405bcc0 authored Jun 22, 2022 by Benoit Lavenier
--- a/www/js/controllers/wot-controllers.js
+++ b/www/js/controllers/wot-controllers.js
@@ -162,7 +162,7 @@ angular.module('cesium.wot.controllers', ['cesium.services'])
 ;

 function WotLookupController($scope, $state, $q, $timeout, $focus, $location, $ionicPopover, $ionicHistory,
-                             UIUtils, csConfig, csCurrency, csSettings, Device, BMA, csWallet, csWot) {
+                             UIUtils, csConfig, csCurrency, csSettings, Device, BMA, csWallet, csWot, csCrypto) {
  'ngInject';

  var defaultSearchLimit = 10;
@@ -293,10 +293,28 @@ function WotLookupController($scope, $state, $q, $timeout, $focus, $location, $i

    $scope.search.loading = true;
    $scope.search.type = 'text';
+
+    // If checksum is correct, search on simple pubkey
+    let pubkeyWithCk;
+    if (BMA.regexp.PUBKEY_WITH_CHECKSUM.test(text)) {
+      console.debug("[wot] Validating pubkey checksum... ");
+      let matches = BMA.regexp.PUBKEY_WITH_CHECKSUM.exec(text);
+      console.log(matches)
+      pubkey = matches[1];
+      let checksum = matches[2];
+      let expectedChecksum = csCrypto.util.pkChecksum(pubkey);
+      if (checksum === expectedChecksum) {
+        console.debug("[wot] checksum {" + checksum + "} valid for pubkey {" + pubkey + "}")
+        text = pubkey
+        pubkeyWithCk = pubkey + ':' + checksum
+      }
+    }
+
    return csWot.search(text)
      .then(function(idties){
        if ($scope.search.type !== 'text') return; // could have change
-        if ($scope.search.text.trim() !== text) return; // search text has changed before received response
+        originText = $scope.search.text.trim();
+        if (originText !== text && originText !== pubkeyWithCk) return; // search text has changed before received response

        if ((!idties || !idties.length) && (BMA.regexp.PUBKEY.test(text) || BMA.regexp.PUBKEY_WITH_CHECKSUM.test(text))) {
          return BMA.uri.parse(text)

--- a/www/js/services/wot-services.js
+++ b/www/js/services/wot-services.js
@@ -856,6 +856,15 @@ angular.module('cesium.wot.services', ['ngApi', 'cesium.bma.services', 'cesium.c
          return api.data.raisePromise.search(text, idties, 'pubkey')
            .then(function() {

+              // remove CS+ ids that match pubkey regex (considered attacks) - fix #959
+              idties = idties.filter(function(idty) {
+                if (BMA.regexp.PUBKEY.test(text) || BMA.regexp.PUBKEY_WITH_CHECKSUM.test(text)) {
+                  text_pk = text.split(':')[0]
+                  return idty.pubkey == text_pk
+                }
+                return true;
+              })
+
              // Make sure to add uid to new results - fix #488
              if (idties.length > lookupResultCount) {
                var idtiesWithoutUid = _.filter(idties, function(idty) {