Commit 704c359
committed
fix: harden bunker, key storage, permissions, and sync (audit pass)
Findings from a focused security/correctness audit of the touched subsystems:
- Bunker exposure (critical): gate bunkerServer.start/stop behind
isExtensionSender. They were callable from any web page via
window.nostr.nip46.startBunker(), which returned a secret-bearing
bunker:// string granting unlimited remote signing of the user's key.
- Bunker connect: fail closed when the server has no secret, instead of
authenticating any client.
- savePrivateKey (critical): when encryption is enabled but the session is
locked (no session key), throw instead of silently persisting the key as
plaintext into a vault the user believes is encrypted.
- Stale session-key cache (critical): getPlaintextPrivKey now verifies the
index-cached key derives to the profile's pubkey before use. Deleting a
profile shifts indices without updating the index-keyed cache, so a sign
could otherwise use a different identity's key.
- setPermission: use index == null (not !index) so per-site grants for
profile 0 target profile 0, not whatever profile is active.
- content.js permission sheet: always reply (catch errors) so a failed sheet
can't hang the background ask() until its 10s timeout silently denies.
- Sync version compare: numeric semver compare so 1.10.0 isn't treated as
older than 1.9.0 by string comparison.
Tests: add compareSemver coverage (+3).
1 parent 7d18b29 commit 704c359
19 files changed
Lines changed: 172 additions & 38 deletions
File tree
- distros/safari
- api-keys
- event_history
- nostr-keys
- permission
- profiles
- vault
- src
- utilities
- test
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
374 | 374 | | |
375 | 375 | | |
376 | 376 | | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
| 380 | + | |
| 381 | + | |
377 | 382 | | |
378 | 383 | | |
379 | 384 | | |
| |||
1601 | 1606 | | |
1602 | 1607 | | |
1603 | 1608 | | |
1604 | | - | |
| 1609 | + | |
1605 | 1610 | | |
1606 | | - | |
| 1611 | + | |
| 1612 | + | |
| 1613 | + | |
| 1614 | + | |
| 1615 | + | |
| 1616 | + | |
| 1617 | + | |
| 1618 | + | |
1607 | 1619 | | |
1608 | 1620 | | |
1609 | 1621 | | |
| |||
1662 | 1674 | | |
1663 | 1675 | | |
1664 | 1676 | | |
1665 | | - | |
| 1677 | + | |
| 1678 | + | |
| 1679 | + | |
| 1680 | + | |
| 1681 | + | |
| 1682 | + | |
| 1683 | + | |
| 1684 | + | |
| 1685 | + | |
| 1686 | + | |
| 1687 | + | |
| 1688 | + | |
| 1689 | + | |
1666 | 1690 | | |
1667 | 1691 | | |
1668 | 1692 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
353 | 353 | | |
354 | 354 | | |
355 | 355 | | |
356 | | - | |
357 | | - | |
358 | | - | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
359 | 364 | | |
360 | 365 | | |
361 | 366 | | |
| |||
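Review bot: the commit message lists test coverage only for compareSemver (+3), while the three findings it marks critical (the isExtensionSender gate on bunkerServer.start/stop, the savePrivateKey throw when the session is locked, and the pubkey check in getPlaintextPrivKey) name no tests; each should get a regression test, in particular one that deletes profile 0 and asserts getPlaintextPrivKey(0) returns the key whose pubkey matches the profile now at index 0, one that calls savePrivateKey with encryption enabled and no session key and asserts it throws without writing, and one that sends startBunker from a non-extension sender and asserts no bunker:// string comes back.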
0 commit comments