solana-studio 0.4.1 → 0.4.2

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 39e8967f873b252f8204b4ff0be0a011b813f3744b2ee9c308b1e73740e9ca2a
-  data.tar.gz: 769171e5fd595cba388702be0e4dd6b1f9f46545451624393543ef329b2cc402
+  metadata.gz: eddaba3ed1477d676bec3f207d9d1fd41614853259b3fb1b6d8606708f461eef
+  data.tar.gz: 3517d316ee585700c03b70c868bd5b3e1225e18f3dd03992e69d3e36d81a3e1e
 SHA512:
-  metadata.gz: '00851cd448aecb996b636f91ab2bf19192a0d64966223a06633b52584c38116ff32f3a163433a50a4299d15a72196426d14e65cb5aee599a0b71a98728f340ab'
-  data.tar.gz: 7fcbc86d1194c63055bf14f7fd3c23f1d117c872e295a9e20557fbf8528f20b88be991ac4daae0d276ac10b790037b98c52315170d8323d1082b2b072ce96136
+  metadata.gz: 8fee45a8591c3c3a8b193aa3a3ab0b719aafedd79ae746e3c3d679c15f83113a3dcc52b1bac34216d4da3502ca3f53dfcc1f12fbc2f159e6df3ca1385d35287a
+  data.tar.gz: a959122852472eb7a5c1172cfe7f6a719ef44ad3f985ed12d548127c798d976964916dba92a47627a43579e2116a0cdbfb5ed4095ccc25bf299db4434fc6c70a

data/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 The format is [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## v0.4.2 (2026-05-19)
+
+Tier-3 fixes from the turf-monster pre-prod opsec audit (OPSEC-017/018/043).
+
+### Changed (breaking)
+- **`Solana::AuthVerifier.verify!` now requires an `expected_host:` keyword argument (OPSEC-018).** The verifier previously matched only the nonce, so a signature a user produced for any other dApp — over a message carrying the same nonce — would satisfy a host app's login. `verify!` now asserts the signed message names `expected_host` as its opening token (SIWS-style `"<host> wants to sign in…"`). Callers must pass `expected_host:` (e.g. `request.host`).
+
+### Fixed (security)
+- **`Solana::Transaction#serialize` / `#serialize_partial` now verify signer count (OPSEC-017).** `serialize` raises unless `@signers.length` equals the number of `is_signer` accounts; `serialize_partial` raises unless local + additional signers cover every required slot. Previously a missing required signer produced a malformed payload, or a zero-filled signature slot in a still-broadcastable half-signed TX.
+- **`Solana::Transaction#serialize_partial` no longer stores signer state in an instance variable (OPSEC-043).** Additional signers are kept in a local, so a `Transaction` shared across threads can't leak signer state between partial-sign flows.
+
+### Tests
+- New `test/auth_verifier_test.rb`; added signer-count + no-instance-state cases to `test/transaction_test.rb`.
+
 ## v0.4.1 (2026-05-17)
 
 Pre-public-release security hardening per `SECURITY-AUDIT-2026-05-17.md`.

data/lib/solana/auth_verifier.rb

@@ -14,6 +14,7 @@ module Solana
   #     nonce_at     = session.delete(:solana_nonce_at)
   #     Solana::AuthVerifier.verify!(
   #       message: ..., signature_b58: ..., pubkey_b58: ...,
+  #       expected_host: request.host,
   #       stored_nonce: stored_nonce, nonce_at: nonce_at
   #     )
   #
@@ -31,8 +32,9 @@ module Solana
     ED25519_SIGNATURE_BYTES = 64
 
     # Verifies that `signature_b58` is a valid Ed25519 signature over
-    # `message` made by `pubkey_b58`, AND that the `Nonce: ...` field in
-    # the message matches `stored_nonce`, AND that the nonce is not stale.
+    # `message` made by `pubkey_b58`, AND that the message is bound to
+    # `expected_host` (its opening token), AND that the `Nonce: ...` field
+    # matches `stored_nonce`, AND that the nonce is not stale.
     #
     # Returns the verified public key (base58 string) on success.
     # Raises Solana::AuthVerifier::VerificationError on any failure.
@@ -40,11 +42,15 @@ module Solana
     # @param message [String] the signed message (must contain `Nonce: <value>`)
     # @param signature_b58 [String] base58-encoded Ed25519 signature
     # @param pubkey_b58 [String] base58-encoded public key
+    # @param expected_host [String] host the signed message must name as its
+    #   opening token — rejects signatures the user made for any other domain
+    #   (OPSEC-018)
     # @param stored_nonce [String, nil] the nonce the host issued + remembers
     # @param nonce_at [Integer, nil] Unix timestamp when the nonce was issued
     # @param max_age [Integer] seconds before a nonce expires (default 300)
-    def self.verify!(message:, signature_b58:, pubkey_b58:, stored_nonce:, nonce_at: nil, max_age: NONCE_MAX_AGE)
+    def self.verify!(message:, signature_b58:, pubkey_b58:, expected_host:, stored_nonce:, nonce_at: nil, max_age: NONCE_MAX_AGE)
       raise VerificationError, "No nonce provided" if stored_nonce.nil? || stored_nonce.empty?
+      raise VerificationError, "No expected_host provided" if expected_host.nil? || expected_host.to_s.empty?
 
       if nonce_at && (Time.now.to_i - nonce_at.to_i) > max_age
         raise VerificationError, "Nonce expired"
@@ -72,6 +78,14 @@ module Solana
         raise VerificationError, "Invalid nonce"
       end
 
+      # OPSEC-018: bind the signature to the host. The signed message must name
+      # the host as its opening token (SIWS-style: "<host> wants to sign in…").
+      # Without this, a signature the user produced for any other dApp — over a
+      # message that happens to carry the same nonce — would satisfy verify!.
+      unless message.start_with?("#{expected_host} ")
+        raise VerificationError, "Message is not bound to host #{expected_host}"
+      end
+
       pubkey_b58
     rescue Ed25519::VerifyError => e
       raise VerificationError, "Signature verification failed: #{e.message}"

data/lib/solana/transaction.rb

@@ -82,6 +82,14 @@ module Solana
       num_readonly_signed = count_readonly_signed(account_keys)
       num_readonly_unsigned = count_readonly_unsigned(account_keys)
 
+      # OPSEC-017: the message header declares num_required_signatures, but we
+      # only write @signers.length signatures. A mismatch produces a malformed
+      # payload — fail loudly here instead of emitting a silently-broken TX.
+      if @signers.length != num_required_signatures
+        raise "Signer count mismatch: #{@signers.length} signer(s) provided, " \
+              "#{num_required_signatures} required by the account list"
+      end
+
       # Build message
       message = build_message(account_keys, num_required_signatures, num_readonly_signed, num_readonly_unsigned)
 
@@ -105,18 +113,27 @@ module Solana
       raise "No signers" if @signers.empty?
       raise "No instructions" if @instructions.empty?
 
-      # Mark additional signers so they appear in the account keys
-      additional_signers.each do |pubkey_bytes|
-        pk = normalize_pubkey(pubkey_bytes)
-        @_additional_signers ||= []
-        @_additional_signers << pk
-      end
+      # OPSEC-043: keep additional signers in a local — never an instance ivar.
+      # A Transaction shared across threads/requests must not leak signer state
+      # between partial-sign flows.
+      normalized_additional = additional_signers.map { |pk| normalize_pubkey(pk) }
 
-      account_keys = collect_account_keys
+      account_keys = collect_account_keys(normalized_additional)
       num_required_signatures = count_required_signatures(account_keys)
       num_readonly_signed = count_readonly_signed(account_keys)
       num_readonly_unsigned = count_readonly_unsigned(account_keys)
 
+      # OPSEC-017: every required signature slot must be covered by a local
+      # signer (signed now) or an additional signer (signs client-side later).
+      # Otherwise a slot is silently zero-filled and the half-signed TX is
+      # still broadcastable.
+      provided = @signers.length + normalized_additional.length
+      if provided != num_required_signatures
+        raise "Signer count mismatch: #{provided} provided " \
+              "(#{@signers.length} local + #{normalized_additional.length} additional), " \
+              "#{num_required_signatures} required by the account list"
+      end
+
       message = build_message(account_keys, num_required_signatures, num_readonly_signed, num_readonly_unsigned)
 
       # Build ordered signature slots matching the account key order
@@ -124,12 +141,10 @@ module Solana
       @signers.each { |s| signer_map[s.public_key_bytes] = s.sign(message) }
 
       signatures = account_keys.select { |_, meta| meta[:is_signer] }.map do |pk, _|
-        signer_map[pk] || ("\x00" * 64).b  # zero placeholder for unsigned slots
+        signer_map[pk] || ("\x00" * 64).b  # zero placeholder for an additional (client-side) signer
       end
 
       compact_u16(signatures.length) + signatures.join.b + message
-    ensure
-      @_additional_signers = nil
     end
 
     def serialize_partial_base64(additional_signers: [])
@@ -151,7 +166,7 @@ module Solana
       end
     end
 
-    def collect_account_keys
+    def collect_account_keys(additional_signers = [])
       keys = {}
 
       # Fee payer (first signer) is always first
@@ -166,11 +181,9 @@ module Solana
       end
 
       # Additional signers (for partial signing — not in @signers but must be marked as signer)
-      if @_additional_signers
-        @_additional_signers.each do |pk|
-          keys[pk] ||= { is_signer: true, is_writable: false }
-          keys[pk][:is_signer] = true
-        end
+      additional_signers.each do |pk|
+        keys[pk] ||= { is_signer: true, is_writable: false }
+        keys[pk][:is_signer] = true
       end
 
       # Instruction accounts

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: solana-studio
 version: !ruby/object:Gem::Version
-  version: 0.4.1
+  version: 0.4.2
 platform: ruby
 authors:
 - Alex McRitchie
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2026-05-18 00:00:00.000000000 Z
+date: 2026-05-20 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ed25519