hd-wallet-wasm 0.3.2 → 0.3.3

Binary file
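--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "hd-wallet-wasm",
- "version": "0.3.2",
+ "version": "0.3.3",
  "description": "Comprehensive HD Wallet implementation in WebAssembly - BIP-32/39/44, multi-curve, multi-chain support",
  "type": "module",
  "main": "src/index.mjs",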
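--- a/package/src/index.mjs
+++ b/package/src/index.mjs
@@ -321,6 +321,11 @@ class HDKey {
  this._path = path;
  /** @private */
  this._destroyed = false;
+
+ // SECURITY FIX [VULN-14]: Register for GC-based cleanup as safety net
+ if (_keyRegistry) {
+ _keyRegistry.register(this, { wasm, handle }, this);
+ }
  }
 
  /**
@@ -398,6 +403,8 @@ class HDKey {
  checkResult(result);
  return readBytes(this._wasm, ptr, 32);
  } finally {
+ // SECURITY FIX [VULN-04]: Wipe private key from WASM heap before freeing
+ this._wasm._hd_secure_wipe(ptr, 32);
  this._wasm._hd_dealloc(ptr);
  }
  }
@@ -546,6 +553,8 @@ class HDKey {
  checkResult(result);
  return readString(this._wasm, ptr);
  } finally {
+ // SECURITY FIX [VULN-05]: Wipe xprv (contains private key) from WASM heap
+ this._wasm._hd_secure_wipe(ptr, 128);
  this._wasm._hd_dealloc(ptr);
  }
  }
@@ -575,6 +584,10 @@ class HDKey {
  this._wasm._hd_key_destroy(this._handle);
  this._handle = null;
  this._destroyed = true;
+ // Unregister from FinalizationRegistry since we've cleaned up explicitly
+ if (_keyRegistry) {
+ _keyRegistry.unregister(this);
+ }
  }
  }
 
@@ -592,6 +605,33 @@ class HDKey {
  }
  }
 
+ // =============================================================================
+ // SECURITY FIX [VULN-14]: FinalizationRegistry to auto-wipe leaked HDKey objects
+ // =============================================================================
+
+ /**
+ * Registry that wipes native key handles when HDKey JS objects are garbage collected
+ * without the user calling .wipe(). This is a safety net, not a replacement for
+ * explicit cleanup — users should still call .wipe() when done.
+ */
+ let _keyRegistry = null;
+ try {
+ if (typeof FinalizationRegistry !== 'undefined') {
+ _keyRegistry = new FinalizationRegistry(({ wasm, handle }) => {
+ if (handle) {
+ try {
+ wasm._hd_key_wipe(handle);
+ wasm._hd_key_destroy(handle);
+ } catch (e) {
+ // Ignore errors during GC cleanup
+ }
+ }
+ });
+ }
+ } catch (e) {
+ // FinalizationRegistry not available in this environment
+ }
+
  // =============================================================================
  // Module Initialization
  // =============================================================================
@@ -685,6 +725,9 @@ function createModule(wasm) {
  return readBytes(wasm, seedPtr, 64);
  } finally {
  wasm._hd_secure_wipe(seedPtr, 64);
+ // SECURITY FIX [VULN-07]: Wipe mnemonic and passphrase from WASM heap
+ wasm._hd_secure_wipe(mnemonicPtr, wasm.lengthBytesUTF8(mnemonicStr) + 1);
+ wasm._hd_secure_wipe(passphrasePtr, wasm.lengthBytesUTF8(passphrase) + 1);
  wasm._hd_dealloc(mnemonicPtr);
  wasm._hd_dealloc(passphrasePtr);
  wasm._hd_dealloc(seedPtr);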
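Review bot: The wipe lengths added in the three `finally` blocks are not tied to the sizes of the buffers they cover, whose allocations lie outside the hunks: createModule re-evaluates `wasm.lengthBytesUTF8(...) + 1` at cleanup time, and the two HDKey hunks hard-code `32` and `128`. If a length ever differs from the allocated size, the wipe either leaves secret bytes on the WASM heap or zeroes memory past the buffer, and because each wipe precedes `_hd_dealloc`, an exception from it (for instance if `lengthBytesUTF8` is not an exported runtime method, which the diff does not show) would skip the frees and replace the function's result. I would compute each size once beside its allocation and reuse it, e.g. `const mnemonicLen = wasm.lengthBytesUTF8(mnemonicStr) + 1;` before the `try` and `wasm._hd_secure_wipe(mnemonicPtr, mnemonicLen);` in the `finally`. A short comment there should also say that the values returned by `readBytes`/`readString` are presumably JS-side copies this cleanup does not reach, so callers still have to clear or drop them.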