[#4476]: Seed phrase is visible in logs during account recovery

2018-05-28 11:47:31 +02:00 · 2018-05-28 11:47:31 +02:00 · 3b1721dd0d
parent f432bad3c0
commit 3b1721dd0d
2 changed files with 21 additions and 9 deletions
--- a/src/status_im/ui/screens/accounts/recover/events.cljs
+++ b/src/status_im/ui/screens/accounts/recover/events.cljs
@ -1,14 +1,15 @@
 (ns status-im.ui.screens.accounts.recover.events
  (:require
   status-im.ui.screens.accounts.recover.navigation
+   [clojure.string :as string]
   [re-frame.core :as re-frame]
   [status-im.native-module.core :as status]
   [status-im.ui.screens.accounts.events :as accounts-events]
   [status-im.utils.types :as types]
   [status-im.utils.identicon :as identicon]
-   [clojure.string :as string]
   [status-im.utils.handlers :as handlers]
   [status-im.utils.gfycat.core :as gfycat]
+   [status-im.utils.security :as security]
   [status-im.utils.signing-phrase.core :as signing-phrase]
   [status-im.utils.hex :as utils.hex]
   [status-im.constants :as constants]))
@ -17,11 +18,18 @@

 (re-frame/reg-fx
 ::recover-account-fx
- (fn [[passphrase password]]
+ (fn [[masked-passphrase password]]
   (status/recover-account
-    (string/trim passphrase)
+    (security/unmask masked-passphrase)
    password
-    #(re-frame/dispatch [:account-recovered % password]))))
+    (fn [result]
+      ;; here we deserialize result, dissoc mnemonic and serialize the result again
+      ;; because we want to have information about the result printed in logs, but
+      ;; don't want secure data to be printed
+      (let [data (-> (types/json->clj result)
+                     (dissoc :mnemonic)
+                     (types/clj->json))]
+        (re-frame/dispatch [:account-recovered data password]))))))

 ;;;; Handlers

@ -50,5 +58,5 @@

 (handlers/register-handler-fx
 :recover-account
- (fn [_ [_ passphrase password]]
-   {::recover-account-fx [passphrase password]}))
+ (fn [_ [_ masked-passphrase password]]
+   {::recover-account-fx [masked-passphrase password]}))
--- a/src/status_im/ui/screens/accounts/recover/views.cljs
+++ b/src/status_im/ui/screens/accounts/recover/views.cljs
@ -1,6 +1,7 @@
 (ns status-im.ui.screens.accounts.recover.views
  (:require-macros [status-im.utils.views :refer [defview letsubs]])
-  (:require [re-frame.core :as re-frame]
+  (:require [clojure.string :as string]
+            [re-frame.core :as re-frame]
            [reagent.core :as reagent]
            [status-im.ui.components.text-input.view :as text-input]
            [status-im.ui.components.react :as react]
@ -14,7 +15,8 @@
            [status-im.utils.config :as config]
            [status-im.react-native.js-dependencies :as js-dependencies]
            [cljs.spec.alpha :as spec]
-            [status-im.ui.components.common.common :as components.common]))
+            [status-im.ui.components.common.common :as components.common]
+            [status-im.utils.security :as security]))

 (defview passphrase-input [passphrase]
  (letsubs [error [:get-in [:accounts/recover :passphrase-error]]
@ -65,4 +67,6 @@
         {:forward?  true
          :label     (i18n/label :t/sign-in)
          :disabled? (not valid-form?)
-          :on-press  #(re-frame/dispatch [:recover-account passphrase password])}]]])))
+          :on-press  (fn [_]
+                       (let [masked-passphrase (security/mask-data (string/trim passphrase))]
+                         (re-frame/dispatch [:recover-account masked-passphrase password])))}]]])))