App hardening and Zemu test environment updates#235

Merged
chcmedeiros merged 11 commits into main from improvements
Apr 17, 2026
Conversation

@chcmedeiros
Collaborator

@chcmedeiros chcmedeiros commented Apr 16, 2026

Summary

A batch of correctness and robustness improvements across the app and its host test environment:

  • APDU dispatcher: reject incoming APDUs while a user review is pending, so review-time state cannot be mutated between rendering and approval.
  • HD path validation: require the account index to be hardened on both the consensus-side (5-element default) and EVM-side derivation paths, matching the ADR-0008 invariant already enforced for 3-element paths. Add bounds guards to the path-extraction helpers.
  • CBOR parser: require RFC 8949 canonical encoding plus unique map keys; require the parse to consume the full buffer before returning; reject embedded NUL bytes in the governance upgrade handler field; bound commission rate / bound / runtime-token array lengths at parse time.
  • Display: correct the off-by-one in tx_getItem's display-index guard; tighten the colon-separator write bound in the inner-field renderer.
  • Crypto: signal DER→RSV conversion failures explicitly so cleanup runs and the caller observes a clear error code.
  • Rust FFI: add null-pointer guards at each extern "C" entry point.

Ensure the parser reaches the end of the buffer after processing the root CBOR map. This prevents unverified data from being included in the signature hash without being displayed to the user.
Ensure that the number of rates, bounds, and tokens does not exceed predefined maximums during parsing to prevent unexpected behavior.
Require the account index (BIP44 component 2) to be hardened for both consensus and EVM-side paths. This prevents a potential silent address-enumeration primitive where a host could request addresses or signatures under non-BIP44 accounts without user confirmation.
Introduce a review-pending flag to gate incoming APDUs while a user review is active. This prevents concurrent APDUs (particularly over BLE) from mutating shared state like HD paths or buffers before a transaction is signed or rejected. Additionally, add bounds checks to path extraction functions to prevent potential buffer underflows.
Update the parser to require RFC 8949 canonical format and unique map keys. This ensures that non-canonical or duplicate-key inputs—which the chain-side serializer does not produce—are rejected before they can cause a discrepancy between the displayed transaction and the signed data.
Update the validation logic in tx_getItem to reject a display index equal to the total number of items. Because item indices are zero-based, an index equal to the item count is out of bounds.
Correct the size parameter in snprintf to bound the write against the remaining buffer space. Using the total buffer size instead of the remaining capacity could allow a write to spill past the end of the stack buffer as the offset increases.
Add NULL guards at the Rust FFI boundary to prevent undefined behavior when creating slices from raw pointers.

Reject embedded NUL bytes in transaction handler fields to ensure the user-visible text matches the signed payload, preventing potential discrepancies during review.

Ensure cryptographic error paths explicitly signal failure to trigger proper memory zeroization and prevent returning uninitialized signatures.
Upgrade @zondax/zemu, Jest, and other development dependencies.

Update the Jest and TypeScript configurations to support ESM-to-CJS transformation for specific packages like `get-port` and ensure compatibility with the updated test runner. Additionally, refresh Zemu snapshots to align with the new dependency versions.
Add explicit parentheses around multiplication operands in stakingAmendCommissionSchedule display arithmetic so the `readability-math-missing-parentheses` check passes.

Replace a stray `rlp_ok` comparison in `readBigInt` with the matching `parser_error_t` value `parser_ok`, fixing the `clang-diagnostic-enum-compare` warning. The other two `parse_field` callers in the same file already use `parser_ok`.

Reformat the CBOR canonical-validation call in `_read` to a single line per the project `.clang-format` column limit.
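The CBOR requirements the description lists (RFC 8949 canonical encoding, unique map keys, and the parse consuming the whole buffer before the root map is accepted) are easy to get subtly wrong, so here is an added, self-contained illustration. It is not the app's parser and not code from this PR: a minimal structure validator for a CBOR subset (unsigned/negative ints, byte and text strings, arrays, maps with up to 4-byte length extensions), with `PARSER_*` names, `cbor_validate` and the test vectors all constructed for this example. The trailing-data check at the end is the point the PR makes about bytes that would otherwise be hashed and signed without ever being displayed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Example-only CBOR structure validator (not the app's parser). Tags, floats,
 * 8-byte lengths and indefinite-length items are simply rejected here. */
typedef enum {
    PARSER_OK = 0,
    PARSER_UNEXPECTED_END,   /* ran off the end of the buffer */
    PARSER_NOT_CANONICAL,    /* non-minimal length encoding or mis-ordered map keys */
    PARSER_DUPLICATE_KEY,    /* the same key encoding appears twice in one map */
    PARSER_UNSUPPORTED,      /* major type / length form outside this example's subset */
    PARSER_TOO_DEEP,         /* nesting deeper than MAX_DEPTH */
    PARSER_TRAILING_DATA     /* root item parsed, but bytes remain after it */
} parser_error_t;

#define MAX_DEPTH 8

typedef struct { const uint8_t *buf; size_t len; size_t off; } cbor_ctx_t;

/* Decode an initial byte plus its length extension, enforcing the RFC 8949
 * deterministic-encoding rule that the shortest possible form must be used. */
static parser_error_t read_head(cbor_ctx_t *c, uint8_t *major, uint64_t *val) {
    if (c->off >= c->len) return PARSER_UNEXPECTED_END;
    const uint8_t ib = c->buf[c->off++];
    const uint8_t info = ib & 0x1f;
    *major = ib >> 5;
    if (info < 24) { *val = info; return PARSER_OK; }
    if (info > 26) return PARSER_UNSUPPORTED;
    const size_t n = (size_t)1 << (info - 24);            /* 1, 2 or 4 extension bytes */
    if (c->len - c->off < n) return PARSER_UNEXPECTED_END;
    uint64_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | c->buf[c->off++];
    const uint64_t min = (info == 24) ? 24u : (info == 25) ? 256u : 65536u;
    if (v < min) return PARSER_NOT_CANONICAL;             /* a shorter form was available */
    *val = v;
    return PARSER_OK;
}

/* Bytewise lexicographic order of the encoded keys; a proper prefix sorts first. */
static int key_cmp(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen) {
    const size_t m = alen < blen ? alen : blen;
    const int r = memcmp(a, b, m);
    if (r != 0) return r;
    return (alen < blen) ? -1 : (alen > blen) ? 1 : 0;
}

/* Walk one item, checking structure, key ordering and key uniqueness as it goes. */
static parser_error_t skip_item(cbor_ctx_t *c, unsigned depth) {
    if (depth > MAX_DEPTH) return PARSER_TOO_DEEP;
    uint8_t major; uint64_t val;
    parser_error_t err = read_head(c, &major, &val);
    if (err != PARSER_OK) return err;
    switch (major) {
    case 0: case 1: return PARSER_OK;                        /* integers carry no payload */
    case 2: case 3:                                          /* byte / text string of val bytes */
        if (val > c->len - c->off) return PARSER_UNEXPECTED_END;
        c->off += (size_t)val;
        return PARSER_OK;
    case 4:                                                  /* array of val items */
        for (uint64_t i = 0; i < val; i++)
            if ((err = skip_item(c, depth + 1)) != PARSER_OK) return err;
        return PARSER_OK;
    case 5: {                                                /* map of val key/value pairs */
        const uint8_t *prev = NULL; size_t prev_len = 0;
        for (uint64_t i = 0; i < val; i++) {
            const size_t kstart = c->off;
            if ((err = skip_item(c, depth + 1)) != PARSER_OK) return err;
            const size_t klen = c->off - kstart;
            if (prev != NULL) {
                const int cmp = key_cmp(prev, prev_len, c->buf + kstart, klen);
                if (cmp == 0) return PARSER_DUPLICATE_KEY;
                if (cmp > 0) return PARSER_NOT_CANONICAL;     /* keys must be strictly ascending */
            }
            prev = c->buf + kstart; prev_len = klen;
            if ((err = skip_item(c, depth + 1)) != PARSER_OK) return err;
        }
        return PARSER_OK;
    }
    default: return PARSER_UNSUPPORTED;
    }
}

/* Validate the root item and require it to end exactly at the end of the buffer. */
parser_error_t cbor_validate(const uint8_t *buf, size_t len) {
    cbor_ctx_t c = { buf, len, 0 };
    const parser_error_t err = skip_item(&c, 0);
    if (err != PARSER_OK) return err;
    if (c.off != c.len) return PARSER_TRAILING_DATA;        /* unparsed bytes would be signed but never shown */
    return PARSER_OK;
}

/* Constructed test vectors for this example (not taken from the app or the chain). */
const uint8_t VEC_OK[]        = {0xA2, 0x61, 'a', 0x01, 0x61, 'b', 0x02};   /* {"a":1,"b":2} */
const uint8_t VEC_TRAILING[]  = {0xA1, 0x61, 'a', 0x01, 0xFF};              /* {"a":1} + one stray byte */
const uint8_t VEC_DUP[]       = {0xA2, 0x61, 'a', 0x01, 0x61, 'a', 0x02};   /* {"a":1,"a":2} */
const uint8_t VEC_UNORDERED[] = {0xA2, 0x61, 'b', 0x01, 0x61, 'a', 0x02};   /* {"b":1,"a":2} */
const uint8_t VEC_NONMIN[]    = {0xA1, 0x61, 'a', 0x18, 0x05};              /* 5 encoded as 0x18 0x05 */
const uint8_t VEC_TRUNC[]     = {0xA2, 0x61, 'a', 0x01};                    /* second pair missing */

int main(void) {
    printf("ok=%d trailing=%d dup=%d unordered=%d nonmin=%d trunc=%d\n",
           cbor_validate(VEC_OK, sizeof VEC_OK), cbor_validate(VEC_TRAILING, sizeof VEC_TRAILING),
           cbor_validate(VEC_DUP, sizeof VEC_DUP), cbor_validate(VEC_UNORDERED, sizeof VEC_UNORDERED),
           cbor_validate(VEC_NONMIN, sizeof VEC_NONMIN), cbor_validate(VEC_TRUNC, sizeof VEC_TRUNC));
    return 0;
}
```

Ordering is checked on the encoded key bytes (RFC 8949 section 4.2.1), which makes duplicate detection free: strictly ascending keys cannot repeat. Every length check is written as `val > c->len - c->off` rather than `c->off + val > c->len` so a large declared length cannot wrap the addition.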
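The HD path changes in the description (bounds guards in the path-extraction helpers, and a hardened account index on 5-element consensus and EVM paths so a host cannot obtain addresses or signatures under arbitrary accounts without confirmation) are shown below as an added example. It is not the app's code: the wire layout (one count byte, then count little-endian uint32 components), the `hd_path_*` names, the `PATH_*` error values and the coin-type value used in the vectors are all assumptions made for this example; the requirement that purpose and coin type also be hardened is the ordinary BIP44 convention rather than something the PR states.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Example-only HD path handling (not the app's helpers). Assumed wire layout:
 * data[0] = component count, followed by count little-endian uint32 values. */
#define HDPATH_MAX_LEN  5u
#define BIP32_HARDENED  0x80000000u

typedef enum {
    PATH_OK = 0,
    PATH_NULL_ARG,            /* NULL input or output pointer */
    PATH_TRUNCATED,           /* payload shorter than the declared component count */
    PATH_BAD_LEN,             /* component count other than the 3 or 5 the app accepts */
    PATH_UNHARDENED_PREFIX,   /* purpose or coin type not hardened (BIP44 convention, assumed) */
    PATH_UNHARDENED_ACCOUNT   /* account index (BIP44 component 2) not hardened: the PR's check */
} path_error_t;

typedef struct { uint32_t comp[HDPATH_MAX_LEN]; size_t len; } hd_path_t;

/* Copy the path out of an APDU payload; the length is checked before any component is read. */
path_error_t hd_path_extract(const uint8_t *data, size_t data_len, hd_path_t *out) {
    if (data == NULL || out == NULL) return PATH_NULL_ARG;
    if (data_len < 1) return PATH_TRUNCATED;
    const size_t n = data[0];
    if (n != 3 && n != 5) return PATH_BAD_LEN;
    if (data_len - 1 < n * sizeof(uint32_t)) return PATH_TRUNCATED;   /* bounds guard */
    for (size_t i = 0; i < n; i++) {
        const uint8_t *p = data + 1 + i * 4;
        out->comp[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    out->len = n;
    return PATH_OK;
}

/* Hardening invariant: purpose and coin type per BIP44, and the account index
 * per this PR, must all carry the hardened bit. Address/change indices may be soft. */
path_error_t hd_path_validate(const hd_path_t *p) {
    if (p == NULL || p->len < 3 || p->len > HDPATH_MAX_LEN) return PATH_BAD_LEN;
    if (!(p->comp[0] & BIP32_HARDENED) || !(p->comp[1] & BIP32_HARDENED)) return PATH_UNHARDENED_PREFIX;
    if (!(p->comp[2] & BIP32_HARDENED)) return PATH_UNHARDENED_ACCOUNT;
    return PATH_OK;
}

/* What a dispatcher would call before deriving a key: extract, then validate. */
path_error_t hd_path_check(const uint8_t *data, size_t data_len) {
    hd_path_t path;
    const path_error_t err = hd_path_extract(data, data_len, &path);
    return err != PATH_OK ? err : hd_path_validate(&path);
}

/* Constructed APDU payloads. 44' = 0x8000002C; the coin type 1' is a placeholder. */
#define LE32(v) (uint8_t)((v) & 0xffu), (uint8_t)(((v) >> 8) & 0xffu), \
                (uint8_t)(((v) >> 16) & 0xffu), (uint8_t)(((v) >> 24) & 0xffu)
const uint8_t APDU_GOOD[]  = {5, LE32(0x8000002Cu), LE32(0x80000001u), LE32(0x80000000u), LE32(0u), LE32(0u)};
const uint8_t APDU_SOFT[]  = {5, LE32(0x8000002Cu), LE32(0x80000001u), LE32(0x00000000u), LE32(0u), LE32(0u)}; /* account 0 not hardened */
const uint8_t APDU_SHORT[] = {5, LE32(0x8000002Cu), LE32(0x80000001u), LE32(0x80000000u)};  /* claims 5, carries 3 */

int main(void) {
    printf("good=%d soft=%d short=%d null=%d\n",
           hd_path_check(APDU_GOOD, sizeof APDU_GOOD), hd_path_check(APDU_SOFT, sizeof APDU_SOFT),
           hd_path_check(APDU_SHORT, sizeof APDU_SHORT), hd_path_check(NULL, 0));
    return 0;
}
```

The guard `data_len - 1 < n * sizeof(uint32_t)` runs once, before the loop, so a payload that declares five components but carries three is rejected without any read past `data_len`; the validation step is kept separate so the same invariant can be applied to a path that arrives through a different entry point.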
@chcmedeiros chcmedeiros requested a review from abenso April 17, 2026 15:25
@chcmedeiros chcmedeiros merged commit ea855a6 into main Apr 17, 2026
49 of 70 checks passed
@chcmedeiros chcmedeiros deleted the improvements branch April 17, 2026 16:10
tdejoigny-ledger added a commit to LedgerHQ/app-oasis that referenced this pull request Apr 22, 2026
App hardening and Zemu test environment updates (Zondax#235)