Privacy leakage in asset_transfer.go #69

Open
ghost opened this issue May 19, 2024 · 1 comment

ghost commented May 19, 2024

Describe the bug
Privacy leakage in app/asset-transfer-private-data/chaincode-go/chaincode/asset_transfer.go

To Reproduce

  1. Deploy asset_transfer.go, along with the PDC definition.
  2. Invoke the AgreeToTransfer function to write the private data P to the PDC.
  3. Fetch the block and find the corresponding transaction.
  4. The private data P can be found in the "payload" field.

Expected behavior
The private data will be included in the transaction and all peers can access it.

Screenshots
The private data is recorded in base64.

Desktop (please complete the following information):

  • OS: Ubuntu 22.04
  • Hyperledger Fabric 2.4.7

Additional context
Leakage occurs in lines 213, 289, 102, 308, 316, 445, 459, 528.
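
The check in steps 3 and 4 can be automated as a regression test for chaincode changes. The following is an added example, not part of the original issue or the project's code: it assumes the block has already been decoded to JSON with byte fields in base64, and it scans every string field rather than only "payload". `SampleBlock`, `FindLeaks`, the block layout and the marker value are constructed for illustration.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)

// SampleBlock builds a constructed, simplified stand-in for a JSON-decoded block (not Fabric's exact layout).
func SampleBlock(responsePayload string) []byte {
	b64 := base64.StdEncoding.EncodeToString([]byte(responsePayload))
	return []byte(fmt.Sprintf(`{"data":{"data":[{"payload":{"data":{"actions":[{"payload":{"action":{"response":{"status":200,"payload":%q}}}}]}}}]}}`, b64))
}

// FindLeaks returns JSON paths of string fields containing a marker, verbatim or after base64 decoding.
func FindLeaks(blockJSON []byte, markers []string) ([]string, error) {
	var root interface{}
	if err := json.Unmarshal(blockJSON, &root); err != nil {
		return nil, err
	}
	var hits []string
	var walk func(path string, v interface{})
	walk = func(path string, v interface{}) {
		switch t := v.(type) {
		case map[string]interface{}:
			for k, c := range t {
				walk(path+"."+k, c)
			}
		case []interface{}:
			for i, c := range t {
				walk(fmt.Sprintf("%s[%d]", path, i), c)
			}
		case string:
			decoded, _ := base64.StdEncoding.DecodeString(t) // partial or empty if t is not base64
			for _, m := range markers {
				if strings.Contains(t, m) || strings.Contains(string(decoded), m) {
					hits = append(hits, path)
					return
				}
			}
		}
	}
	walk("$", root)
	return hits, nil
}

func main() {
	fmt.Println(FindLeaks(SampleBlock(`{"assetID":"asset1","note":"CONSTRUCTED-P-7f3a"}`), []string{"CONSTRUCTED-P-7f3a"}))
}
```

Use a unique marker value in the private data of a test transaction so that any hit in the decoded block is unambiguous.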

ghost commented May 20, 2024

According to the Docs, the functions that query private data should be read-only.
