This repository was archived by the owner on Mar 5, 2025. It is now read-only.

No bounds on key length in method privateKeyToAccount() #2928

@chirag-parmar

Description

web3.eth.accounts.privateKeyToAccount() doesn't check for the input string length. Neither does it check for

Expected behavior

Calling const my_account = await web3.eth.accounts.privateKeyToAccount(<Really Long String>) should throw an error pointing out that the string is too long for a typical Ethereum private key.

Actual behavior

No error is thrown. console.log(my_account.privateKey) prints out the huge string.

Steps to reproduce the behavior

const Web3 = require('web3')

async function convertKey() {
  const web3 = new Web3("http://localhost:8545")

  const account = await web3.eth.accounts.privateKeyToAccount(<REALLY LONG HEX STRING>)

  console.log(account.privateKey)

}

convertKey()

Save it as a .js file and run it using node.

Additional

The problem seems to be in the eth-lib npm package. The fromPrivate method does not check for the key length. Also, it does not check if the first two characters are '0x', it just slices out the first two characters.

Versions

  • web3.js: v1.0.0-beta.55
  • nodejs: v12.1.0
  • browser: Not used
  • ethereum node: Not used
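
Added example, not part of the original issue and not code from web3.js or eth-lib: one way a caller can enforce the checks the report says are missing (explicit 0x prefix, exactly 32 bytes of hex, scalar within the secp256k1 range) before handing a string to privateKeyToAccount(). The helper names validatePrivateKey and rejectionReason are hypothetical, and the sample keys are constructed.

```javascript
// Added example: strict validation for a secp256k1 private key string.
// validatePrivateKey is a hypothetical helper, not part of web3.js or eth-lib.

// Order of the secp256k1 group; valid private keys lie in [1, n - 1].
const SECP256K1_N = BigInt(
  '0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141'
);

function validatePrivateKey(input) {
  if (typeof input !== 'string') {
    throw new TypeError('private key must be a string');
  }
  // Require the prefix explicitly instead of slicing two characters blindly.
  if (!input.startsWith('0x')) {
    throw new Error('private key must start with 0x');
  }
  const hex = input.slice(2);
  // 32 bytes = 64 hex characters, no more and no less.
  if (hex.length !== 64) {
    throw new Error(`private key must be 64 hex characters, got ${hex.length}`);
  }
  if (!/^[0-9a-fA-F]{64}$/.test(hex)) {
    throw new Error('private key contains non-hex characters');
  }
  const d = BigInt('0x' + hex);
  if (d === 0n || d >= SECP256K1_N) {
    throw new Error('private key is outside the range [1, n - 1]');
  }
  return '0x' + hex.toLowerCase();
}

// Returns null when the key is acceptable, otherwise the rejection reason.
function rejectionReason(input) {
  try {
    validatePrivateKey(input);
    return null;
  } catch (err) {
    return err.message;
  }
}

// Constructed sample inputs (not real keys).
const samples = {
  valid: '0x' + '11'.repeat(32),
  tooLong: '0x' + 'ab'.repeat(500),
  noPrefix: '11'.repeat(32),
  zero: '0x' + '00'.repeat(32),
};
for (const [name, key] of Object.entries(samples)) {
  console.log(name, '->', rejectionReason(key) || 'accepted');
}
```

The error messages report only the length or the failed rule, never the key material itself, so they are safe to log.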
