
naivechain's People

Contributors

lhartikk, lukaswelte


naivechain's Issues

Quick start

Hi Lauri,
I didn't understand how to execute this part (on PowerShell):

Quick start
(set up two connected nodes and mine 1 block)

npm install

HTTP_PORT=3001 P2P_PORT=6001 npm start

HTTP_PORT=3002 P2P_PORT=6002 PEERS=ws://localhost:6001 npm start

Could you give me some more information?

Thank you.

Are 2 ports necessary?

You can pass the http server app to the ws server and have it all work under 1 port. Is it purposely made to use 2 ports and why?

On second thought, why are websockets used at all? You can query the network via http, this will make the program even simpler and with less code which as I see is the main concern in this repo?

Regular Expression Denial of Service (ReDoS) # 2

Regular Expression Denial of Service (ReDoS)
Vulnerable module: mime
Introduced through: [email protected]
Detailed paths
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Overview
mime is a comprehensive, compact MIME type module.

Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS). It uses the following regex /.*[\.\/\\]/ in its lookup, which can cause a slowdown of 2 seconds for 50k characters.

Quick start not working..help!

Hello.
I don't know how to execute the quick start..
The command is not working.. (I downloaded Node.js and npm)
Please help me..

npm

Confusion about peers.

In this example, I'm confused about what happens when you write a message to a peer in the broadcast function. Is there code behind the ports that handles the message? Or in this example, does the message just fall off?

403 err

It keeps giving me a 403 when I send a packet to the server.

Received blockchain is not longer than current Blockchain. Do Nothing

node2_1  | Received message{"type":2,"data":"[{\"index\":0,\"previousHash\":\"0\",\"timestamp\":1465154705,\"data\":\"my genesis block!!\",\"hash\":\"816534932c2b7154836da6afc367695e6337db8a921823784c14378abed4f7d7\"}]"}
node2_1  | received blockchain is not longer than current blockchain. Do nothing
node3_1  | Received message{"type":2,"data":"[{\"index\":0,\"previousHash\":\"0\",\"timestamp\":1465154705,\"data\":\"my genesis block!!\",\"hash\":\"816534932c2b7154836da6afc367695e6337db8a921823784c14378abed4f7d7\"}]"}
node3_1  | received blockchain is not longer than current blockchain. Do nothing

I keep getting this message when running the project, can anyone please explain to me how to fix it?

Error when using `docker-compose` to quick start.

Here is what happens when I try:

$ docker-compose up
ERROR: In file './docker-compose.yml' service 'version' doesn't have any configuration options. All top level keys in your docker-compose.yml must map to a dictionary of configuration options.

I'm running Ubuntu 16.04 Linux, by the way. My docker-compose package is at version 1.5.2-1.

Data lost if nodes fails to connect to known peers

Trying this scenario:
up node1
up node2
up node3
Pushing some block(s)...
stop node1, receiving "connection failed to peer: ws://node1:6001" on node2
stop node2, receiving "connection failed to peer: ws://node2:6001" on node3
up node1, here node1 doesn't receive chain from node3, so chain is lost on node1
up node2, here node1 doesn't receive chain from node3, so chain is lost on node2
So here, chain is totally lost.

after installation, get this error on Mac

naivechain/main.js:11
class Block {
^^^^^
SyntaxError: Unexpected reserved word
at Module._compile (module.js:439:25)
at Object.Module._extensions..js (module.js:474:10)
at Module.load (module.js:356:32)
at Function.Module._load (module.js:312:12)
at Function.Module.runMain (module.js:497:10)
at startup (node.js:119:16)
at node.js:906:3

npm ERR! [email protected] start: node main.js
npm ERR! Exit status 8
npm ERR!
npm ERR! Failed at the [email protected] start script.
npm ERR! This is most likely a problem with the naivechain package,
npm ERR! not with npm itself.
npm ERR! Tell the author that this fails on your system:
npm ERR! node main.js
npm ERR! You can get their info via:
npm ERR! npm owner ls naivechain
npm ERR! There is likely additional logging output above.
npm ERR! System Darwin 15.6.0
npm ERR! command "node" "/usr/local/bin/npm" "start"
npm ERR! cwd /naivechain
npm ERR! node -v v0.10.28
npm ERR! npm -v 1.4.9
npm ERR! code ELIFECYCLE
npm ERR!
npm ERR! Additional logging details can be found in:
npm ERR! naivechain/npm-debug.log
npm ERR! not ok code 0

How difficult is it to manipulate (hack) this storage?

Hi,

Blockchain is a storage/database (which uses only some types of data like transactions, logs, activities...).

I was researching this question for a long time. Your code is simple. So I understand exactly how blockchain saves new data on top of the old...

But I have a question... I will be happy if you can help me here...

Why do people say that it is difficult to manipulate the old data? A hacker can change the old data exactly like in other RDBMS databases.

We put the hash of the older block into the new block. But the "hash" is only a string of the older block. So if someone changes the old block data, no one will notice it.

Let's say we have votes. We vote for two governments, A and B. At the end of the day we have on the blockchain:

Jack + A + hash0 + timestamp0
Maria + B + hash1 + timestamp1
Stephan + A + hash2 + timestamp2
Suzanna + A + hash3 + timestamp3
Tom + A + hash4 + timestamp4

Let's say a hacker changed Stephan's vote to B. So we will not notice that someone changed the vote (data). Because no one will recalculate every time timestamp3, which is already added to the blockchain.

I want to say that timestamp3 is calculated only once (when the new block is created). That's the problem...

Blockchain is good when it is distributed. But alone it is nothing. We cannot recalculate all the blocks every hour, again and again. After a while (when the data is more than terabytes) recalculating all blocks will be impossible/expensive.

Am I wrong?

This is a wrong sentence. I was writing something different.
If blockchain is good when it is distributed, why have companies started to use it internally?


Thank you

CryptoJS SHA256 function error

The function getHash() is not dependent on timestamp. In fact, it is only giving the result on the basis of the first argument passed to it, and that too only if it is a string. You can verify the same by creating two block chains. The genesis block in both of them will have different timestamps, however the hash value is the same. This can be corrected by giving a single argument, i.e. the concatenation of all the arguments in string data type.

Prototype Override Protection Bypass

Prototype Override Protection Bypass
Vulnerable module: qs
Introduced through: [email protected]
Detailed paths
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected]
Remediation: Upgrade to [email protected].
Overview
qs is a querystring parser that supports nesting and arrays, with a depth limit.

By default qs protects against attacks that attempt to overwrite an object's existing prototype properties, such as toString(), hasOwnProperty(), etc.

From qs documentation:

By default parameters that would overwrite properties on the object prototype are ignored, if you wish to keep the data from those fields either use plainObjects as mentioned above, or set allowPrototypes to true which will allow user input to overwrite those properties. WARNING It is generally a bad idea to enable this option as it can cause problems when attempting to use the properties that have been overwritten. Always be careful with this option.

Overwriting these properties can impact application logic, potentially allowing attackers to work around security controls, modify data, make the application unstable and more.

In versions of the package affected by this vulnerability, it is possible to circumvent this protection and overwrite prototype properties and functions by prefixing the name of the parameter with [ or ]. e.g. qs.parse("]=toString") will return {toString = true}, as a result, calling toString() on the object will throw an exception.

Example:

qs.parse('toString=foo', { allowPrototypes: false })
// {}

qs.parse("]=toString", { allowPrototypes: false })
// {toString = true} <== prototype overwritten

Regular Expression Denial of Service (DoS)

Regular Expression Denial of Service (DoS)
Vulnerable module: negotiator
Introduced through: [email protected]
Detailed paths
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Overview
negotiator is an HTTP content negotiator for Node.js.

Affected versions of this package are vulnerable to Regular Expression Denial of Service (DoS) when parsing the Accept-Language HTTP header.

Regular Expression Denial of Service (ReDoS)

Regular Expression Denial of Service (ReDoS)
Vulnerable module: fresh
Introduced through: [email protected]
Detailed paths
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected]
Remediation: Upgrade to [email protected].
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Introduced through: naivechain@lhartikk/naivechain#dfd2481e7158f72e54fba4ce0bd2f48d0a44945e › [email protected][email protected][email protected][email protected]
Remediation: Upgrade to [email protected].
Overview
fresh is HTTP response freshness testing.

Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. A Regular Expression (/ *, */) was used for parsing HTTP headers and takes about 2 seconds of matching time for 50k characters.
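A single-pass way to split a comma-separated header value without the / *, */ regex, as an added example (not fresh's own code and not part of the report above). The function name splitTokenList and the sample header are assumptions; the scanner visits each character once, so its cost grows linearly with header length.

```javascript
// Added example: linear-time replacement for header.split(/ *, */).
// Spaces (0x20) around each comma-separated token are dropped; inner spaces are kept.
function splitTokenList(header) {
  const tokens = [];
  let start = 0; // index of the first non-space character of the current token
  let end = 0;   // index just past the last non-space character of the current token
  for (let i = 0; i < header.length; i++) {
    const c = header.charCodeAt(i);
    if (c === 0x2c) {                 // ',' closes the current token
      tokens.push(header.substring(start, end));
      start = end = i + 1;
    } else if (c === 0x20) {          // ' '
      if (start === end) start = end = i + 1; // still in leading spaces: skip them
    } else {
      end = i + 1;                    // extend the token up to this character
    }
  }
  tokens.push(header.substring(start, end));
  return tokens;
}

// Constructed sample header value.
const sample = 'no-cache ,  max-age=0,must-revalidate';
console.log(splitTokenList(sample));
```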

Questions about spreading fake long blockchain from “bad” nodes

What will happen if a “bad” node generates a long fake blockchain from genesis and spreads it to “good” nodes?

Will the blockchain be replaced by the fake one in the “good” nodes?

Can we evade this by checking if the longest blockchain is prefixed by our current blockchain?

Vulnerability when updating chain

Hi. I'm not familiar with JavaScript, so I hope I didn't miss something.

At the method handleBlockchainResponse, the default behaviour for a chain longer than the one of the user is invoking replaceChain, which just takes the new one without checking if it extends the original one. By this, the blockchain can be tampered with by anyone who knows the actual size of the current chain.

I know you want to keep the code simple, but I think this may be confusing for the educational purposes.

My suggestion is modifying the method isValidChain so it takes a subchain and a pseudo-genesis block and be more generic. That way you could evaluate a whole blockchain from the Genesis Block or just the part of the received one that comes after the latestBlockHeld (if the position latestBlockHeld.index of the received chain contains latestBlockHeld, it ensures the previous ones with its hash, right?). Then you can add a protection with it to replaceChain.

I would do a merge request myself, but again, I don't speak JavaScript.
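The checks discussed in this issue, in the preceding question about a fake long chain, and in the earlier question about altering Stephan's vote, as one added example that is not naivechain's code. It uses Node's built-in crypto module instead of CryptoJS; the names hashOf, buildChain, isValidSubchain and extensionOf, the genesis block and the vote strings are assumptions constructed for illustration.

```javascript
const { createHash } = require('crypto');

// SHA-256 over all four fields joined into one string, so any field change alters the hash.
const hashOf = (b) => createHash('sha256')
  .update(String(b.index) + b.previousHash + String(b.timestamp) + b.data).digest('hex');

// Constructed sample data: a genesis block plus one block per vote from the question.
const genesis = { index: 0, previousHash: '0', timestamp: 0, data: 'genesis' };
genesis.hash = hashOf(genesis);
const votes = ['Jack:A', 'Maria:B', 'Stephan:A', 'Suzanna:A', 'Tom:A'];

const buildChain = (items) => items.reduce((chain, data, i) => {
  const prev = chain[chain.length - 1];
  const block = { index: prev.index + 1, previousHash: prev.hash, timestamp: i + 1, data };
  block.hash = hashOf(block);
  return chain.concat([block]);
}, [genesis]);

// Validate `blocks` as a continuation of `anchor` (the "pseudo-genesis" of the suggestion):
// each block must follow its predecessor and carry a hash that matches its own content.
const isValidSubchain = (anchor, blocks) => {
  let prev = anchor;
  for (const b of blocks) {
    if (b.index !== prev.index + 1 || b.previousHash !== prev.hash) return false;
    if (hashOf(b) !== b.hash) return false;
    prev = b;
  }
  return true;
};

// Return the blocks to append, or null unless `received` is longer, holds our latest
// block at the same position, and everything after that block validates.
const extensionOf = (held, received) => {
  const latest = held[held.length - 1];
  const same = received[latest.index];
  if (received.length <= held.length || !same || same.hash !== latest.hash) return null;
  const suffix = received.slice(latest.index + 1);
  return isValidSubchain(latest, suffix) ? suffix : null;
};

// Changing Stephan's vote breaks validation, even if the attacker re-hashes that block.
const tampered = JSON.parse(JSON.stringify(buildChain(votes)));
tampered[3].data = 'Stephan:B';
console.log(isValidSubchain(genesis, tampered.slice(1))); // false: stored hash is stale
tampered[3].hash = hashOf(tampered[3]);
console.log(isValidSubchain(genesis, tampered.slice(1))); // false: next previousHash breaks
```

Under this rule a node never switches to a competing branch, so legitimate forks are not resolved; it only rules out replacing history the node already holds.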

blockchain invalid error when syncing a longer blockchain

Created 2 nodes,
node1 has 41 blocks created using mineBlock API
node2 has only genesis block
when node 2 is connected to peer node1, it gives following error and fails to replace the blockchain

blockchain possibly behind. We got: 0 Peer got: 41
Received blockchain is longer than current blockchain
Received blockchain invalid

The error is likely to be because of the first condition in isValidChain when called from replaceChain.


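var isValidChain = (blockchainToValidate) => {
    // First condition: the received chain must start with the same genesis block.
    if (JSON.stringify(blockchainToValidate[0]) !== JSON.stringify(getGenesisBlock())) {
        return false;
    }
    // ... (remainder of the function is not quoted in the issue)
};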

Performing a JSON.stringify on an object will not always give the same value as objects are unordered.

Unknown Errors

My system info is- Windows 10 64-bit.
I am getting multiple errors, I don't know what to do. I tried the IBM blockchain ibm.com/developerworks/library/j-chaincode-for-java-developers/index.html code also but it also caused a lot of errors.
One of the errors I am getting is - "received blockchain is not longer than received blockchain. Do nothing" upon running docker-compose up.
Here are the screenshots of my code errors.
1st-https://imgur.com/a/N0yzU
2nd-https://imgur.com/a/9BMtu

I am getting an error on curl commands, even though I have installed curl to run on Windows.
Any help is appreciated.

Upgrade Required

Hi,

So I spun it up and added 2 peers and connected them with the initial one. I added 2 blocks on the first peer.

When I try to see if this block was picked up by other peers, it says Upgrade Required

MacBook-Pro:naivechain akshay$ curl http://localhost:6001/mineBlock
Upgrade RequiredMacBook-Pro:naivechain akshay$

What needs to be done?

'peervote' is not in the npm registry

I run this project on Ubuntu 16.04 and the npm version is 3.5.2.
When I run
docker-compose up
it says 'peervote' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)

Could someone help me? Thank you!

Proof-of-Work

Instead of blindly copying the usual Proof-of-Work implementation, I vaguely suggest taking a different path.
