m/metamask-extension
1
0
Fork 0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-10-23 03:36:18 +02:00
Code
55d8ec0572
metamask-extension/test/e2e/tests/phishing-detection.spec.js

166 lines
5.6 KiB
JavaScript
Raw Normal View History

E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
const { strict: assert } = require('assert');
const { convertToHexValue, withFixtures } = require('../helpers');
E2e test fixtures (#16061) * remove state.json files * move file * Update Readme * Create fixture builder * load test fixture * remove redundant method * update snap tests * update stats tests * update extension tests * update extension tests * Update fixture data * snap test dapp connection * Update fixture data * add onboarding fixture * use onboarding fixture * reuse import account vault * remove unnecessary use of class * use fixture builder in new tests * switch to function * update default fixture * update default fixture * update test * update 1559 test fixttures * update 1559 test fixtures * update 1559 test fixtures * dismiss 3box whats new * remove redundant code * move docs * remove unused code * token detection * use default timeout * remove redundant code * Update fixture builder hide `Protect your funds` dialog remove browser environment remove default network details hide dismiss seed backup reminder recursively merges fixture data * add token to tokencontroller * remove network details * add missing identities to preference controller * remove duplicate properties * update bip-32 to use fixturebuilder * alphabetise snap permissions * update get snaps to use fixturebuilder * Update test-snap-bip-32.spec.js wait for window * add popular network state * update test * lint
2022-10-28 10:42:12 +02:00
const FixtureBuilder = require('../fixture-builder');
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
Bump controllers v30.0.2 (#14906) * bump @metamask/controllers to v30.0.2 and adapt
2022-07-18 16:43:30 +02:00
const PHISHFORT_CDN_URL =
Updating controller dependency (#16033) * Updating controller dependency * fix * fix * fix * fix * fixes * Lavamoat auto * Update URLs for phishing detection testcase * update lavamoat files * call phishingController.test synchronously again * bump @metamask/controllers to v32.0.1 * lint * update policy files * bump controllers version again * modify update phishing list strategy * revert back to use isOutOfDate, but without blocking substream * possible way to fix e2e tests? * enable testing * Remove promise return from setupController in background.js, as it is no longer used * Ensure updatePhishingLists is called in MM contrller constructer, so that phishing lists are updated right away Co-authored-by: seaona <mariona@gmx.es> Co-authored-by: Alex <adonesky@gmail.com> Co-authored-by: Dan Miller <danjm.com@gmail.com>
2022-10-25 06:54:02 +02:00
'https://static.metafi.codefi.network/api/v1/lists/phishfort_hotlist.json';
Bump controllers v30.0.2 (#14906) * bump @metamask/controllers to v30.0.2 and adapt
2022-07-18 16:43:30 +02:00
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
describe('Phishing Detection', function () {
E2e improve mocking (#13841) * improve mocking * improve mocking * Unnecessary await
2022-03-07 20:23:04 +01:00
async function mockPhishingDetection(mockServer) {
await mockServer
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
.forGet(
Updating controller dependency (#16033) * Updating controller dependency * fix * fix * fix * fix * fixes * Lavamoat auto * Update URLs for phishing detection testcase * update lavamoat files * call phishingController.test synchronously again * bump @metamask/controllers to v32.0.1 * lint * update policy files * bump controllers version again * modify update phishing list strategy * revert back to use isOutOfDate, but without blocking substream * possible way to fix e2e tests? * enable testing * Remove promise return from setupController in background.js, as it is no longer used * Ensure updatePhishingLists is called in MM contrller constructer, so that phishing lists are updated right away Co-authored-by: seaona <mariona@gmx.es> Co-authored-by: Alex <adonesky@gmail.com> Co-authored-by: Dan Miller <danjm.com@gmail.com>
2022-10-25 06:54:02 +02:00
'https://static.metafi.codefi.network/api/v1/lists/eth_phishing_detect_config.json',
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
)
.thenCallback(() => {
return {
statusCode: 200,
json: {
version: 2,
tolerance: 2,
fuzzylist: [],
whitelist: [],
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
blacklist: ['127.0.0.1'],
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
},
};
});
}
Bump controllers v30.0.2 (#14906) * bump @metamask/controllers to v30.0.2 and adapt
2022-07-18 16:43:30 +02:00
async function mockPhishfortPhishingDetection(mockServer) {
await mockServer.forGet(PHISHFORT_CDN_URL).thenCallback(() => {
return {
statusCode: 200,
json: ['127.0.0.1'],
};
});
}
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
const ganacheOptions = {
accounts: [
{
secretKey:
'0x7C9529A67102755B7E6102D6D950AC5D5863C98713805CEC576B945B15B71EAC',
balance: convertToHexValue(25000000000000000000),
},
],
};
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
it('should display the MetaMask Phishing Detection page and take the user to the blocked page if they continue', async function () {
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
await withFixtures(
{
E2e test fixtures (#16061) * remove state.json files * move file * Update Readme * Create fixture builder * load test fixture * remove redundant method * update snap tests * update stats tests * update extension tests * update extension tests * Update fixture data * snap test dapp connection * Update fixture data * add onboarding fixture * use onboarding fixture * reuse import account vault * remove unnecessary use of class * use fixture builder in new tests * switch to function * update default fixture * update default fixture * update test * update 1559 test fixttures * update 1559 test fixtures * update 1559 test fixtures * dismiss 3box whats new * remove redundant code * move docs * remove unused code * token detection * use default timeout * remove redundant code * Update fixture builder hide `Protect your funds` dialog remove browser environment remove default network details hide dismiss seed backup reminder recursively merges fixture data * add token to tokencontroller * remove network details * add missing identities to preference controller * remove duplicate properties * update bip-32 to use fixturebuilder * alphabetise snap permissions * update get snaps to use fixturebuilder * Update test-snap-bip-32.spec.js wait for window * add popular network state * update test * lint
2022-10-28 10:42:12 +02:00
fixtures: new FixtureBuilder().build(),
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
ganacheOptions,
title: this.test.title,
testSpecificMock: mockPhishingDetection,
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
dapp: true,
failOnConsoleError: false,
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
},
async ({ driver }) => {
await driver.navigate();
await driver.fill('#password', 'correct horse battery staple');
await driver.press('#password', driver.Key.ENTER);
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
await driver.openNewPage('http://127.0.0.1:8080');
await driver.clickElement({
text: 'continuing at your own risk',
});
const header = await driver.findElement('h1');
assert.equal(await header.getText(), 'E2E Test Dapp');
},
);
});
it('should display the MetaMask Phishing Detection page in an iframe and take the user to the blocked page if they continue', async function () {
await withFixtures(
{
E2e test fixtures (#16061) * remove state.json files * move file * Update Readme * Create fixture builder * load test fixture * remove redundant method * update snap tests * update stats tests * update extension tests * update extension tests * Update fixture data * snap test dapp connection * Update fixture data * add onboarding fixture * use onboarding fixture * reuse import account vault * remove unnecessary use of class * use fixture builder in new tests * switch to function * update default fixture * update default fixture * update test * update 1559 test fixttures * update 1559 test fixtures * update 1559 test fixtures * dismiss 3box whats new * remove redundant code * move docs * remove unused code * token detection * use default timeout * remove redundant code * Update fixture builder hide `Protect your funds` dialog remove browser environment remove default network details hide dismiss seed backup reminder recursively merges fixture data * add token to tokencontroller * remove network details * add missing identities to preference controller * remove duplicate properties * update bip-32 to use fixturebuilder * alphabetise snap permissions * update get snaps to use fixturebuilder * Update test-snap-bip-32.spec.js wait for window * add popular network state * update test * lint
2022-10-28 10:42:12 +02:00
fixtures: new FixtureBuilder().build(),
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
ganacheOptions,
title: this.test.title,
testSpecificMock: mockPhishingDetection,
dapp: true,
dappPaths: ['mock-page-with-iframe'],
dappOptions: {
numberOfDapps: 2,
},
failOnConsoleError: false,
},
async ({ driver }) => {
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
await driver.navigate();
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
await driver.fill('#password', 'correct horse battery staple');
await driver.press('#password', driver.Key.ENTER);
await driver.openNewPage('http://localhost:8080/');
const iframe = await driver.findElement('iframe');
await driver.switchToFrame(iframe);
Fix e2e tests The e2e tests have been updated for `@metamask/phishing-warning@1.1.0`. The iframe case was updated with a new design, which required test changes. The third test that was meant to ensure the phishing page can't redirect to an extension page has been updated to navigate directly to the phishing warning page and setting the URL manually via query parameters, as that was the only way to test that redirect.
2022-05-16 22:55:48 +02:00
await driver.clickElement({
text: 'Open this warning in a new tab',
});
await driver.switchToWindowWithTitle('MetaMask Phishing Detection');
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
await driver.clickElement({
text: 'continuing at your own risk',
});
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
const header = await driver.findElement('h1');
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
assert.equal(await header.getText(), 'E2E Test Dapp');
},
);
});
it('should display the MetaMask Phishing Detection page in an iframe but should NOT take the user to the blocked page if it is not an accessible resource', async function () {
await withFixtures(
{
E2e test fixtures (#16061) * remove state.json files * move file * Update Readme * Create fixture builder * load test fixture * remove redundant method * update snap tests * update stats tests * update extension tests * update extension tests * Update fixture data * snap test dapp connection * Update fixture data * add onboarding fixture * use onboarding fixture * reuse import account vault * remove unnecessary use of class * use fixture builder in new tests * switch to function * update default fixture * update default fixture * update test * update 1559 test fixttures * update 1559 test fixtures * update 1559 test fixtures * dismiss 3box whats new * remove redundant code * move docs * remove unused code * token detection * use default timeout * remove redundant code * Update fixture builder hide `Protect your funds` dialog remove browser environment remove default network details hide dismiss seed backup reminder recursively merges fixture data * add token to tokencontroller * remove network details * add missing identities to preference controller * remove duplicate properties * update bip-32 to use fixturebuilder * alphabetise snap permissions * update get snaps to use fixturebuilder * Update test-snap-bip-32.spec.js wait for window * add popular network state * update test * lint
2022-10-28 10:42:12 +02:00
fixtures: new FixtureBuilder().build(),
Use externally hosted phishing warning page An externally hosted phishing warning page is now used rather than the built-in phishing warning page.The phishing page warning URL is set via configuration file or environment variable. The default URL is either the expected production URL or `http://localhost:9999/` for e2e testing environments. The new external phishing page includes a design change when it is loaded within an iframe. In that case it now shows a condensed message, and prompts the user to open the full warning page in a new tab to see more details or bypass the warning. This is to prevent a clickjacking attack from safelisting a site without user consent. The new external phishing page also includes a simple caching service worker to ensure it continues to work offline (or if our hosting goes offline), as long as the user has successfully loaded the page at least once. We also load the page temporarily during the extension startup process to trigger the service worker installation. The old phishing page and all related lines have been removed. The property `web_accessible_resources` has also been removed from the manifest. The only entry apart from the phishing page was `inpage.js`, and we don't need that to be web accessible anymore because we inject the script inline into each page rather than loading the file directly. New e2e tests have been added to cover more phishing warning page functionality, including the "safelist" action and the "iframe" case.
2022-05-06 00:28:48 +02:00
ganacheOptions,
title: this.test.title,
testSpecificMock: mockPhishingDetection,
dapp: true,
dappPaths: ['mock-page-with-disallowed-iframe'],
dappOptions: {
numberOfDapps: 2,
},
failOnConsoleError: false,
},
async ({ driver }) => {
await driver.navigate();
await driver.fill('#password', 'correct horse battery staple');
await driver.press('#password', driver.Key.ENTER);
await driver.openNewPage(
`http://localhost:8080?extensionUrl=${driver.extensionUrl}`,
);
const iframe = await driver.findElement('iframe');
await driver.switchToFrame(iframe);
Fix e2e tests The e2e tests have been updated for `@metamask/phishing-warning@1.1.0`. The iframe case was updated with a new design, which required test changes. The third test that was meant to ensure the phishing page can't redirect to an extension page has been updated to navigate directly to the phishing warning page and setting the URL manually via query parameters, as that was the only way to test that redirect.
2022-05-16 22:55:48 +02:00
await driver.clickElement({
text: 'Open this warning in a new tab',
});
await driver.switchToWindowWithTitle('MetaMask Phishing Detection');
await driver.clickElement({
text: 'continuing at your own risk',
});
// Ensure we're not on the wallet home page
await driver.assertElementNotPresent('[data-testid="wallet-balance"]');
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
},
);
});
Bump controllers v30.0.2 (#14906) * bump @metamask/controllers to v30.0.2 and adapt
2022-07-18 16:43:30 +02:00
it('should display the MetaMask Phishing Detection page with the correct new issue link if the issue was detected from the phishfort list', async function () {
await withFixtures(
{
E2e test fixtures (#16061) * remove state.json files * move file * Update Readme * Create fixture builder * load test fixture * remove redundant method * update snap tests * update stats tests * update extension tests * update extension tests * Update fixture data * snap test dapp connection * Update fixture data * add onboarding fixture * use onboarding fixture * reuse import account vault * remove unnecessary use of class * use fixture builder in new tests * switch to function * update default fixture * update default fixture * update test * update 1559 test fixttures * update 1559 test fixtures * update 1559 test fixtures * dismiss 3box whats new * remove redundant code * move docs * remove unused code * token detection * use default timeout * remove redundant code * Update fixture builder hide `Protect your funds` dialog remove browser environment remove default network details hide dismiss seed backup reminder recursively merges fixture data * add token to tokencontroller * remove network details * add missing identities to preference controller * remove duplicate properties * update bip-32 to use fixturebuilder * alphabetise snap permissions * update get snaps to use fixturebuilder * Update test-snap-bip-32.spec.js wait for window * add popular network state * update test * lint
2022-10-28 10:42:12 +02:00
fixtures: new FixtureBuilder().build(),
Bump controllers v30.0.2 (#14906) * bump @metamask/controllers to v30.0.2 and adapt
2022-07-18 16:43:30 +02:00
ganacheOptions,
title: this.test.title,
testSpecificMock: mockPhishfortPhishingDetection,
dapp: true,
failOnConsoleError: false,
},
async ({ driver }) => {
await driver.navigate();
await driver.fill('#password', 'correct horse battery staple');
await driver.press('#password', driver.Key.ENTER);
await driver.openNewPage('http://127.0.0.1:8080');
const newIssueLink = await driver.findElements(
"a[href='https://github.com/phishfort/phishfort-lists/issues/new?title=[Legitimate%20Site%20Blocked]%20127.0.0.1&body=http%3A%2F%2F127.0.0.1%3A8080%2F']",
);
assert.equal(newIssueLink.length, 1);
},
);
});
E2e phishing detection (#13704) * phishing detection test * remove unused arg
2022-02-22 17:48:12 +01:00
});
Copy Permalink