Merge pull request #18226 from MetaMask/Version-v10.26.2

Version v10.26.2 RC

.iyarc

@@ -15,3 +15,7 @@ GHSA-6fc8-4gx4-v693
 # patched version of 3.3.1. We can remove this once the
 # smart-transaction-controller updates its dependency.
 GHSA-8gh8-hqwg-xf34
+
+# request library is subject to SSRF.
+# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
+GHSA-p8p7-x288-28g6

.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch

@@ -0,0 +1,31 @@
+diff --git a/lib/redirect.js b/lib/redirect.js
+index b9150e77c73d63367845c0aec15b5684d900943f..2864f9f2abc481ecf2b2dd96b1293f5b93393efd 100644
+--- a/lib/redirect.js
++++ b/lib/redirect.js
+@@ -14,6 +14,7 @@ function Redirect (request) {
+   this.redirects = []
+   this.redirectsFollowed = 0
+   this.removeRefererHeader = false
++  this.allowInsecureRedirect = false
+ }
+ 
+ Redirect.prototype.onRequest = function (options) {
+@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
+   if (options.followOriginalHttpMethod !== undefined) {
+     self.followOriginalHttpMethod = options.followOriginalHttpMethod
+   }
++  if (options.allowInsecureRedirect !== undefined) {
++    self.allowInsecureRedirect = options.allowInsecureRedirect
++  }
+ }
+ 
+ Redirect.prototype.redirectTo = function (response) {
+@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
+   request.uri = url.parse(redirectTo)
+ 
+   // handle the case where we change protocol from https to http or vice versa
+-  if (request.uri.protocol !== uriPrev.protocol) {
++  if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
+     delete request.agent
+   }
+ 

CHANGELOG.md

@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [10.26.2]
+### Changed
+- Sign in with Ethereum: re-enable warning UI for mismatched domains / disable domain binding ([#18200](https://github.com/MetaMask/metamask-extension/pull/18200))
+
 ## [10.26.1]
 ### Fixed
 - Fix main build by modifying desktop build steps ([#18112](https://github.com/MetaMask/metamask-extension/pull/18112))
@@ -3532,7 +3536,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Uncategorized
 - Added the ability to restore accounts from seed words.
 
-[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...HEAD
+[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.26.2...HEAD
+[10.26.2]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...v10.26.2
 [10.26.1]: https://github.com/MetaMask/metamask-extension/compare/v10.26.0...v10.26.1
 [10.26.0]: https://github.com/MetaMask/metamask-extension/compare/v10.25.0...v10.26.0
 [10.25.0]: https://github.com/MetaMask/metamask-extension/compare/v10.24.2...v10.25.0

app/scripts/lib/personal-message-manager.js

@@ -153,15 +153,6 @@ export default class PersonalMessageManager extends EventEmitter {
     const siwe = detectSIWE(msgParams);
     msgParams.siwe = siwe;
 
-    if (siwe.isSIWEMessage && req.origin) {
-      const { host } = new URL(req.origin);
-      if (siwe.parsedMessage.domain !== host) {
-        throw new Error(
-          `SIWE domain is not valid: "${host}" !== "${siwe.parsedMessage.domain}"`,
-        );
-      }
-    }
-
     // create txData obj with parameters and meta data
     const time = new Date().getTime();
     const msgId = createId();

app/scripts/lib/personal-message-manager.test.js

@@ -178,15 +178,5 @@ describe('Personal Message Manager', () => {
       const result2 = messageManager.getMsg(msgId2);
       expect(result2.msgParams.siwe.isSIWEMessage).toStrictEqual(false);
     });
-
-    it("should throw an error if the SIWE message's domain doesn't match", async () => {
-      const request = { origin: 'https://mismatched-domain.com' };
-      const { host: siweDomain } = new URL(origin);
-      const { host: browserDomain } = new URL(request.origin);
-      const expectedError = `SIWE domain is not valid: "${browserDomain}" !== "${siweDomain}"`;
-      await expect(async () => {
-        await messageManager.addUnapprovedMessage(msgParams, request);
-      }).rejects.toThrow(expectedError);
-    });
   });
 });

package.json

@@ -1,6 +1,6 @@
 {
   "name": "metamask-crx",
-  "version": "10.26.1",
+  "version": "10.26.2",
   "private": true,
   "repository": {
     "type": "git",
@@ -206,7 +206,10 @@
     "lavamoat-core@^14.0.0": "patch:lavamoat-core@npm%3A14.0.0#./.yarn/patches/lavamoat-core-npm-14.0.0-0f5bdac846.patch",
     "lavamoat-core@^12.3.0": "patch:lavamoat-core@npm%3A12.4.0#./.yarn/patches/lavamoat-core-npm-12.4.0-cecca1a9b5.patch",
     "lavamoat-core@^12.4.0": "patch:lavamoat-core@npm%3A12.4.0#./.yarn/patches/lavamoat-core-npm-12.4.0-cecca1a9b5.patch",
-    "@lavamoat/snow@^1.4.1": "patch:@lavamoat/snow@npm%3A1.4.1#./.yarn/patches/@lavamoat-snow-npm-1.4.1-405a48e593.patch"
+    "@lavamoat/snow@^1.4.1": "patch:@lavamoat/snow@npm%3A1.4.1#./.yarn/patches/@lavamoat-snow-npm-1.4.1-405a48e593.patch",
+    "request@^2.83.0": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch",
+    "request@^2.88.2": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch",
+    "request@^2.85.0": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch"
   },
   "dependencies": {
     "@babel/runtime": "^7.5.5",

ui/components/app/signature-request-siwe/index.scss

@@ -21,18 +21,25 @@
     box-shadow: 0 0 7px 0 rgba(0, 0, 0, 0.08);
   }
 
+  /** @todo replace ActionableMessage or remove overwritten code. */
   .signature-request-siwe__actionable-message {
-    margin: 0 16px 16px;
+    margin: 0 16px;
+    flex-direction: row;
+    align-items: initial;
 
     .icon {
       position: absolute;
       left: 17px;
       top: 13px;
     }
-  }
 
-  .actionable-message--with-icon.actionable-message--with-right-button {
-    padding-left: 48px;
+    .actionable-message__message {
+      padding-left: 16px;
+    }
+
+    &.actionable-message--with-icon {
+      padding-left: 16px;
+    }
   }
 }
 

ui/components/app/signature-request-siwe/signature-request-siwe.js

@@ -120,7 +120,6 @@ export default function SignatureRequestSIWE({
           }
           iconFillColor="var(--color-error-default)"
           useIcon
-          withRightButton
           icon={<Icon name="danger" color={IconColor.errorDefault} />}
         />
       )}

yarn.lock

@@ -29774,7 +29774,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"request@npm:^2.83.0, request@npm:^2.85.0, request@npm:^2.88.2":
+"request@npm:2.88.2":
   version: 2.88.2
   resolution: "request@npm:2.88.2"
   dependencies:
@@ -29802,6 +29802,34 @@ __metadata:
   languageName: node
   linkType: hard
 
+"request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::locator=metamask-crx%40workspace%3A.":
+  version: 2.88.2
+  resolution: "request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::version=2.88.2&hash=2aadd7&locator=metamask-crx%40workspace%3A."
+  dependencies:
+    aws-sign2: ~0.7.0
+    aws4: ^1.8.0
+    caseless: ~0.12.0
+    combined-stream: ~1.0.6
+    extend: ~3.0.2
+    forever-agent: ~0.6.1
+    form-data: ~2.3.2
+    har-validator: ~5.1.3
+    http-signature: ~1.2.0
+    is-typedarray: ~1.0.0
+    isstream: ~0.1.2
+    json-stringify-safe: ~5.0.1
+    mime-types: ~2.1.19
+    oauth-sign: ~0.9.0
+    performance-now: ^2.1.0
+    qs: ~6.5.2
+    safe-buffer: ^5.1.2
+    tough-cookie: ~2.5.0
+    tunnel-agent: ^0.6.0
+    uuid: ^3.3.2
+  checksum: 1a64d706b36b2bdd5803c3a0fd3fee5e76e8c17d01c34f84972460fbfa5914302c300821a1fafce804d236e637f3745f3bdfbbb4219c139e112076790fc279af
+  languageName: node
+  linkType: hard
+
 "require-directory@npm:^2.1.1":
   version: 2.1.1
   resolution: "require-directory@npm:2.1.1"