From 4f36a3121c1667f042a63dac0cb0300772952643 Mon Sep 17 00:00:00 2001
From: Ariella Vu <20778143+digiwand@users.noreply.github.com>
Date: Fri, 17 Mar 2023 10:36:20 -0700
Subject: [PATCH 1/4] Sign in with Ethereum: re-enable warning UI for
mismatched domains / disable domain binding (#18200)
* siwe: re-enable warning UI for mismatched domains
- unblocks mismatched domain support
- we may re-add error handling here #18184
- reverts logic from #16616
* siwe: fix mismatch domain warning msg UI
* lint: rm whitespace EOL
* siwe: rm unit test
* lint: fix whitespace
* Revert "siwe: rm unit test"
This reverts commit c80a4a2e661609c46c76d1e43e05909b6db3f0f5.
---------
Co-authored-by: legobeat <109787230+legobeat@users.noreply.github.com>
---
app/scripts/lib/personal-message-manager.js | 9 ---------
app/scripts/lib/personal-message-manager.test.js | 10 ----------
.../app/signature-request-siwe/index.scss | 15 +++++++++++----
.../signature-request-siwe.js | 1 -
4 files changed, 11 insertions(+), 24 deletions(-)
diff --git a/app/scripts/lib/personal-message-manager.js b/app/scripts/lib/personal-message-manager.js
index 8440fa4ce..bb0a2b0c1 100644
--- a/app/scripts/lib/personal-message-manager.js
+++ b/app/scripts/lib/personal-message-manager.js
@@ -153,15 +153,6 @@ export default class PersonalMessageManager extends EventEmitter {
const siwe = detectSIWE(msgParams);
msgParams.siwe = siwe;
- if (siwe.isSIWEMessage && req.origin) {
- const { host } = new URL(req.origin);
- if (siwe.parsedMessage.domain !== host) {
- throw new Error(
- `SIWE domain is not valid: "${host}" !== "${siwe.parsedMessage.domain}"`,
- );
- }
- }
-
// create txData obj with parameters and meta data
const time = new Date().getTime();
const msgId = createId();
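Review bot: With the throw removed, `msgParams.siwe` is stored without any check that `siwe.parsedMessage.domain` matches `req.origin`, and nothing in the new code records that this is deliberate, so a later maintainer could assume binding is enforced elsewhere. Add a comment directly after `msgParams.siwe = siwe;`, e.g. `// Domain binding is intentionally not enforced here (see #18184); a domain/origin mismatch is surfaced to the user by the SIWE warning UI.`. The only test covering this path is deleted in the next hunk, so the new accept-with-warning behaviour is not pinned by any test; one asserting that a mismatched-domain request is stored with `siwe.isSIWEMessage` true would replace it. The enclosing method (apparently `addUnapprovedMessage`, judging by the deleted test) starts and ends outside the hunk.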
diff --git a/app/scripts/lib/personal-message-manager.test.js b/app/scripts/lib/personal-message-manager.test.js
index a4f8f4613..e565c0229 100644
--- a/app/scripts/lib/personal-message-manager.test.js
+++ b/app/scripts/lib/personal-message-manager.test.js
@@ -178,15 +178,5 @@ describe('Personal Message Manager', () => {
const result2 = messageManager.getMsg(msgId2);
expect(result2.msgParams.siwe.isSIWEMessage).toStrictEqual(false);
});
-
- it("should throw an error if the SIWE message's domain doesn't match", async () => {
- const request = { origin: 'https://mismatched-domain.com' };
- const { host: siweDomain } = new URL(origin);
- const { host: browserDomain } = new URL(request.origin);
- const expectedError = `SIWE domain is not valid: "${browserDomain}" !== "${siweDomain}"`;
- await expect(async () => {
- await messageManager.addUnapprovedMessage(msgParams, request);
- }).rejects.toThrow(expectedError);
- });
});
});
diff --git a/ui/components/app/signature-request-siwe/index.scss b/ui/components/app/signature-request-siwe/index.scss
index a6de5df10..2dedc438a 100644
--- a/ui/components/app/signature-request-siwe/index.scss
+++ b/ui/components/app/signature-request-siwe/index.scss
@@ -21,18 +21,25 @@
box-shadow: 0 0 7px 0 rgba(0, 0, 0, 0.08);
}
+ /** @todo replace ActionableMessage or remove overwritten code. */
.signature-request-siwe__actionable-message {
- margin: 0 16px 16px;
+ margin: 0 16px;
+ flex-direction: row;
+ align-items: initial;
.icon {
position: absolute;
left: 17px;
top: 13px;
}
- }
- .actionable-message--with-icon.actionable-message--with-right-button {
- padding-left: 48px;
+ .actionable-message__message {
+ padding-left: 16px;
+ }
+
+ &.actionable-message--with-icon {
+ padding-left: 16px;
+ }
}
}
diff --git a/ui/components/app/signature-request-siwe/signature-request-siwe.js b/ui/components/app/signature-request-siwe/signature-request-siwe.js
index b801be970..e7d7e178a 100644
--- a/ui/components/app/signature-request-siwe/signature-request-siwe.js
+++ b/ui/components/app/signature-request-siwe/signature-request-siwe.js
@@ -120,7 +120,6 @@ export default function SignatureRequestSIWE({
}
iconFillColor="var(--color-error-default)"
useIcon
- withRightButton
icon={}
/>
)}
From f730c6c8b4345a198c56c49c9aef1c13e6519c4f Mon Sep 17 00:00:00 2001
From: MetaMask Bot
Date: Fri, 17 Mar 2023 18:19:39 +0000
Subject: [PATCH 2/4] Version v10.26.2
---
CHANGELOG.md | 7 ++++++-
package.json | 2 +-
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2f30379c3..3caea2e39 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
+## [10.26.2]
+### Uncategorized
+- Sign in with Ethereum: re-enable warning UI for mismatched domains / disable domain binding ([#18200](https://github.com/MetaMask/metamask-extension/pull/18200))
+
## [10.26.1]
### Fixed
- Fix main build by modifying desktop build steps ([#18112](https://github.com/MetaMask/metamask-extension/pull/18112))
@@ -3532,7 +3536,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
### Uncategorized
- Added the ability to restore accounts from seed words.
-[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...HEAD
+[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.26.2...HEAD
+[10.26.2]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...v10.26.2
[10.26.1]: https://github.com/MetaMask/metamask-extension/compare/v10.26.0...v10.26.1
[10.26.0]: https://github.com/MetaMask/metamask-extension/compare/v10.25.0...v10.26.0
[10.25.0]: https://github.com/MetaMask/metamask-extension/compare/v10.24.2...v10.25.0
diff --git a/package.json b/package.json
index c0e532056..7b100c4a3 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
{
"name": "metamask-crx",
- "version": "10.26.1",
+ "version": "10.26.2",
"private": true,
"repository": {
"type": "git",
From dacdaf031cd1b35a45e03041e55709d6302de4be Mon Sep 17 00:00:00 2001
From: legobeat <109787230+legobeat@users.noreply.github.com>
Date: Fri, 17 Mar 2023 23:29:39 +0900
Subject: [PATCH 3/4] security: patch request for CVE-2023-28155 (#18208)
* security: patch request for CVE-2023-28155
GHSA-p8p7-x288-28g6
Ported from https://github.com/request/request/pull/3444
* add iyarc exclusion
---
.iyarc | 4 +++
.../request-npm-2.88.2-f4a57c72c4.patch | 31 +++++++++++++++++++
package.json | 5 ++-
yarn.lock | 30 +++++++++++++++++-
4 files changed, 68 insertions(+), 2 deletions(-)
create mode 100644 .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
diff --git a/.iyarc b/.iyarc
index 3fa8de8b3..79536d383 100644
--- a/.iyarc
+++ b/.iyarc
@@ -15,3 +15,7 @@ GHSA-6fc8-4gx4-v693
# patched version of 3.3.1. We can remove this once the
# smart-transaction-controller updates its dependency.
GHSA-8gh8-hqwg-xf34
+
+# request library is subject to SSRF.
+# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
+GHSA-p8p7-x288-28g6
diff --git a/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch b/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
new file mode 100644
index 000000000..c879c340c
--- /dev/null
+++ b/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/redirect.js b/lib/redirect.js
+index b9150e77c73d63367845c0aec15b5684d900943f..2864f9f2abc481ecf2b2dd96b1293f5b93393efd 100644
+--- a/lib/redirect.js
++++ b/lib/redirect.js
+@@ -14,6 +14,7 @@ function Redirect (request) {
+ this.redirects = []
+ this.redirectsFollowed = 0
+ this.removeRefererHeader = false
++ this.allowInsecureRedirect = false
+ }
+
+ Redirect.prototype.onRequest = function (options) {
+@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
+ if (options.followOriginalHttpMethod !== undefined) {
+ self.followOriginalHttpMethod = options.followOriginalHttpMethod
+ }
++ if (options.allowInsecureRedirect !== undefined) {
++ self.allowInsecureRedirect = options.allowInsecureRedirect
++ }
+ }
+
+ Redirect.prototype.redirectTo = function (response) {
+@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
+ request.uri = url.parse(redirectTo)
+
+ // handle the case where we change protocol from https to http or vice versa
+- if (request.uri.protocol !== uriPrev.protocol) {
++ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
+ delete request.agent
+ }
+
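Review bot: The new condition in `onResponse` blocks a cross-protocol redirect only indirectly: when `allowInsecureRedirect` is false the existing agent is kept across the protocol change, and whether the follow-up request then fails, and with what error, is decided by agent code outside this patch rather than by an explicit decision in redirect.js. An explicit branch that stops following the redirect when the protocol differs and `!self.allowInsecureRedirect`, carrying an error message that names the protocol change, would make the mitigation self-contained and easier to audit; I read that as the intent of the ported upstream change but have not checked its full text. It is also worth stating in the header comment of the patch, or in the `.iyarc` note, that the `false` default at the `this.allowInsecureRedirect = false` declaration refuses http→https upgrades as well as downgrades, since callers that relied on upgrade redirects will see a behaviour change. The patched `onResponse` body continues outside the quoted hunk.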
diff --git a/package.json b/package.json
index 7b100c4a3..a29887794 100644
--- a/package.json
+++ b/package.json
@@ -206,7 +206,10 @@
"lavamoat-core@^14.0.0": "patch:lavamoat-core@npm%3A14.0.0#./.yarn/patches/lavamoat-core-npm-14.0.0-0f5bdac846.patch",
"lavamoat-core@^12.3.0": "patch:lavamoat-core@npm%3A12.4.0#./.yarn/patches/lavamoat-core-npm-12.4.0-cecca1a9b5.patch",
"lavamoat-core@^12.4.0": "patch:lavamoat-core@npm%3A12.4.0#./.yarn/patches/lavamoat-core-npm-12.4.0-cecca1a9b5.patch",
- "@lavamoat/snow@^1.4.1": "patch:@lavamoat/snow@npm%3A1.4.1#./.yarn/patches/@lavamoat-snow-npm-1.4.1-405a48e593.patch"
+ "@lavamoat/snow@^1.4.1": "patch:@lavamoat/snow@npm%3A1.4.1#./.yarn/patches/@lavamoat-snow-npm-1.4.1-405a48e593.patch",
+ "request@^2.83.0": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch",
+ "request@^2.88.2": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch",
+ "request@^2.85.0": "patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch"
},
"dependencies": {
"@babel/runtime": "^7.5.5",
diff --git a/yarn.lock b/yarn.lock
index 1e3838669..e023cfe05 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -29774,7 +29774,7 @@ __metadata:
languageName: node
linkType: hard
-"request@npm:^2.83.0, request@npm:^2.85.0, request@npm:^2.88.2":
+"request@npm:2.88.2":
version: 2.88.2
resolution: "request@npm:2.88.2"
dependencies:
@@ -29802,6 +29802,34 @@ __metadata:
languageName: node
linkType: hard
+"request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::locator=metamask-crx%40workspace%3A.":
+ version: 2.88.2
+ resolution: "request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::version=2.88.2&hash=2aadd7&locator=metamask-crx%40workspace%3A."
+ dependencies:
+ aws-sign2: ~0.7.0
+ aws4: ^1.8.0
+ caseless: ~0.12.0
+ combined-stream: ~1.0.6
+ extend: ~3.0.2
+ forever-agent: ~0.6.1
+ form-data: ~2.3.2
+ har-validator: ~5.1.3
+ http-signature: ~1.2.0
+ is-typedarray: ~1.0.0
+ isstream: ~0.1.2
+ json-stringify-safe: ~5.0.1
+ mime-types: ~2.1.19
+ oauth-sign: ~0.9.0
+ performance-now: ^2.1.0
+ qs: ~6.5.2
+ safe-buffer: ^5.1.2
+ tough-cookie: ~2.5.0
+ tunnel-agent: ^0.6.0
+ uuid: ^3.3.2
+ checksum: 1a64d706b36b2bdd5803c3a0fd3fee5e76e8c17d01c34f84972460fbfa5914302c300821a1fafce804d236e637f3745f3bdfbbb4219c139e112076790fc279af
+ languageName: node
+ linkType: hard
+
"require-directory@npm:^2.1.1":
version: 2.1.1
resolution: "require-directory@npm:2.1.1"
From ad9181c374d2602524da2b19a9e67f8251f901b9 Mon Sep 17 00:00:00 2001
From: Dan J Miller
Date: Fri, 17 Mar 2023 16:29:11 -0230
Subject: [PATCH 4/4] Update changelog
---
CHANGELOG.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3caea2e39..aca89dc0d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,7 +7,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
## [Unreleased]
## [10.26.2]
-### Uncategorized
+### Changed
- Sign in with Ethereum: re-enable warning UI for mismatched domains / disable domain binding ([#18200](https://github.com/MetaMask/metamask-extension/pull/18200))
## [10.26.1]