mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-12 12:47:14 +01:00
metamask-extension/app/scripts/lockdown-more.js
MetaMask Bot 31d5c1cf22
Version v10.18.4 RC (#15643)
* Version v10.18.4

* Fix default currency symbol for `wallet_addEthereumChain` + improve warnings for data that doesn't match our validation expectations (#15201)

* set more appropriate default for ticker symbol when wallet_addEthereumChain is called

* throw error to dapp when site suggests network with same chainId but different ticker symbol from already added network, instead of showing error and disabled notification to user

* Fix Provider Tracking Metrics (#15082)

* fix filetype audit (#15334)

* Remove decentralized 4byte function signature registry since it contains incorrect signatures and we can't algorithmically check for best option when 4byte.directory is down (#15300)

* remove decentralized 4byte function signature registry since it is griefed and we can't algorithmically check for best option when 4byte is down

* add migration

* remove nock of on chain registry call in getMethodDataAsync test

* remove audit exclusion (#15346)

* Updates `eth-lattice-keyring` to v0.10.0 (#15261)

This is mainly associated with an update in GridPlus SDK and enables
better strategies for fetching calldata decoder data.
`eth-lattice-keyring` changes:
GridPlus/eth-lattice-keyring@v0.7.3...v0.10.0
`gridplus-sdk` changes (which includes a codebase rewrite):
GridPlus/gridplus-sdk@v1.2.3...v2.2.2

* Fix 'block link explorer on custom networks' (#13870)

* Created a logic for the 'Add a block explorer URL'

Removed unused message

Message logic rollback

Modified history push operation

WIP: Pushing before rebasing

Applied requested changes

Removed unintenionally added code

* Lint fix

* Metrics fixed

* Stop injecting provider on docs.google.com (#15459)

* Fix setting of gasPrice when on non-eip 1559 networks (#15628)

* Fix setting of gasPrice when on non-eip 1559 networks

* Fix unit tests

* Fix logic

* Update ui/ducks/send/send.test.js

Co-authored-by: Mark Stacey <markjstacey@gmail.com>

Co-authored-by: Mark Stacey <markjstacey@gmail.com>

* [GridPlus] Bumps `eth-lattice-keyring` to v0.11.0 (#15490)

* [GridPlus] Bumps `gridplus-sdk` to v2.2.4 (#15561)

* remove exclusions for mismatched object jsdoc type casing (#15351)

* Improve `tokenId` parsing and clean up `useAssetDetails` hook (#15304)

* Fix state creation in setupSentryGetStateGlobal (#15635)

* filter breadcrumbs for improved clarity while debugging sentry errors (#15639)

* Update v10.18.4 changelog (#15645)

* Auto generated changelog

* Update 10.18.4 changelog

* Run lavamoat:auto

* Call metrics event for wallet type selection at the right time (#15591)

* Fix Sentry in LavaMoat contexts (#15672)

Our Sentry setup relies upon application state, but it wasn't able to
access it in LavaMoat builds because it's running in a separate
Compartment.

A patch has been introduced to the LavaMoat runtime to allow the root
Compartment to mutate the `rootGlobals` object, which is accessible
from outside the compartment as well. This lets us expose application
state to our Sentry integration.

* Fix Sentry deduplication of events that were never sent (#15677)

The Sentry `Dedupe` integration has been filtering out our events, even
when they were never sent due to our `beforeSend` handler. It was
wrongly identifying them as duplicates because it has no knowledge of
`beforeSend` or whether they were actually sent or not.

To resolve this, the filtering we were doing in `beforeSend` has been
moved to a Sentry integration. This integration is installed ahead of
the `Dedupe` integration, so `Dedupe` should never find out about any
events that we filter out, and thus will never consider them as sent
when they were not.

* Replace `lavamoat-runtime.js` patch (#15682)

A patch made in #15672 was found to be unnecessary. Instead of setting
a `rootGlobals` object upon construction of the root compartment, we
are now creating a `sentryHooks` object in the initial top-level
compartment. I hadn't realized at the time that the root compartment
would inherit all properties of the initial compartment `globalThis`.

This accomplishes the same goals as #15672 except without needing a
patch.

* Update v10.18.4 changelog

* Fix lint issues

* Update yarn.lock

* Update `depcheck` to latest version (#15690)

`depcheck` has been updated to the latest version. This version pins
`@babel/parser` to v7.16.4 because of unresolved bugs in v7.16.5 that
result in `depcheck` failing to parse TypeScript files correctly.

We had a Yarn resolution in place to ensure `@babel/parser@7.16.4` was
being used already. That resolution is no longer needed so it has been
removed. This should resolve the issue the dev team has been seeing
lately where `yarn` and `yarn-deduplicate` disagree about the state the
lockfile should be in.

* Update yarn.lock

* Update LavaMoat policy

* deduplicate

* Update LavaMoat build policy

Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com>
Co-authored-by: Alex Donesky <adonesky@gmail.com>
Co-authored-by: Brad Decker <bhdecker84@gmail.com>
Co-authored-by: Alex Miller <asmiller1989@gmail.com>
Co-authored-by: Filip Sekulic <filip.sekulic@consensys.net>
Co-authored-by: Erik Marks <25517051+rekmarks@users.noreply.github.com>
Co-authored-by: Dan J Miller <danjm.com@gmail.com>
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Co-authored-by: seaona <54408225+seaona@users.noreply.github.com>
Co-authored-by: seaona <mariona@gmx.es>
Co-authored-by: PeterYinusa <peter.yinusa@consensys.net>
2022-08-24 19:57:47 +01:00


// Lock the intrinsic-named own properties of globalThis: each one is made
// non-configurable and, when it is a data property, non-writable as well.
// A property that is both non-configurable and non-writable is called
// "non-modifiable" here.
//
// NOTE(security): this step fails open. Any exception is logged and reported,
// and the page keeps running. Properties visited before the throw stay
// locked; the remaining ones are left as they were.
try {
  /**
   * Complements `lockdown`. According to the original author, `lockdown` only
   * hardens the properties listed in the universalPropertyNames constant of
   * 'ses/src/whitelist'; this function additionally makes the function and
   * object properties of the start compartment global non-configurable and
   * non-writable, skipping any that are already non-configurable.
   *
   * Timing matters: it is meant to run immediately after `lockdown` has been
   * called. The changes appeared non-breaking when this was written, but new
   * dependencies or a different script order in the HTML files could change
   * that, so treat edits here with care.
   *
   * Written as an IIFE so that no name leaks into global scope.
   */
  (function protectIntrinsics() {
    // Names of the own properties found on the global of a fresh Compartment.
    const namedIntrinsics = Reflect.ownKeys(new Compartment().globalThis);
    // Named intrinsics that `lockdown` does not harden automatically.
    const shouldHardenManually = new Set(['eval', 'Function']);
    const globalProperties = new Set([
      // These properties tend to be non-enumerable.
      ...namedIntrinsics,
      // TODO: Also include the named platform globals. Until then, globals
      // that are not named intrinsics are NOT covered by this function.
      // This grabs every enumerable property on globalThis.
      // ...Object.keys(globalThis),
    ]);

    for (const propertyName of globalProperties) {
      const descriptor = Reflect.getOwnPropertyDescriptor(
        globalThis,
        propertyName,
      );
      // Named in the compartment global but absent from this globalThis.
      if (!descriptor) {
        continue;
      }

      // Already non-configurable properties are left untouched, so a
      // non-configurable data property that is still writable stays writable.
      if (descriptor.configurable) {
        // `writable` cannot be combined with accessor attributes, so accessor
        // properties only lose configurability.
        const lockedAttributes = hasAccessor(descriptor)
          ? { configurable: false }
          : { configurable: false, writable: false };
        Object.defineProperty(globalThis, propertyName, lockedAttributes);
      }

      // Hardened whether or not the property itself was configurable.
      if (shouldHardenManually.has(propertyName)) {
        harden(globalThis[propertyName]);
      }
    }

    /**
     * Tells whether a property descriptor is an accessor descriptor, i.e.
     * whether it carries a `get` or a `set` key.
     *
     * @param {object} descriptor - The property descriptor to inspect.
     * @returns {boolean} True when the descriptor has `get` or `set`.
     */
    function hasAccessor(descriptor) {
      return ['set', 'get'].some((accessorKey) => accessorKey in descriptor);
    }
  })();
} catch (error) {
  console.error('Protecting intrinsics failed:', error);
  // Reported only when a Sentry client is exposed on globalThis. Only the
  // message is forwarded; the original error's stack is not.
  const reporter = globalThis.sentry;
  if (reporter && reporter.captureException) {
    reporter.captureException(
      new Error(`Protecting intrinsics failed: ${error.message}`),
    );
  }
}