mirror of
https://github.com/kremalicious/metamask-extension.git
synced 2024-11-25 20:02:58 +01:00
cef95f8733
We currently store the JSON-RPC request and response objects in the permission activity log. The utility of doing this was always rather dubious, but never problematic. Until now. In Flask, as the restricted methods have expanded in number, user secrets may be included on JSON-RPC message objects. This PR removes these properties from the permission activity log, and adds a migration which does the same to existing log objects. We don't interact with the log objects anywhere in our codebase, but we don't want unexpected properties to cause errors in the future should any log objects be retained. This PR also updates relevant tests and test data. It makes a minor functional change to how a request is designated as a success or failure, but this should not change any behavior in practice.
41 lines
1015 B
JavaScript
41 lines
1015 B
JavaScript
import { cloneDeep } from 'lodash';
|
|
|
|
const version = 70;
|
|
|
|
/**
|
|
* Removes the `request` and `response` properties from
|
|
* `PermissionLogController.permissionActivityLog` objects.
|
|
*/
|
|
export default {
|
|
version,
|
|
async migrate(originalVersionedData) {
|
|
const versionedData = cloneDeep(originalVersionedData);
|
|
versionedData.meta.version = version;
|
|
const state = versionedData.data;
|
|
const newState = transformState(state);
|
|
versionedData.data = newState;
|
|
return versionedData;
|
|
},
|
|
};
|
|
|
|
function transformState(state) {
|
|
if (Array.isArray(state?.PermissionLogController?.permissionActivityLog)) {
|
|
const {
|
|
PermissionLogController: { permissionActivityLog },
|
|
} = state;
|
|
|
|
// mutate activity log entries in place
|
|
permissionActivityLog.forEach((logEntry) => {
|
|
if (
|
|
logEntry &&
|
|
typeof logEntry === 'object' &&
|
|
!Array.isArray(logEntry)
|
|
) {
|
|
delete logEntry.request;
|
|
delete logEntry.response;
|
|
}
|
|
});
|
|
}
|
|
return state;
|
|
}
|