[Bug]: PPOM - extension crashes with an error when performing Malicious permit with integer address #25733
Labels: regression-RC-12.1.0; Sev2-normal (Normal severity; minor loss of service or inconvenience); team-confirmations (Push issues to confirmations team); type-bug
Comments
sleepytanya added the type-bug, team-confirmations (Push issues to confirmations team) and regression-RC-12.1.0 labels on Jul 10, 2024
To be cherry-picked into RC 12.1.0.
gauthierpetetin added the Sev2-normal (Normal severity; minor loss of service or inconvenience) label on Jul 15, 2024
This was referenced Jul 17, 2024 (Closed): Blocked by #26287.
benjisclowder pushed a commit that referenced this issue on Aug 21, 2024:
…etamask/transaction-controller` to `^35.1.1` (#26143)

## **Description**

Updates `@metamask/eth-json-rpc-middleware` from `^12.1.1` to `^14.0.0`.

- This version bump comes with a large number of regressions, most of them type errors.
- This is because the package's dependencies are also updated by multiple major versions, and the changes include improved, stricter types (especially in `@metamask/utils`).

[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/26143?quickstart=1)

## **Related issues**

- Closes #26287
- Blocks:
  - MetaMask/MetaMask-planning#2991
  - MetaMask/MetaMask-planning#2810
  - #25733

## Changelog

### Added

- Add and export `PPOMMiddlewareRequest` type for `JsonRpcRequest` types that include the `securityAlertResponse` property.
  - `securityAlertResponse` is defined as both optional and nullable.
- Add `PPOMRequest` type for `eth-sendTransaction` requests.

### Changed

- **BREAKING:** Bump `@metamask/eth-json-rpc-middleware` from `^12.1.1` to `^14.0.0`.
- **BREAKING:** Bump `@metamask/transaction-controller` from `^34.0.0` to `^35.1.1`.
- **BREAKING:** Redefine `SecurityAlertsAPIRequest` as a `JsonRpcRequest` type that accepts `unknown[]` as its `params` type.
  - Widen the `request` parameters of the functions `validateWithController` and `validateWithAPI` to include `SecurityAlertsAPIRequest`.
- Bump `@trezor/connect-web` from `9.2.2` to `9.3.0`.

### Fixed

- **BREAKING:** Narrow `Params` generic parameter of `createPPOMMiddleware` function from `JsonRpcParams` to `(string | { to: string })[]`.
- Add `Params` generic parameter to `handleSnapRequest` function, which defaults to `JsonRpcParams`.
  - `handleSnapRequest` can now be typed correctly with any `params` object.

### Security

- **BREAKING:** Typed signature validation only replaces `0X` prefix with `0x`, and contract address normalization is removed for decimal and octal values.
  - Threat actors have been manipulating `eth_signTypedData_v4` fields to cause failures in blockaid's detectors.
  - Extension crashes with an error when performing Malicious permit with a non-0x prefixed integer address.
- This fixes an issue where the key value row or petname component disappears if a signed address is prefixed by "0X" instead of "0x".

## **Manual testing steps**

## **Screenshots/Recordings**

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---------

Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com>
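As an added example (not code from the commit above and not MetaMask's implementation), the JavaScript below shows the shape of address-field handling that the Security entry describes: the only normalization an `address`-typed field receives is the `0X` prefix becoming `0x`, and decimal, octal, short or non-string values are reported as validation failures so the request can be surfaced as a warning instead of crashing the renderer. The function names (`normalizeAddressField`, `validateTypedDataAddresses`, `decideSignatureRequest`), the decision labels and the sample EIP-2612-style permit are assumptions made for this example; the PPOM/Blockaid detector call itself is out of scope.

```javascript
// Added example (not MetaMask's code): strict handling of `address` fields in an
// EIP-712 typed-data request. Assumption: the only normalization performed is the
// "0X" -> "0x" prefix fix; everything else that is not a 20-byte hex string is
// reported, never coerced.

const ADDRESS_RE = /^0[xX][0-9a-fA-F]{40}$/;

// Returns { ok: true, address } for a well-formed address, or { ok: false, reason }
// for anything else. Never throws, so a crafted field cannot take the UI down.
function normalizeAddressField(value) {
  if (typeof value !== 'string') {
    return { ok: false, reason: `expected string, got ${typeof value}` };
  }
  if (!ADDRESS_RE.test(value)) {
    // Decimal ("123456"), octal ("0o17"), short or non-hex strings are rejected
    // rather than converted into something that only looks like an address.
    return { ok: false, reason: `not a 0x-prefixed 20-byte hex address: ${JSON.stringify(value)}` };
  }
  // The single normalization: an uppercase "0X" prefix becomes "0x"; the hex body is kept as-is.
  return { ok: true, address: `0x${value.slice(2)}` };
}

// Walks `domain` and `message` using the request's own `types` table and validates
// every field declared as `address` (including `address[]` and nested structs).
function validateTypedDataAddresses(typedData) {
  const problems = [];
  const check = (type, value, path) => {
    if (type.endsWith('[]')) {
      if (!Array.isArray(value)) {
        problems.push(`${path}: expected array of ${type.slice(0, -2)}`);
        return;
      }
      value.forEach((item, i) => check(type.slice(0, -2), item, `${path}[${i}]`));
    } else if (type === 'address') {
      const result = normalizeAddressField(value);
      if (!result.ok) problems.push(`${path}: ${result.reason}`);
    } else if (typedData.types[type]) {
      // Nested struct: recurse over its declared fields; a missing object is treated as empty.
      const obj = value && typeof value === 'object' ? value : {};
      for (const field of typedData.types[type]) {
        check(field.type, obj[field.name], `${path}.${field.name}`);
      }
    }
    // Other primitives (uint256, string, bytes, ...) are outside this check.
  };
  if (typedData.types.EIP712Domain) check('EIP712Domain', typedData.domain, 'domain');
  check(typedData.primaryType, typedData.message, 'message');
  return { valid: problems.length === 0, problems };
}

// Maps the validation result to a UI decision (labels are this example's own): a
// malformed address field surfaces as a warning instead of an uncaught error.
function decideSignatureRequest(typedData) {
  const { valid, problems } = validateTypedDataAddresses(typedData);
  return {
    decision: valid ? 'run-detectors' : 'show-deceptive-request-warning',
    problems,
  };
}

// Constructed sample: an EIP-2612-style Permit with synthetic addresses.
const PERMIT_TYPES = {
  EIP712Domain: [
    { name: 'name', type: 'string' },
    { name: 'chainId', type: 'uint256' },
    { name: 'verifyingContract', type: 'address' },
  ],
  Permit: [
    { name: 'owner', type: 'address' },
    { name: 'spender', type: 'address' },
    { name: 'value', type: 'uint256' },
    { name: 'nonce', type: 'uint256' },
    { name: 'deadline', type: 'uint256' },
  ],
};
const WELL_FORMED_PERMIT = {
  types: PERMIT_TYPES,
  primaryType: 'Permit',
  domain: { name: 'Token', chainId: 1, verifyingContract: `0x${'cc'.repeat(20)}` },
  message: {
    owner: `0x${'11'.repeat(20)}`,
    spender: `0X${'AB'.repeat(20)}`, // uppercase prefix: accepted after normalization
    value: '1000',
    nonce: '0',
    deadline: '1999999999',
  },
};
// Same permit with the spender replaced by a bare decimal string.
const MALFORMED_PERMIT = {
  ...WELL_FORMED_PERMIT,
  message: { ...WELL_FORMED_PERMIT.message, spender: '123456' },
};

console.log(JSON.stringify(decideSignatureRequest(WELL_FORMED_PERMIT)));
console.log(JSON.stringify(decideSignatureRequest(MALFORMED_PERMIT)));
```

The point of driving the walk from the request's own `types` table is that every `address`-typed field is checked before any component renders it, so a field the signer never expected to be odd (a nested struct member, an array element) gets the same treatment as `spender`.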
No longer treating this as a release-blocker for v12.1, since it should be a rare occurrence and mainly done by malicious actors. Fix will go out in v12.5.
MajorLift added a commit that referenced this issue on Aug 22, 2024 (commit message repeats the one above).
MajorLift pushed commits that referenced this issue on Aug 22, 2024 (five commits) and Aug 23, 2024 (three commits); each carries the same commit message as above, with minor wording differences.
MajorLift added a commit that referenced this issue on Aug 30, 2024 (commit message repeats the one above).
Describe the bug
Malicious permit with integer address from the PPOM Malicious warning bypasses - Signatures section breaks MetaMask with an error.

Expected behavior
Deceptive request warning should be displayed.

Screenshots/Recordings
No response

Steps to reproduce
Malicious permit with integer address within the PPOM Malicious warning bypasses - Signatures section.

Error messages or log output
No response

Version
12.1.0

Build type
None

Browser
Chrome

Operating system
MacOS

Hardware wallet
No response

Additional context
No response

Severity
No response