fix: Sanitize signTypedDatav3v4 params before calling security API #12789

Merged
merged 1 commit into from
Dec 20, 2024

Conversation

OGPoyraz
Member

Description

This PR aims to filter request params before calling the security API if the method is signTypedDatav3v4.

Related issues

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/3830

Manual testing steps

  1. Use the following payload in the local test-dapp sign typed data v3/v4

```javascript
// Request the current account addresses from the Ethereum provider
const addresses = await window.ethereum.request({ "method": "eth_accounts" });

// Construct the JSON string for eth_signTypedData_v4, including the dynamic owner address
const jsonData = {
  domain: {
    name: "USD Coin",
    version: "2",
    chainId: "1",
    verifyingContract: "0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48"
  },
  types: {
    EIP712Domain: [
      { name: "name", type: "string" },
      { name: "version", type: "string" },
      { name: "chainId", type: "uint256" },
      { name: "verifyingContract", type: "address" }
    ],
    Permit: [
      { name: "owner", type: "address" },
      { name: "spender", type: "address" },
      { name: "value", type: "uint256" },
      { name: "nonce", type: "uint256" },
      { name: "deadline", type: "uint256" }
    ]
  },
  primaryType: "Permit",
  message: {
    owner: addresses[0],
    spender: "0xa2d86c5ff6fbf5f455b1ba2737938776c24d7a58",
    value: "115792089237316195423570985008687907853269984665640564039457584007913129639935",
    nonce: "0",
    deadline: "115792089237316195423570985008687907853269984665640564039457584007913129639935"
  }
};
```

  2. Notice that the transaction is considered malicious (which was not flagged before)

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
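The PR description says the signTypedData v3/v4 params are filtered before the security API is called, but the page does not show the filter itself. The block below is an added example, not MetaMask's code or the code merged in this PR, of the kind of normalisation one would place in front of a security-scan call: it checks the shape of the `[address, typedData]` params, walks `message` and `domain` according to `types`, keeps every `uintN` field as an exact decimal string within its bit width, and rejects a payload whose large numbers have already been collapsed to floating-point by `JSON.parse` (the situation where a scanner could otherwise see a different value than the one signed). The function names, the `SAMPLE_PARAMS` fixture (the page's test-dapp payload with a placeholder owner address) and the choice to drop fields not declared in `types` are assumptions of this example.

```javascript
// Added example, not MetaMask code: normalise eth_signTypedData_v3/v4 params
// before they are handed to a security-scan API. Names are assumed.

// Fields every EIP-712 payload must carry.
const REQUIRED_KEYS = ['types', 'domain', 'primaryType', 'message'];

// Return a canonical decimal string for a uintN value given as a decimal
// string, 0x hex string, bigint or safe integer. Anything lossy (a float
// produced by JSON.parse from an unquoted literal) or out of range is rejected.
function parseUintN(value, bits, path) {
  const max = (1n << BigInt(bits)) - 1n;
  let big;
  if (typeof value === 'bigint') {
    big = value;
  } else if (typeof value === 'number') {
    if (!Number.isSafeInteger(value) || value < 0) {
      throw new TypeError(`${path}: number is negative or not an exact integer`);
    }
    big = BigInt(value);
  } else if (typeof value === 'string' && /^(0x[0-9a-fA-F]+|[0-9]+)$/.test(value)) {
    big = BigInt(value);
  } else {
    throw new TypeError(`${path}: expected a uint${bits} as a decimal or 0x string`);
  }
  if (big > max) {
    throw new RangeError(`${path}: value does not fit in uint${bits}`);
  }
  return big.toString(10);
}

// Walk `obj` according to types[typeName]; uintN fields become canonical
// decimal strings, nested structs recurse, other fields pass through, and
// fields not declared in the type are dropped.
function sanitizeStruct(types, typeName, obj, path) {
  const fields = types[typeName];
  if (!Array.isArray(fields)) throw new TypeError(`${path}: unknown type ${typeName}`);
  if (obj === null || typeof obj !== 'object') throw new TypeError(`${path}: expected an object`);
  const out = {};
  for (const { name, type } of fields) {
    const value = obj[name];
    const fieldPath = `${path}.${name}`;
    if (value === undefined) throw new TypeError(`${fieldPath}: missing field`);
    const uint = /^uint(\d+)$/.exec(type);
    if (uint) {
      out[name] = parseUintN(value, Number(uint[1]), fieldPath);
    } else if (types[type]) {
      out[name] = sanitizeStruct(types, type, value, fieldPath); // nested struct
    } else {
      out[name] = value; // address, string, bytes, bool, arrays: unchanged
    }
  }
  return out;
}

// Entry point: params as passed to eth_signTypedData_v3/v4, i.e.
// [address, typedData] where typedData may be a JSON string or an object.
function sanitizeSignTypedDataParams(params) {
  if (!Array.isArray(params) || params.length < 2) {
    throw new TypeError('params: expected [address, typedData]');
  }
  const [from, rawData] = params;
  if (typeof from !== 'string' || !/^0x[0-9a-fA-F]{40}$/.test(from)) {
    throw new TypeError('params[0]: expected a 20-byte hex address');
  }
  const data = typeof rawData === 'string' ? JSON.parse(rawData) : rawData;
  if (data === null || typeof data !== 'object') {
    throw new TypeError('params[1]: expected a typed data object or JSON string');
  }
  for (const key of REQUIRED_KEYS) {
    if (!(key in data)) throw new TypeError(`params[1]: missing ${key}`);
  }
  if (typeof data.primaryType !== 'string' || !data.types[data.primaryType]) {
    throw new TypeError('params[1]: primaryType must name an entry in types');
  }
  const domain = data.types.EIP712Domain
    ? sanitizeStruct(data.types, 'EIP712Domain', data.domain, 'domain')
    : data.domain;
  return [from, {
    types: data.types,
    domain,
    primaryType: data.primaryType,
    message: sanitizeStruct(data.types, data.primaryType, data.message, 'message'),
  }];
}

// Constructed sample: the page's test-dapp payload with a placeholder owner.
const UINT256_MAX_DEC = '115792089237316195423570985008687907853269984665640564039457584007913129639935';
const SAMPLE_OWNER = '0x' + 'ab'.repeat(20); // placeholder, not a real account
const SAMPLE_PARAMS = [SAMPLE_OWNER, JSON.stringify({
  domain: { name: 'USD Coin', version: '2', chainId: '1',
            verifyingContract: '0xa0b86991c6218b36c1d19d4a2e9eb0ce3606eb48' },
  types: {
    EIP712Domain: [{ name: 'name', type: 'string' }, { name: 'version', type: 'string' },
                   { name: 'chainId', type: 'uint256' }, { name: 'verifyingContract', type: 'address' }],
    Permit: [{ name: 'owner', type: 'address' }, { name: 'spender', type: 'address' },
             { name: 'value', type: 'uint256' }, { name: 'nonce', type: 'uint256' },
             { name: 'deadline', type: 'uint256' }],
  },
  primaryType: 'Permit',
  message: { owner: SAMPLE_OWNER, spender: '0xa2d86c5ff6fbf5f455b1ba2737938776c24d7a58',
             value: UINT256_MAX_DEC, nonce: '0', deadline: UINT256_MAX_DEC },
})];
```

The sanitised result is what would be sent to the scanner: `value` and `deadline` survive as the exact 2^256-1 decimal string, while the same payload with those numbers unquoted is rejected rather than silently forwarded with a rounded value.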

@OGPoyraz OGPoyraz added the No QA Needed Apply this label when your PR does not need any QA effort. label Dec 19, 2024
@OGPoyraz OGPoyraz requested a review from a team as a code owner December 19, 2024 11:30
@OGPoyraz OGPoyraz changed the title Sanitize signTypedDatav3v4 params before calling security API fix: Sanitize signTypedDatav3v4 params before calling security API Dec 19, 2024
@metamaskbot metamaskbot added the team-confirmations Push issues to confirmations team label Dec 19, 2024
@OGPoyraz OGPoyraz added this pull request to the merge queue Dec 20, 2024
Merged via the queue into main with commit e9c1617 Dec 20, 2024
46 of 47 checks passed
@OGPoyraz OGPoyraz deleted the 3830-signed-type-v4-object-overflow-bypass branch December 20, 2024 07:44
@github-actions github-actions bot locked and limited conversation to collaborators Dec 20, 2024
@metamaskbot metamaskbot added the release-7.39.0 Issue or pull request that will be included in release 7.39.0 label Dec 20, 2024