Skip to content

Commit

Permalink
Minor audit issues (#1741)
Browse files Browse the repository at this point in the history
* chore: clarify isSafeImageUrl tests

* fix: use TALISMAN_WEB_APP_DOMAIN in paraverse protector instead of hard coded domain
  • Loading branch information
chidg authored Dec 11, 2024
1 parent 4c49a13 commit d66ed78
Show file tree
Hide file tree
Showing 2 changed files with 14 additions and 11 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import { checkHost } from "@polkadot/phishing"
import { Dexie } from "dexie"
import metamaskInitialData from "eth-phishing-detect/src/config.json"
import MetamaskDetector from "eth-phishing-detect/src/detector"
import { log } from "extension-shared"
import { log, TALISMAN_WEB_APP_DOMAIN } from "extension-shared"
import { decompressFromUTF16 } from "lz-string"

import { sentry } from "../../../config/sentry"
Expand All @@ -20,7 +20,10 @@ const COMMIT_PATH = "/commits/master"

const REFRESH_INTERVAL_MIN = 20

const DEFAULT_ALLOW = ["talisman.xyz", "app.talisman.xyz"]
const DEFAULT_ALLOW = [
TALISMAN_WEB_APP_DOMAIN, // app.talisman.xyz
TALISMAN_WEB_APP_DOMAIN.split(".").slice(1).join("."), // talisman.xyz
]

type HostList = { allow: string[]; deny: string[] }

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -92,14 +92,14 @@ describe("Test ethereum helpers", () => {
})

test("isSafeImageUrl", () => {
expect(isSafeImageUrl("https://localhost/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://127.0.0.1/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://192.168.0.1/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://172.19.0.1/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://10.0.0.1/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://legit-domain:666/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("http://legit-domain/evilsvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://legit-domain/evilsvgfile_(1).js")).toEqual(false)
expect(isSafeImageUrl("https://legit-domain/chadsvgfile_(1).svg")).toEqual(true)
expect(isSafeImageUrl("https://localhost/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://127.0.0.1/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://192.168.0.1/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://172.19.0.1/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://10.0.0.1/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("https://legit-domain:666/anysvgfile_(1).svg")).toEqual(false)
expect(isSafeImageUrl("http://legit-domain/anysvgfile_(1).svg")).toEqual(false) // uses http
expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).js")).toEqual(false)
expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).svg")).toEqual(true)
})
})

0 comments on commit d66ed78

Please sign in to comment.