From d66ed78be8c4cdddb4e4f9c68da4a9c6975b39c6 Mon Sep 17 00:00:00 2001
From: Chid Gilovitz
Date: Wed, 11 Dec 2024 15:33:54 +0800
Subject: [PATCH] Minor audit issues (#1741)
* chore: clarify isSafeImageUrl tests
* fix: use TALISMAN_WEB_APP_DOMAIN in paraverse protector instead of hard coded domain
---
 .../app/protector/ParaverseProtector.ts | 7 +++++--
 .../ethereum/__tests__/ethereum.helpers.ts | 18 +++++++++---------
 2 files changed, 14 insertions(+), 11 deletions(-)
diff --git a/packages/extension-core/src/domains/app/protector/ParaverseProtector.ts b/packages/extension-core/src/domains/app/protector/ParaverseProtector.ts
index fe168c5828..ae618c41a8 100644
--- a/packages/extension-core/src/domains/app/protector/ParaverseProtector.ts
+++ b/packages/extension-core/src/domains/app/protector/ParaverseProtector.ts
@@ -2,7 +2,7 @@ import { checkHost } from "@polkadot/phishing"
 import { Dexie } from "dexie"
 import metamaskInitialData from "eth-phishing-detect/src/config.json"
 import MetamaskDetector from "eth-phishing-detect/src/detector"
-import { log } from "extension-shared"
+import { log, TALISMAN_WEB_APP_DOMAIN } from "extension-shared"
 import { decompressFromUTF16 } from "lz-string"
 import { sentry } from "../../../config/sentry"
@@ -20,7 +20,10 @@ const COMMIT_PATH = "/commits/master"
 const REFRESH_INTERVAL_MIN = 20
-const DEFAULT_ALLOW = ["talisman.xyz", "app.talisman.xyz"]
+const DEFAULT_ALLOW = [
+ TALISMAN_WEB_APP_DOMAIN, // app.talisman.xyz
+ TALISMAN_WEB_APP_DOMAIN.split(".").slice(1).join("."), // talisman.xyz
+]
 type HostList = { allow: string[]; deny: string[] }
diff --git a/packages/extension-core/src/domains/ethereum/__tests__/ethereum.helpers.ts b/packages/extension-core/src/domains/ethereum/__tests__/ethereum.helpers.ts
index 145859e746..50f9f974c6 100644
--- a/packages/extension-core/src/domains/ethereum/__tests__/ethereum.helpers.ts
+++ b/packages/extension-core/src/domains/ethereum/__tests__/ethereum.helpers.ts
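Review bot: The derived second allow entry, `TALISMAN_WEB_APP_DOMAIN.split(".").slice(1).join(".")`, strips the first label whatever the constant holds, so if `TALISMAN_WEB_APP_DOMAIN` is ever configured as the bare apex (`talisman.xyz`) the allowlist entry silently becomes `xyz`; depending on how the allow list is matched against hosts (not visible in this hunk), that could exempt every `.xyz` site from the phishing check. Since the commit's purpose is to stop hard-coding the domain, the derivation should fail loudly instead of degrading: `const rootDomain = TALISMAN_WEB_APP_DOMAIN.split(".").slice(1).join(".")`, then `if (!rootDomain.includes(".")) throw new Error(`refusing to allowlist "${rootDomain}" derived from TALISMAN_WEB_APP_DOMAIN`)`, then `const DEFAULT_ALLOW = [TALISMAN_WEB_APP_DOMAIN, rootDomain]`; if a module-scope throw is too aggressive for the background script, fall back to `[TALISMAN_WEB_APP_DOMAIN]` and report through `log`. A dot check still does not cover multi-label public suffixes, so the cleaner fix is to export the apex as its own constant from extension-shared alongside `TALISMAN_WEB_APP_DOMAIN` rather than deriving it here. The `// talisman.xyz` comment should also say the value is derived, so it is not read as the hard-coded literal it replaced.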
@@ -92,14 +92,14 @@ describe("Test ethereum helpers", () => {
 })
 test("isSafeImageUrl", () => {
- expect(isSafeImageUrl("https://localhost/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://127.0.0.1/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://192.168.0.1/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://172.19.0.1/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://10.0.0.1/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://legit-domain:666/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("http://legit-domain/anysvgfile_(1).svg")).toEqual(false)
- expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).js")).toEqual(false)
- expect(isSafeImageUrl("https://legit-domain/chadsvgfile_(1).svg")).toEqual(true)
+ expect(isSafeImageUrl("https://localhost/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("https://127.0.0.1/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("https://192.168.0.1/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("https://172.19.0.1/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("https://10.0.0.1/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("https://legit-domain:666/anysvgfile_(1).svg")).toEqual(false)
+ expect(isSafeImageUrl("http://legit-domain/anysvgfile_(1).svg")).toEqual(false) // uses http
+ expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).js")).toEqual(false)
+ expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).svg")).toEqual(true)
 })
 })
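Review bot: The rejection cases pinned here cover only IPv4 loopback and RFC 1918 ranges, a non-443 port, plain http and a `.js` extension, so the suite still says nothing about IPv6 loopback, the link-local/metadata range, or a non-svg path that merely ends in `.svg` inside its query string; whether `isSafeImageUrl` already rejects those cannot be seen from this hunk, which is exactly why they belong in the test. Adding `expect(isSafeImageUrl("https://[::1]/anysvgfile_(1).svg")).toEqual(false)`, `expect(isSafeImageUrl("https://169.254.169.254/anysvgfile_(1).svg")).toEqual(false)` and `expect(isSafeImageUrl("https://legit-domain/anysvgfile_(1).js?x=.svg")).toEqual(false)` would pin the intended contract. The new `// uses http` annotation is the right idea; the other false cases would read better with the same one-phrase reason (`// loopback`, `// private range`, `// non-default port`, `// not an svg`). The enclosing describe block starts before the hunk.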