From 714de0f70f2a7ca10f373ca27751aba98690c53a Mon Sep 17 00:00:00 2001
From: Alex Risch
Date: Wed, 27 Mar 2024 19:19:05 -0600
Subject: [PATCH 1/2] Update packages

Updated packages
Added state verification
---
 packages/frames-validator/package.json | 4 +-
 packages/frames-validator/src/validation.ts | 12 ++++-
 yarn.lock | 53 ++++++++++++---------
 3 files changed, 43 insertions(+), 26 deletions(-)

diff --git a/packages/frames-validator/package.json b/packages/frames-validator/package.json
index e9ade7f..2e43d44 100644
--- a/packages/frames-validator/package.json
+++ b/packages/frames-validator/package.json
@@ -43,9 +43,9 @@
 "homepage": "https://github.com/xmtp/xmtp-node-js-tools#readme",
 "packageManager": "yarn@4.0.0",
 "devDependencies": {
- "@open-frames/types": "^0.0.6",
+ "@open-frames/types": "^0.0.7",
 "@rollup/plugin-typescript": "^11.1.6",
- "@xmtp/frames-client": "^0.2.2",
+ "@xmtp/frames-client": "^0.4.3",
 "@xmtp/xmtp-js": "^11.3.12",
 "ethers": "^6.10.0",
 "rollup": "^4.13.0",
diff --git a/packages/frames-validator/src/validation.ts b/packages/frames-validator/src/validation.ts
index 43ec4c9..aaa7b35 100644
--- a/packages/frames-validator/src/validation.ts
+++ b/packages/frames-validator/src/validation.ts
@@ -70,7 +70,13 @@ async function getVerifiedWalletAddress(
 }
 
 async function checkUntrustedData(
- { url, buttonIndex, opaqueConversationIdentifier, timestamp }: UntrustedData,
+ {
+ url,
+ buttonIndex,
+ opaqueConversationIdentifier,
+ timestamp,
+ state,
+ }: UntrustedData,
 actionBody: frames.FrameActionBody,
 ) {
 if (actionBody.frameUrl !== url) {
@@ -90,4 +96,8 @@ async function checkUntrustedData(
 if (actionBody.timestamp.toNumber() !== timestamp) {
 throw new Error("Mismatched timestamp")
 }
+
+ if (actionBody.state !== state) {
+ throw new Error("Mismatched state")
+ }
 }
diff --git a/yarn.lock b/yarn.lock
index 8f0153f..e19a0a2 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1988,10 +1988,28 @@ __metadata: languageName: node linkType: hard -"@open-frames/types@npm:^0.0.6": - version: 0.0.6 - resolution: "@open-frames/types@npm:0.0.6" - checksum: 4a4b6d7850c9322dbf8a7df9a7dfddab5096cb1624161f011586c6cd302e3ee789b7e6f0430254249e50dc7e71fbe635a4a76cc053eba114dfd8983879ffbd19 +"@open-frames/proxy-client@npm:^0.2.0": + version: 0.2.1 + resolution: "@open-frames/proxy-client@npm:0.2.1" + dependencies: + "@open-frames/proxy-types": "npm:0.1.1" + checksum: ea6cdfa9d768aee30c1be69ae88a2ce6cf9da042c9ab74fb02346519520095aef4b1d388ea9f886fb4db48379c3b5573a223d3600e5cbb6b021ae4d2d339b4d3 + languageName: node + linkType: hard + +"@open-frames/proxy-types@npm:0.1.1": + version: 0.1.1 + resolution: "@open-frames/proxy-types@npm:0.1.1" + peerDependencies: + typescript: ^5.3.3 + checksum: ed7ad6d0bb7ac4d872ec4e6c39ddedb24c0a4e29da8a52fcf354f2b0c1778f18e61977b51ee8e62795b95de96ecef27db14a2b79a16e5eefc0dff9d020b7b35b + languageName: node + linkType: hard + +"@open-frames/types@npm:^0.0.7": + version: 0.0.7 + resolution: "@open-frames/types@npm:0.0.7" + checksum: da01d5e43d7e0023015d6df104163d4efe1a89b6280d54a0846a1113df6243c8531df2dd378b20e4a827e8d77db4459cd73b2ce7bcc05a799e9b989fd13d62cf languageName: node linkType: hard 
@@ -3177,16 +3195,17 @@ __metadata: languageName: unknown linkType: soft -"@xmtp/frames-client@npm:^0.2.2": - version: 0.2.2 - resolution: "@xmtp/frames-client@npm:0.2.2" +"@xmtp/frames-client@npm:^0.4.3": + version: 0.4.3 + resolution: "@xmtp/frames-client@npm:0.4.3" dependencies: "@noble/hashes": "npm:^1.3.3" - "@xmtp/proto": "npm:3.41.0-beta.5" + "@open-frames/proxy-client": "npm:^0.2.0" + "@xmtp/proto": "npm:3.45.0" long: "npm:^5.2.3" peerDependencies: "@xmtp/xmtp-js": ">9.3.1" - checksum: c3c2568e36ccd9cc9b0200b74d3058d9a9803f4dcc5981fcf7fa79b1bbc73bd22b6c16074d55e34e50cd7893c01f72da04ce5797f21b42543aceb9245bae1027 + checksum: 51563fc224a1301b47abf83101fc3bd354baef12cc05bad9145e2133788ff4e22ffe6686bbc6448614295b0cfde091089bf37b983ea5bf0302aa3ed3f3b8553e languageName: node linkType: hard @@ -3196,9 +3215,9 @@ __metadata: dependencies: "@noble/curves": "npm:^1.3.0" "@noble/hashes": "npm:^1.4.0" - "@open-frames/types": "npm:^0.0.6" + "@open-frames/types": "npm:^0.0.7" "@rollup/plugin-typescript": "npm:^11.1.6" - "@xmtp/frames-client": "npm:^0.2.2" + "@xmtp/frames-client": "npm:^0.4.3" "@xmtp/proto": "npm:3.45.0" "@xmtp/xmtp-js": "npm:^11.3.12" ethers: "npm:^6.10.0" @@ -3233,18 +3252,6 @@ __metadata: languageName: unknown linkType: soft -"@xmtp/proto@npm:3.41.0-beta.5": - version: 3.41.0-beta.5 - resolution: "@xmtp/proto@npm:3.41.0-beta.5" - dependencies: - long: "npm:^5.2.0" - protobufjs: "npm:^7.0.0" - rxjs: "npm:^7.8.0" - undici: "npm:^5.8.1" - checksum: 03e9a5d127c5f2af34d80c0b5406fcb862c04dd203142f1d225b11964f9952e811ab97e313a60d8d47c9048b29a7d2196a0c2e8c21d787425543a9e6a9b04e9f - languageName: node - linkType: hard - "@xmtp/proto@npm:3.45.0, @xmtp/proto@npm:^3.45.0": version: 3.45.0 resolution: "@xmtp/proto@npm:3.45.0" From 6dc618c791a6fd9d2b56084dd22a3199af249573 Mon Sep 17 00:00:00 2001 
From: Alex Risch
Date: Thu, 28 Mar 2024 11:13:07 -0600
Subject: [PATCH 2/2] feat: Check untrusted data

Checks for state and inputText
---
 packages/frames-validator/src/validation.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/packages/frames-validator/src/validation.ts b/packages/frames-validator/src/validation.ts
index aaa7b35..f8668bf 100644
--- a/packages/frames-validator/src/validation.ts
+++ b/packages/frames-validator/src/validation.ts
@@ -75,7 +75,8 @@ async function checkUntrustedData(
 buttonIndex,
 opaqueConversationIdentifier,
 timestamp,
- state,
+ state = "",
+ inputText = "",
 }: UntrustedData,
 actionBody: frames.FrameActionBody,
 ) {
@@ -100,4 +101,8 @@ async function checkUntrustedData(
 if (actionBody.state !== state) {
 throw new Error("Mismatched state")
 }
+
+ if (actionBody.inputText !== inputText) {
+ throw new Error("Missing input text")
+ }
 }
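Review bot: The `= ""` defaults added to `state` and `inputText` in the destructuring encode a security-relevant assumption that is not written down: a field the client omitted from the untrusted payload is treated as equal to an empty string on the signed side, which is only correct if `frames.FrameActionBody` always materialises absent string fields as `""` (the proto3 default) rather than `undefined`. That is plausible from the existing `actionBody.state !== state` comparison but cannot be confirmed from this hunk. A one-line comment above the destructuring would keep the next maintainer from "fixing" it, e.g. `// Optional fields default to "" so an omitted value compares equal to the proto's empty-string default in actionBody.` The signature of `checkUntrustedData` starts above this hunk.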
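Review bot: The error text `"Missing input text"` on the new `inputText` check misdescribes what it detects: the condition fires on any inequality, including text that is present in both places but differs, and every sibling check in this function reports a "Mismatched …" error, so it should read `throw new Error("Mismatched input text")`. Separately, if the generated `FrameActionBody` can carry `undefined` for an input field the client never filled in (not visible here), a strict comparison against the `""` default would reject a legitimately empty input; normalising the signed side, `if ((actionBody.inputText ?? "") !== inputText) {`, keeps the check just as strict while removing that failure mode. The function's closing brace is in this hunk but its body begins above it.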