From 695d0db025fff9d9b29d6ca2c03c42bfd58cf57e Mon Sep 17 00:00:00 2001
From: AugmentedMode <31675118+AugmentedMode@users.noreply.github.com>
Date: Fri, 20 Dec 2024 12:15:55 -0500
Subject: [PATCH 1/2] fix: Add main frame URL property to req object whenever
req is triggered from an iframe (#29337)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## **Description**
See the attached issue in metamask planning for more details.
[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29337?quickstart=1)
## **Related issues**
Fixes:
## **Manual testing steps**
1. Go to `https://develop.d3bkcslj57l47p.amplifyapp.com/`
2. Click on Proceed anyways (This phishing warning page here is
expected)
3. Open the network tab to monitor network requests
4. Connect your wallet and click on a signature or transaction
5. Verify that mainFrameOrigin is included in the payload of the network
request to the security alerts API
## **Screenshots/Recordings**
Below are screenshots demonstrating the behavior of a test HTML page I
created:
1. In the first screenshot, before the iframe is loaded, the console
shows only the origin of the main frame.
2. In the second screenshot, after clicking the button to load an iframe
pointing to example.com, the solution correctly identifies both the
mainFrameOrigin (main frame) and the origin (iframe).
### **Before**
### **After**
## **Pre-merge author checklist**
- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
---
.../lib/createMainFrameOriginMiddleware.ts | 24 +++++++++++++++++++
app/scripts/metamask-controller.js | 22 ++++++++++++++++-
2 files changed, 45 insertions(+), 1 deletion(-)
create mode 100644 app/scripts/lib/createMainFrameOriginMiddleware.ts
diff --git a/app/scripts/lib/createMainFrameOriginMiddleware.ts b/app/scripts/lib/createMainFrameOriginMiddleware.ts
new file mode 100644
index 000000000000..bcbc2cb7d6fd
--- /dev/null
+++ b/app/scripts/lib/createMainFrameOriginMiddleware.ts
@@ -0,0 +1,24 @@
+// Request and responses are currently untyped.
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+/**
+ * Returns a middleware that appends the mainFrameOrigin to request
+ *
+ * @param {{ mainFrameOrigin: string }} opts - The middleware options
+ * @returns {Function}
+ */
+
+export default function createMainFrameOriginMiddleware({
+ mainFrameOrigin,
+}: {
+ mainFrameOrigin: string;
+}) {
+ return function mainFrameOriginMiddleware(
+ req: any,
+ _res: any,
+ next: () => void,
+ ) {
+ req.mainFrameOrigin = mainFrameOrigin;
+ next();
+ };
+}
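Review bot: The doc comment is detached from the declaration by the blank line before `export default function` and restates types the signature already carries (`{{ mainFrameOrigin: string }}`, `{Function}`), so tooling neither attaches it nor gains anything from the braces. Drop the blank line and write the tags without types, e.g. `@param opts - The middleware options` / `@param opts.mainFrameOrigin - Origin of the top-level frame the request came through` / `@returns A middleware that sets req.mainFrameOrigin and calls next`. Since `req` originates from the page side of the connection, unconditionally overwriting `req.mainFrameOrigin` (rather than defaulting with `??=`) is the right choice; a one-line comment above the assignment, `// Always overwrite: a value already present on the request must not be trusted`, would keep a later refactor from "preserving" a caller-supplied value.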
diff --git a/app/scripts/metamask-controller.js b/app/scripts/metamask-controller.js
index 933522c449f6..62fe3c942589 100644
--- a/app/scripts/metamask-controller.js
+++ b/app/scripts/metamask-controller.js
@@ -305,6 +305,7 @@ import {
createUnsupportedMethodMiddleware,
} from './lib/rpc-method-middleware';
import createOriginMiddleware from './lib/createOriginMiddleware';
+import createMainFrameOriginMiddleware from './lib/createMainFrameOriginMiddleware';
import createTabIdMiddleware from './lib/createTabIdMiddleware';
import { NetworkOrderController } from './controllers/network-order';
import { AccountOrderController } from './controllers/account-order';
@@ -5804,11 +5805,18 @@ export default class MetamaskController extends EventEmitter {
tabId = sender.tab.id;
}
+ let mainFrameOrigin = origin;
+ if (sender.tab && sender.tab.url) {
+ // If sender origin is an iframe, then get the top-level frame's origin
+ mainFrameOrigin = new URL(sender.tab.url).origin;
+ }
+
const engine = this.setupProviderEngineEip1193({
origin,
sender,
subjectType,
tabId,
+ mainFrameOrigin,
});
const dupeReqFilterStream = createDupeReqFilterStream();
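Review bot: The comment above `mainFrameOrigin = new URL(sender.tab.url).origin` says the branch handles iframe senders, but the condition only checks that `sender.tab.url` exists, so it also runs for top-level senders (where the result equals `origin`); the comment should describe what the code does rather than when it is expected to matter. `new URL()` throws on a string it cannot parse, and this runs during connection setup with no handler in the hunk, so if a browser ever hands over an unparsable `tab.url` the whole provider setup aborts; a local guard that falls back to `origin` is cheap and keeps the existing behaviour for valid URLs. Note also that `new URL(...).origin` is the literal string `"null"` for opaque origins (non-special schemes), which would then be reported as the main frame origin — whether downstream consumers expect that is worth confirming. The enclosing method starts and ends outside this hunk.
```javascript
let mainFrameOrigin = origin;
if (sender.tab && sender.tab.url) {
  try {
    // tab.url is the top-level document of the sender's tab; for an iframe
    // sender this differs from `origin`, for a top-level sender it matches.
    mainFrameOrigin = new URL(sender.tab.url).origin;
  } catch (error) {
    // Unparsable tab URL: keep the sender origin rather than aborting setup.
    log.warn('Could not derive main frame origin from tab URL', error);
  }
}
// … unchanged: setupProviderEngineEip1193 call …
```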
@@ -5929,13 +5937,25 @@ export default class MetamaskController extends EventEmitter {
* @param {MessageSender | SnapSender} options.sender - The sender object.
* @param {string} options.subjectType - The type of the sender subject.
* @param {tabId} [options.tabId] - The tab ID of the sender - if the sender is within a tab
+ * @param {mainFrameOrigin} [options.mainFrameOrigin] - The origin of the main frame if the sender is an iframe
*/
- setupProviderEngineEip1193({ origin, subjectType, sender, tabId }) {
+ setupProviderEngineEip1193({
+ origin,
+ subjectType,
+ sender,
+ tabId,
+ mainFrameOrigin,
+ }) {
const engine = new JsonRpcEngine();
// Append origin to each request
engine.push(createOriginMiddleware({ origin }));
+ // Append mainFrameOrigin to each request if present
+ if (mainFrameOrigin) {
+ engine.push(createMainFrameOriginMiddleware({ mainFrameOrigin }));
+ }
+
// Append selectedNetworkClientId to each request
engine.push(createSelectedNetworkMiddleware(this.controllerMessenger));
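Review bot: The new JSDoc line uses the parameter name as its type, `@param {mainFrameOrigin} [options.mainFrameOrigin]`, which is not a type; it should read `@param {string} [options.mainFrameOrigin] - The origin of the tab's top-level frame, if the sender is within a tab`. It also helps to state the contract the `if (mainFrameOrigin)` guard creates: when the value is absent (or an empty string) the middleware is not pushed and `req.mainFrameOrigin` is simply never set, so consumers must treat it as optional. The enclosing method continues past the end of this hunk.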
From 547b264a3993aa4d40caad5d2993df2a1c7ca32e Mon Sep 17 00:00:00 2001
From: Pedro Figueiredo
Date: Fri, 20 Dec 2024 17:46:37 +0000
Subject: [PATCH 2/2] chore: Update to the latest transaction controller
(#29395)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
## **Description**
Updates from v42 to v42.1 in order to get the validation of the gas
limit hexadecimal string properties. See
https://github.com/MetaMask/core/pull/5093 for more details.
[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29395?quickstart=1)
## **Related issues**
Fixes: https://github.com/MetaMask/MetaMask-planning/issues/3826
## **Manual testing steps**
1. Go to this page...
2.
3.
## **Screenshots/Recordings**
### **Before**
### **After**
## **Pre-merge author checklist**
- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
---------
Co-authored-by: MetaMask Bot
---
lavamoat/browserify/beta/policy.json | 17 ++++++++++++++++-
lavamoat/browserify/flask/policy.json | 17 ++++++++++++++++-
lavamoat/browserify/main/policy.json | 17 ++++++++++++++++-
lavamoat/browserify/mmi/policy.json | 17 ++++++++++++++++-
package.json | 2 +-
yarn.lock | 24 ++++++++++++------------
6 files changed, 77 insertions(+), 17 deletions(-)
diff --git a/lavamoat/browserify/beta/policy.json b/lavamoat/browserify/beta/policy.json
index ee84b5c3e0e8..e55d57f5ec0f 100644
--- a/lavamoat/browserify/beta/policy.json
+++ b/lavamoat/browserify/beta/policy.json
@@ -1835,7 +1835,7 @@
"@metamask/network-controller": true,
"@metamask/transaction-controller>@metamask/nonce-tracker": true,
"@metamask/rpc-errors": true,
- "@metamask/utils": true,
+ "@metamask/transaction-controller>@metamask/utils": true,
"@metamask/name-controller>async-mutex": true,
"bn.js": true,
"browserify>buffer": true,
@@ -2256,6 +2256,21 @@
"semver": true
}
},
+ "@metamask/transaction-controller>@metamask/utils": {
+ "globals": {
+ "TextDecoder": true,
+ "TextEncoder": true
+ },
+ "packages": {
+ "@metamask/utils>@metamask/superstruct": true,
+ "@noble/hashes": true,
+ "@metamask/utils>@scure/base": true,
+ "browserify>buffer": true,
+ "nock>debug": true,
+ "@metamask/utils>pony-cause": true,
+ "semver": true
+ }
+ },
"@ngraveio/bc-ur": {
"packages": {
"@ngraveio/bc-ur>@keystonehq/alias-sampling": true,
diff --git a/lavamoat/browserify/flask/policy.json b/lavamoat/browserify/flask/policy.json
index ee84b5c3e0e8..e55d57f5ec0f 100644
--- a/lavamoat/browserify/flask/policy.json
+++ b/lavamoat/browserify/flask/policy.json
@@ -1835,7 +1835,7 @@
"@metamask/network-controller": true,
"@metamask/transaction-controller>@metamask/nonce-tracker": true,
"@metamask/rpc-errors": true,
- "@metamask/utils": true,
+ "@metamask/transaction-controller>@metamask/utils": true,
"@metamask/name-controller>async-mutex": true,
"bn.js": true,
"browserify>buffer": true,
@@ -2256,6 +2256,21 @@
"semver": true
}
},
+ "@metamask/transaction-controller>@metamask/utils": {
+ "globals": {
+ "TextDecoder": true,
+ "TextEncoder": true
+ },
+ "packages": {
+ "@metamask/utils>@metamask/superstruct": true,
+ "@noble/hashes": true,
+ "@metamask/utils>@scure/base": true,
+ "browserify>buffer": true,
+ "nock>debug": true,
+ "@metamask/utils>pony-cause": true,
+ "semver": true
+ }
+ },
"@ngraveio/bc-ur": {
"packages": {
"@ngraveio/bc-ur>@keystonehq/alias-sampling": true,
diff --git a/lavamoat/browserify/main/policy.json b/lavamoat/browserify/main/policy.json
index ee84b5c3e0e8..e55d57f5ec0f 100644
--- a/lavamoat/browserify/main/policy.json
+++ b/lavamoat/browserify/main/policy.json
@@ -1835,7 +1835,7 @@
"@metamask/network-controller": true,
"@metamask/transaction-controller>@metamask/nonce-tracker": true,
"@metamask/rpc-errors": true,
- "@metamask/utils": true,
+ "@metamask/transaction-controller>@metamask/utils": true,
"@metamask/name-controller>async-mutex": true,
"bn.js": true,
"browserify>buffer": true,
@@ -2256,6 +2256,21 @@
"semver": true
}
},
+ "@metamask/transaction-controller>@metamask/utils": {
+ "globals": {
+ "TextDecoder": true,
+ "TextEncoder": true
+ },
+ "packages": {
+ "@metamask/utils>@metamask/superstruct": true,
+ "@noble/hashes": true,
+ "@metamask/utils>@scure/base": true,
+ "browserify>buffer": true,
+ "nock>debug": true,
+ "@metamask/utils>pony-cause": true,
+ "semver": true
+ }
+ },
"@ngraveio/bc-ur": {
"packages": {
"@ngraveio/bc-ur>@keystonehq/alias-sampling": true,
diff --git a/lavamoat/browserify/mmi/policy.json b/lavamoat/browserify/mmi/policy.json
index 831feb96e1c5..5658498ad3a7 100644
--- a/lavamoat/browserify/mmi/policy.json
+++ b/lavamoat/browserify/mmi/policy.json
@@ -1927,7 +1927,7 @@
"@metamask/network-controller": true,
"@metamask/transaction-controller>@metamask/nonce-tracker": true,
"@metamask/rpc-errors": true,
- "@metamask/utils": true,
+ "@metamask/transaction-controller>@metamask/utils": true,
"@metamask/name-controller>async-mutex": true,
"bn.js": true,
"browserify>buffer": true,
@@ -2348,6 +2348,21 @@
"semver": true
}
},
+ "@metamask/transaction-controller>@metamask/utils": {
+ "globals": {
+ "TextDecoder": true,
+ "TextEncoder": true
+ },
+ "packages": {
+ "@metamask/utils>@metamask/superstruct": true,
+ "@noble/hashes": true,
+ "@metamask/utils>@scure/base": true,
+ "browserify>buffer": true,
+ "nock>debug": true,
+ "@metamask/utils>pony-cause": true,
+ "semver": true
+ }
+ },
"@ngraveio/bc-ur": {
"packages": {
"@ngraveio/bc-ur>@keystonehq/alias-sampling": true,
diff --git a/package.json b/package.json
index 4a7632d2d2d3..da93c6c75761 100644
--- a/package.json
+++ b/package.json
@@ -349,7 +349,7 @@
"@metamask/snaps-sdk": "^6.14.0",
"@metamask/snaps-utils": "^8.7.0",
"@metamask/solana-wallet-snap": "^1.0.4",
- "@metamask/transaction-controller": "^42.0.0",
+ "@metamask/transaction-controller": "^42.1.0",
"@metamask/user-operation-controller": "^21.0.0",
"@metamask/utils": "^10.0.1",
"@ngraveio/bc-ur": "^1.1.12",
diff --git a/yarn.lock b/yarn.lock
index e00947e58386..f45eb5cf233e 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -5095,13 +5095,13 @@ __metadata:
languageName: node
linkType: hard
-"@metamask/base-controller@npm:^7.0.0, @metamask/base-controller@npm:^7.0.1, @metamask/base-controller@npm:^7.0.2":
- version: 7.0.2
- resolution: "@metamask/base-controller@npm:7.0.2"
+"@metamask/base-controller@npm:^7.0.0, @metamask/base-controller@npm:^7.0.1, @metamask/base-controller@npm:^7.0.2, @metamask/base-controller@npm:^7.1.0":
+ version: 7.1.0
+ resolution: "@metamask/base-controller@npm:7.1.0"
dependencies:
"@metamask/utils": "npm:^10.0.0"
immer: "npm:^9.0.6"
- checksum: 10/6f78ec5af840c9947aa8eac6e402df6469600260d613a92196daefd5b072097a176fe5da1c386f2d36853513254b74140d667d817a12880c46f088e18ff3606a
+ checksum: 10/5a0b50c1e096cbf6483e308eddb3ca2e5e1865b803b5dba778bf635ec59657290895e21ada71c7508d8e34ff9695a192a414fd75e287d290346359ef8e23960a
languageName: node
linkType: hard
@@ -6446,9 +6446,9 @@ __metadata:
languageName: node
linkType: hard
-"@metamask/transaction-controller@npm:^42.0.0":
- version: 42.0.0
- resolution: "@metamask/transaction-controller@npm:42.0.0"
+"@metamask/transaction-controller@npm:^42.1.0":
+ version: 42.1.0
+ resolution: "@metamask/transaction-controller@npm:42.1.0"
dependencies:
"@ethereumjs/common": "npm:^3.2.0"
"@ethereumjs/tx": "npm:^4.2.0"
@@ -6456,13 +6456,13 @@ __metadata:
"@ethersproject/abi": "npm:^5.7.0"
"@ethersproject/contracts": "npm:^5.7.0"
"@ethersproject/providers": "npm:^5.7.0"
- "@metamask/base-controller": "npm:^7.0.2"
+ "@metamask/base-controller": "npm:^7.1.0"
"@metamask/controller-utils": "npm:^11.4.4"
"@metamask/eth-query": "npm:^4.0.0"
"@metamask/metamask-eth-abis": "npm:^3.1.1"
"@metamask/nonce-tracker": "npm:^6.0.0"
- "@metamask/rpc-errors": "npm:^7.0.1"
- "@metamask/utils": "npm:^10.0.0"
+ "@metamask/rpc-errors": "npm:^7.0.2"
+ "@metamask/utils": "npm:^11.0.1"
async-mutex: "npm:^0.5.0"
bn.js: "npm:^5.2.1"
eth-method-registry: "npm:^4.0.0"
@@ -6476,7 +6476,7 @@ __metadata:
"@metamask/eth-block-tracker": ">=9"
"@metamask/gas-fee-controller": ^22.0.0
"@metamask/network-controller": ^22.0.0
- checksum: 10/73c510803a720b4c1da0b82f1279a404a9b11c4ab76f8e5e4378c65d5d08bbb32c52062abfe319476cc3f5e2623a8987775c4524e55aa94002af73d73721b869
+ checksum: 10/9f842e2b68e84cbffdda301a0e15faab08226fd8e22eb954690ed41df60fe92c24acffdd9186b4c9f1da911a368cbe22cdb9ee046fc02d079c53f76100c66755
languageName: node
linkType: hard
@@ -26683,7 +26683,7 @@ __metadata:
"@metamask/solana-wallet-snap": "npm:^1.0.4"
"@metamask/test-bundler": "npm:^1.0.0"
"@metamask/test-dapp": "npm:8.13.0"
- "@metamask/transaction-controller": "npm:^42.0.0"
+ "@metamask/transaction-controller": "npm:^42.1.0"
"@metamask/user-operation-controller": "npm:^21.0.0"
"@metamask/utils": "npm:^10.0.1"
"@ngraveio/bc-ur": "npm:^1.1.12"