fix: Make QR scanner more strict

The QR scanner is now more strict about the contents it allows to be scanned. If the scanned QR code deviates at all from the supported formats, it will retur "unknown" as the result (as it always has for completely unrecognized QR codes). Previously we would accept QR codes with a recognized prefix even if the complete contents did not match our expectations, which has resulted in unexpected behavior.
MetaMask · Nov 18, 2024 · adc5f3c · adc5f3c
1 parent ee75939
commit adc5f3c
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/ui/components/app/modals/qr-scanner/qr-scanner.component.js b/ui/components/app/modals/qr-scanner/qr-scanner.component.js
@@ -22,6 +22,10 @@ const READY_STATE = {
   READY: 'READY',
 };
 
+const ethereumPrefix = 'ethereum:';
+// A 0x-prefixed Ethereum address is 42 characters (2 prefix + 40 address)
+const addressLength = 42;
+
 const parseContent = (content) => {
   let type = 'unknown';
   let values = {};
@@ -31,12 +35,18 @@ const parseContent = (content) => {
   // For ex. EIP-681 (https://eips.ethereum.org/EIPS/eip-681)
 
   // Ethereum address links - fox ex. ethereum:0x.....1111
-  if (content.split('ethereum:').length > 1) {
+  if (
+    content.split(ethereumPrefix).length > 1 &&
+    content.length === ethereumPrefix.length + addressLength
+  ) {
     type = 'address';
-    // uses regex capture groups to match and extract address while ignoring everything else
+    // uses regex capture groups to match and extract address
     values = { address: parseScanContent(content) };
     // Regular ethereum addresses - fox ex. 0x.....1111
-  } else if (content.substring(0, 2).toLowerCase() === '0x') {
+  } else if (
+    content.substring(0, 2).toLowerCase() === '0x' &&
+    content.length === addressLength
+  ) {
     type = 'address';
     values = { address: content };
   }