-
-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor sanitization middleware #6079
Conversation
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
cccc5bf
to
14ec917
Compare
No dependency changes detected. Learn more about Socket for GitHub ↗︎ 👍 No dependency changes detected in pull request Pull request alert summary
|
bbfe0c6
to
f9107be
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This generally looks correct to me! Both the functionality and the way the middleware was integrated. I left a bunch of suggestions on improving the types.
The main question I have left is about whether we should restrict this just to eth_call
. From reading the code, it still seems like any requests bound for the network (e.g. anything not intercepted by the RPCMethodMiddleware
module) would be processed by this middleware.
I'll keep looking into that, but if you could share your method of testing that, that might be helpful. I recall you saying that you did some testing already.
f9107be
to
cdd1f99
Compare
8176cdc
to
c8247bb
Compare
I am investigating this:
Once that question is answered, this will be ready for review Edit: Also would be nice to add JSDocs |
c8247bb
to
fe4cafe
Compare
I have reviewed all supported RPC methods to see which might be affected by the santization middleware today in This middleware only affects requests with an object as the first parameter. The Infura methods with an object as the first parameter are:
|
The only first-parameter property for For It seems that the santization middleware was written to account for all known Infura/Ethereum RPC methods at the time, but doesn't count for parameters added in later EIPs. This seems to confirm that this affects all methods that reach the network middleware, not just |
I have marked this as "Spot Check on the Release Build" because this PR is anticipated to have no functional change, but the affected functionality isn't covered by any e2e tests, and adding e2e coverage would be challenging and potentially unsuited for the e2e test suite anyway. |
@Gudahtt I've double-checked your work against the Infura docs, and you are correct about I also looked at the Ethereum execution API docs, and it appears that some new RPC methods have been added since I last looked. These are the ones affected, with the parameters that would be excluded (skipping
Not sure it is worth considering these, but I've noted them for completeness. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Just one clarifying question.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I tested the test dapp as well as other dapp interactions. Nothing to report here. ✅
Development & PR Process
release-xx
label to identify the PR slated for a upcoming release (will be used in release discussion)needs-dev-review
label when work is completedneeds-qa
label when dev review is completedQA Passed
label when QA has signed offDescription
Add sanitiziation RPC middleware to process requests just before they get sent into our internal network provider. This is meant to be a refactor with no functional changes; this middleware is identical to the middleware already used today within
web3-provider-engine
.This is being added so that we can remove
web3-provider-engine
with fewer functional changes.Test Instructions
This should have no functional impact. This middleware is expected to process any RPC request not intercepted earlier in the pipeline however (essentially any request that gets sent to the RPC endpoint). It should ignore most requests (as the unit tests demonstrate), but it will process any that have an object as the first parameter. Known examples are
eth_call
,eth_estimateGas
, andeth_getLogs
.To manually test this, you could try invoking these methods with parameters that the middleware should be expected to filter out. Or invoke them with parameters that are allowed, to confirm they remain unaffected. You could also try testing requests that we anticipate are unaffected. In all cases, we should see the same behavior before and after.
The test dapp has a new "Request" page that might be useful in testing this. See the README Usage section for details: https://github.com/MetaMask/test-dapp
Issue
Closes #5846
Checklist