fix: Fix eth_signTypedData signatures containing 0x (#7886)
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (main vs #7886):

            main     #7886    +/-
  Coverage  37.44%   37.44%
  Files     1052     1052
  Lines     28193    28193
  Branches  2517     2517
  Hits      10557    10557
  Misses    17037    17037
  Partials  599      599
FYI, pending release proposals for actually fixing the issue in
Alternatively/additionally, #7902 should resolve the issue by replacing both affected versions with fixed updates.
Socket: Updated dependencies detected.

Socket: 👍 Dependency issues cleared. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Thanks @legobeat ! That does look like a simpler solution than a patch. I've stolen that commit from your PR and paired it with a test-dapp bump, so that we can consolidate the e2e test coverage and test evidence in one place.
@SocketSecurity ignore @metamask/eth-sig-util@6.0.2
This would be ready for review, except that attempts to test this are blocked by #7920. The e2e regression tests are failing for that same reason.
Passing e2e smoke test run: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/5b720d88-8e03-4a03-aa55-e55452fa0bb2
Passing e2e regression test run: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/36bd1108-3d0e-46b2-8273-bd0b46849cfc
E2E test started on Bitrise: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/aabbb8b7-bda6-4046-af19-c34f754644fa
The v8 release includes an update to the example message used by the `eth_signTypedData_v4` button. The updated message was affected by the bug that this PR should resolve.
@Gudahtt this PR is ✅
In addition to what the E2E tests covered, I also tested signing transactions using keystone.
Additionally I went ahead and did a quick smoke test on one of the dapps used to reproduce the issue.
Scenario:
1. connect to dapp via WC
2. proceed to sign a txn.
Upon doing so I no longer can reproduce the bug:
iOS: http://recordit.co/aPTiJWrDDq
Android: http://recordit.co/Xpu37j5zVI
Compared to prod where the bug is reproducible: http://recordit.co/UjZ4hqsjHy
Hi @Gudahtt , do you think this issue is related?
No release label at all on PR. Adding release label release-7.12.5 on PR, as PR was cherry-picked in branch 7.12.5.
Description

In v7.10.0, signatures including a `bytes` field with the value `0x` were being encoded differently than before. Previously the string `0x` was interpreted as an "empty" hex number, but as of v7.10.0 they were encoded as the string "0x". This change was not intentional, and it resulted in invalid signatures.

This problem was introduced in `@metamask/eth-sig-util@6.0.1` (see here for details: MetaMask/eth-sig-util#340). This package was introduced to mobile when `@metamask/keyring-controller` was updated to v6 (#7267). The keyrings themselves still use `@metamask/eth-sig-util@5.0.1`, but the `KeyringController` is signing these messages directly rather than delegating to the keyrings, which is why the newer `@metamask/eth-sig-util` package is used here.

This has been resolved by updating all affected versions of `@metamask/eth-sig-util`.

Related issues

Fixes #7792

Manual testing steps

eth_signTypedData_v4
Screenshots/Recordings
Before
https://recordit.co/xejXpo4mlh
After
https://recordit.co/NnnpxbCVRB
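The encoding mistake the description above explains, as an added JavaScript example that is not code from MetaMask mobile or from `@metamask/eth-sig-util`. In EIP-712 `encodeData`, a `bytes` field contributes `keccak256(rawBytes)` to the struct hash, so the whole bug lives in one step: how the JSON value of that field is turned into raw bytes before hashing. `hexToBytes` is the specification-following decoder; `hexToBytesRegressed` is a hypothetical reconstruction of the behaviour the description reports (treating `0x` as the text "0x"), not the library's actual code. The function names and the sample values are this example's own.

```javascript
// Added example, not code from the MetaMask repository or from @metamask/eth-sig-util.
// It shows the one step the regression touched: turning the JSON value of an EIP-712
// `bytes` field into the byte string that keccak256 hashes inside encodeData().
// Function names and the "regressed" variant are this example's own reconstruction.
'use strict';

function stripHexPrefix(value) {
  return value.startsWith('0x') || value.startsWith('0X') ? value.slice(2) : value;
}

// Specification-following decoding: a hex string, with or without the 0x prefix,
// becomes raw bytes. "0x" is a prefix with no digits, so it decodes to zero bytes,
// which is exactly what an empty EIP-712 `bytes` value is.
function hexToBytes(value) {
  if (typeof value !== 'string') {
    throw new TypeError('bytes field value must be a string');
  }
  const hex = stripHexPrefix(value);
  if (!/^[0-9a-fA-F]*$/.test(hex)) {
    throw new Error(`not a hex string: ${JSON.stringify(value)}`);
  }
  if (hex.length % 2 !== 0) {
    throw new Error(`odd-length hex string: ${JSON.stringify(value)}`);
  }
  return Uint8Array.from(Buffer.from(hex, 'hex'));
}

// Hypothetical reconstruction of the regressed path described in the PR: the value is
// only treated as hex when it carries hex digits after the prefix; anything else is
// UTF-8 encoded as plain text. "0x" therefore becomes the two ASCII bytes 30 78 rather
// than the empty byte string, so the struct hash, and with it the signature, changes.
function hexToBytesRegressed(value) {
  const hex = stripHexPrefix(value);
  if (hex.length > 0 && hex.length % 2 === 0 && /^[0-9a-fA-F]+$/.test(hex)) {
    return Uint8Array.from(Buffer.from(hex, 'hex'));
  }
  return Uint8Array.from(Buffer.from(value, 'utf8'));
}

function toHex(bytes) {
  return Buffer.from(bytes).toString('hex');
}

// For each candidate `bytes` value, report whether both decoders feed the same
// preimage to keccak256. Any row where they differ is a value whose signature,
// produced by the regressed encoder, fails verification against a spec-following one.
function compareBytesPreimages(values) {
  return values.map((value) => {
    const spec = toHex(hexToBytes(value));
    const regressed = toHex(hexToBytesRegressed(value));
    return { value, spec, regressed, sameSignature: spec === regressed };
  });
}

// Just the values on which the regressed decoder diverges from the specification.
function divergingValues(values) {
  return compareBytesPreimages(values)
    .filter((row) => !row.sameSignature)
    .map((row) => row.value);
}

// Constructed sample values: an empty bytes field spelled as "0x", a single zero byte,
// a non-empty payload, and an unprefixed empty string.
const SAMPLE_BYTES_VALUES = ['0x', '0x00', '0xdeadbeef', ''];

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.table(compareBytesPreimages(SAMPLE_BYTES_VALUES));
}
```

Run with `node` to print the comparison table; only the `"0x"` row differs, which is why a dapp whose typed-data message carried an empty `bytes` field (like the updated `eth_signTypedData_v4` example message mentioned above) saw signatures that did not verify, while messages with non-empty `bytes` values were unaffected. The strict decoder also rejects odd-length and non-hex input instead of silently falling back to text, so a malformed value surfaces as an error rather than as a signature over unintended bytes.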