Properly secure snap and ethereum request functions (#1214)

MetaMask · Feb 20, 2023 · dea4030 · dea4030
1 parent 27791fd
commit dea4030
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts b/packages/snaps-execution-environments/src/common/BaseSnapExecutor.ts
@@ -384,7 +384,8 @@ export class BaseSnapExecutor {
 
     const request = async (args: RequestArguments) => {
       assert(
-        args.method.startsWith('wallet_') || args.method.startsWith('snap_'),
+        String.prototype.startsWith.call(args.method, 'wallet_') ||
+          String.prototype.startsWith.call(args.method, 'snap_'),
         'The global Snap API only allows RPC methods starting with `wallet_*` and `snap_*`.',
       );
       this.notify({ method: 'OutboundRequest' });
@@ -427,7 +428,7 @@ export class BaseSnapExecutor {
 
     const request = async (args: RequestArguments) => {
       assert(
-        !args.method.startsWith('snap_'),
+        !String.prototype.startsWith.call(args.method, 'snap_'),
         ethErrors.rpc.methodNotFound({
           data: {
             method: args.method,

diff --git a/packages/snaps-execution-environments/src/common/test-utils/endowments.ts b/packages/snaps-execution-environments/src/common/test-utils/endowments.ts
@@ -52,7 +52,7 @@ export function getMockedStreamProvider() {
 
   const request = async (args: RequestArguments) => {
     assert(
-      !args.method.startsWith('snap_'),
+      !String.prototype.startsWith.call(args.method, 'snap_'),
       ethErrors.rpc.methodNotFound({
         data: {
           method: args.method,