Add check against sending menmonics to search

oasisprotocol · Jul 4, 2023 · fcdd0a9 · fcdd0a9
1 parent 28a4d6d
commit fcdd0a9
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 6 deletions.
diff --git a/.changelog/656.feature.md b/.changelog/656.feature.md
@@ -0,0 +1 @@
+Add check against sending menmonics to search
diff --git a/src/app/components/Search/index.tsx b/src/app/components/Search/index.tsx
@@ -106,6 +106,11 @@ const decodeSearchErrorCode = (code: SearchErrorCode, t: TFunction): string => {
   switch (code) {
     case 'TOO_SHORT':
       return t('search.error.tooShort')
+    case 'PRIVACY':
+      return t('search.error.privacy', {
+        appName: t('pageTitle'),
+        wordsOfPower: t('search.wordsOfPower'),
+      })
     default:
       exhaustedTypeWarning('Unexpected search error code', code)
       return code

diff --git a/src/app/components/Search/privacy-protection.ts b/src/app/components/Search/privacy-protection.ts
@@ -0,0 +1,18 @@
+import { SearchError } from './search-utils'
+import { TFunction } from 'i18next'
+import { isValidMnemonic } from '../../utils/helpers'
+
+/**
+ * Try to determine whether a search term is safe to send over to the server
+ */
+export const isSafeToSend = (searchTerm: string): boolean => !isValidMnemonic(searchTerm)
+
+export const checkForSearchPrivacyProtection = (searchTerm: string, t?: TFunction): string | undefined => {
+  const wordsOfPower = t ? t('search.wordsOfPower') : undefined
+  if (!!wordsOfPower && searchTerm.toLowerCase().startsWith(wordsOfPower.toLowerCase())) {
+    return searchTerm.substring(wordsOfPower.length).trim().toLowerCase()
+  } else if (isSafeToSend(searchTerm)) {
+    return searchTerm.toLowerCase()
+  }
+  throw new SearchError('PRIVACY')
+}
diff --git a/src/app/components/Search/search-utils.ts b/src/app/components/Search/search-utils.ts
@@ -12,6 +12,7 @@ import { RouteUtils, SpecifiedPerEnabledLayer } from '../../utils/route-utils'
 import { AppError, AppErrors } from '../../../types/errors'
 import { Layer } from '../../../oasis-nexus/api'
 import { TFunction } from 'i18next'
+import { checkForSearchPrivacyProtection } from './privacy-protection'
 
 type LayerSuggestions = {
   suggestedBlock: string
@@ -20,7 +21,7 @@ type LayerSuggestions = {
   suggestedTokenFragment: string
 }
 
-export type SearchErrorCode = 'TOO_SHORT'
+export type SearchErrorCode = 'TOO_SHORT' | 'PRIVACY'
 
 export class SearchError extends Error {
   // eslint-disable-next-line @typescript-eslint/no-useless-constructor
@@ -100,11 +101,12 @@ export const validateAndNormalize = {
       return searchTerm.toLowerCase()
     }
   },
-  evmTokenNameFragment: (searchTerm: string) => {
-    if (searchTerm.length < 3) {
+  evmTokenNameFragment: (searchTerm: string, t?: TFunction) => {
+    const term = checkForSearchPrivacyProtection(searchTerm, t)
+    if (!!term && term.length < 3) {
       throw new SearchError('TOO_SHORT')
     }
-    return searchTerm
+    return term
   },
 } satisfies Record<string, ValidatorFunction>
 

diff --git a/src/locales/en/translation.json b/src/locales/en/translation.json
@@ -365,7 +365,8 @@
   "search": {
     "placeholder": "Address, Block, Contract, Txn Hash, Transaction ID, Token name, etc",
     "error": {
-      "tooShort": "Please enter at least 3 characters for a full-text search!"
+      "tooShort": "Please enter at least 3 characters for a full-text search!",
+      "privacy": "This thing that you are trying to search for looks an awful lot like a mnemonic for an Oasis wallet. Please note that this is super-secret data that should never ever be shared with anyone; not even with such excellent services as our {{ appName }}. That being said, we are not here to tell you what you can or can not do with your own data, so if you insist, we WILL search for it. So, if you really think that there is a token with a name that contains this, then in order to signify that you understand and accept the terrible risk of sending this data to our servers, please insert this to the beginning of your search: '{{ wordsOfPower }}'! (Without quotation marks, of course.) If you do so, we will comply with your command."
     },
     "mobilePlaceholder": "Search Address, Block, Txn, Token, etc",
     "noResults": {
@@ -402,6 +403,7 @@
     },
     "searchBtnText": "Search",
     "searchSuggestions": "Not sure what to look for? Try out a search: <OptionalBreak><BlockLink><BlockIcon/> Block</BlockLink>, <TransactionLink><TransactionIcon/> Transaction</TransactionLink>, <AccountLink><AccountIcon/> Address</AccountLink>, <TokenLink><TokenIcon/> Token</TokenLink> </OptionalBreak>",
-    "sectionHeader": "Results on {{ scope }}"
+    "sectionHeader": "Results on {{ scope }}",
+    "wordsOfPower": "I COMMAND THEE TO SEARCH FOR"
   }
 }