
walletconnect: sanitize 712 signs #5159

Merged: 4 commits merged into develop from @skylar/sanitize-signs on Nov 2, 2023

Conversation

skylarbarrera (Contributor)

Fixes APP-810

What changed (plus any additional context for devs)

Added sanitization for EIP-712 signs to match the BX.

Screen recordings / screenshots

What to test

linear bot commented Oct 25, 2023

APP-810 Verify message payload to protect from EIP 712 injection

Context: https://www.coinspect.com/wallet-EIP-712-injection-vulnerability/

This has been resolved on the BX, please see Bruno's comment below
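What the PR itself changed is not shown on this page; the following is an added illustration (not the rainbow project's code) of one form of EIP-712 payload sanitization: since EIP-712 `encodeData` only hashes the members declared in `types`, the wallet reduces the request to those members before display and reports any undeclared keys, so what the user sees matches what gets signed. The `TypedData` shape, the `Permit` sample and the `memo` / `verifyingContract` extras are constructed for the example.

```typescript
// Added example (not the rainbow PR's code): reduce an EIP-712 typed-data payload to the
// fields the hash covers. EIP-712 encodeData only encodes members declared in
// types[primaryType] (recursively); undeclared keys never reach the hash but a naive UI may render them.
type TypeField = { name: string; type: string };
type Types = Record<string, TypeField[]>;
type Struct = Record<string, unknown>;
export interface TypedData { types: Types; primaryType: string; domain: Struct; message: Struct }

// Strip one array suffix: "Person[]" -> "Person", "uint256[2]" -> "uint256".
const elementType = (t: string): string => t.replace(/\[[^\]]*\]$/, '');
// Keep only declared members, recursing into struct members and arrays of structs.
// Undeclared keys are recorded in `dropped` with their JSON path.
function sanitizeValue(types: Types, typeName: string, value: unknown, path: string, dropped: string[]): unknown {
  const elem = elementType(typeName);
  if (elem !== typeName) {
    if (!Array.isArray(value)) throw new Error(`${path}: expected array of ${elem}`);
    return value.map((v, i) => sanitizeValue(types, elem, v, `${path}[${i}]`, dropped));
  }
  const fields = types[elem];
  if (!fields) return value; // atomic or dynamic type (address, uint256, string, bytes)
  if (typeof value !== 'object' || value === null || Array.isArray(value)) {
    throw new Error(`${path}: expected struct ${elem}`);
  }
  const src = value as Struct;
  for (const k of Object.keys(src)) if (!fields.some(f => f.name === k)) dropped.push(`${path}.${k}`);
  const out: Struct = {};
  for (const f of fields) {
    if (!(f.name in src)) throw new Error(`${path}.${f.name}: declared field missing`);
    out[f.name] = sanitizeValue(types, f.type, src[f.name], `${path}.${f.name}`, dropped);
  }
  return out;
}
// Returns the payload reduced to what is hashed, plus every dropped path, so the
// UI can warn or refuse instead of silently rendering unsigned content.
export function sanitizeTypedData(data: TypedData): { clean: TypedData; dropped: string[] } {
  if (!data.types[data.primaryType]) throw new Error(`unknown primaryType ${data.primaryType}`);
  const dropped: string[] = [];
  const domain = data.types.EIP712Domain
    ? (sanitizeValue(data.types, 'EIP712Domain', data.domain, 'domain', dropped) as Struct)
    : data.domain;
  const message = sanitizeValue(data.types, data.primaryType, data.message, 'message', dropped) as Struct;
  return { clean: { types: data.types, primaryType: data.primaryType, domain, message }, dropped };
}
// Constructed sample request (not from the page): `domain.verifyingContract` and
// `message.memo` are not declared in `types`, so neither is part of the hash.
export const SAMPLE: TypedData = {
  types: { EIP712Domain: [{ name: 'name', type: 'string' }, { name: 'chainId', type: 'uint256' }],
           Permit: [{ name: 'owner', type: 'address' }, { name: 'spender', type: 'address' }, { name: 'value', type: 'uint256' }] },
  primaryType: 'Permit',
  domain: { name: 'ExampleToken', chainId: 1, verifyingContract: '0x0000000000000000000000000000000000000001' },
  message: { owner: '0x000000000000000000000000000000000000000a', spender: '0x000000000000000000000000000000000000000b',
             value: '1000', memo: 'display-only text, never hashed' },
};
```

A wallet can hash `clean` and show it, and treat a non-empty `dropped` list as a reason to warn or reject rather than render it.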

jinchung (Member)

Testing against https://se-sdk-dapp.vercel.app/

jinchung (Member) left a comment
Left a comment with wc test dapp test

ibrahimtaveras00 (Contributor) left a comment
Looked good on both OS's 👍🏽

jinchung (Member) left a comment
🌮

@jinchung jinchung merged commit 171f4ac into develop Nov 2, 2023
5 checks passed
@jinchung jinchung deleted the @skylar/sanitize-signs branch November 2, 2023 18:15
BrodyHughes added a commit that referenced this pull request Nov 15, 2023
dereknelson added a commit that referenced this pull request Dec 5, 2023