[Feat]: In case Blockaid PPOM returns an unexpected result as the Features value, stringify or exclude, and send error

Open digiwand opened this issue 2 years ago • 2 comments

Describe the bug

In the PPOM JSON result, an array of features may be provided. We display this as a list under "See Details". Blockaid has mentioned that we should only expect string values in the features array.

For security purposes, we would like to handle the case when an element is not a string. If the value is not a string, then we should send an error and possibly stringify or exclude the value. Else, as @seaona mentioned in https://github.com/MetaMask/metamask-extension/issues/20691, a hexadecimal address would be converted to a number.

If ppom passes an address without stringifying it, MetaMask transforms it into a number

Expected behavior

No response

Screenshots/Recordings

No response

Steps to reproduce

  1. Go to extension codebase file ppom-middleware.ts
  2. Change line 48 with the following code:
  3. Build flask
  4. Go to test dapp and trigger any tx
  5. See all the UI issues mentioned above, by manipulating the res variable

(After removing the object one you'll be able to see the rest of the issues, as this one breaks MM)

        req.securityAlertResponse = await ppomController.usePPOM(
          async (ppom: PPOM) => {
            // Hard-coded response used to reproduce the issue
            const res = {
              "result_type": "Warning",
              "reason": "",
              "description": "",
              "features": [
                // Unquoted on purpose: evaluated as a numeric literal, not a string
                0x07Be9763a718C0539017E2Ab6fC42853b4aEeb6B,
                "The address 0x07Be9763a718C0539017E2Ab6fC42853b4aEeb6B is malicious",
                "blablabla",
                "blablabla",
                // Object element: the case that breaks MM
                {"slkjd": "sjdfsa", "ksdf": "skhdjfska"}
              ]
            };

            return res;
          },
        );

Error messages or log output

No response

Version

11.5

Build type

None

Browser

Chrome

Operating system

MacOS

Hardware wallet

No response

Additional context

No response

Severity

No response

digiwand avatar Nov 29 '23 01:11 digiwand
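An added example, not part of the original issue and not MetaMask code: one way to take the "exclude and report" option for the features array, run over a constructed response that mirrors the reproduction above. `sanitizeFeatures`, `kindOf` and the returned shape are hypothetical names; errors carry only the index and type, so an untrusted value is never echoed into a report.

```typescript
type SanitizedFeatures = { features: string[]; errors: string[] };

// Type label for error messages (typeof alone reports null and arrays as "object").
function kindOf(value: unknown): string {
  if (value === null) return "null";
  if (Array.isArray(value)) return "array";
  return typeof value;
}

// Keep string elements only; record one error per rejected element.
function sanitizeFeatures(raw: unknown): SanitizedFeatures {
  const out: SanitizedFeatures = { features: [], errors: [] };
  if (raw === undefined) return out; // features is optional in the result
  if (!Array.isArray(raw)) {
    out.errors.push(`features is ${kindOf(raw)}, expected array`);
    return out;
  }
  raw.forEach((item: unknown, index: number) => {
    if (typeof item === "string") {
      out.features.push(item);
    } else {
      // Excluded, not stringified: see coercedAddress below for why.
      out.errors.push(`features[${index}] is ${kindOf(item)}, expected string`);
    }
  });
  return out;
}

// Constructed input (assumption): same element kinds as the reproduction.
const constructedResponse = {
  result_type: "Warning",
  features: [
    0x07Be9763a718C0539017E2Ab6fC42853b4aEeb6B, // unquoted: a number
    "The address 0x07Be9763a718C0539017E2Ab6fC42853b4aEeb6B is malicious",
    "blablabla",
    "blablabla",
    { slkjd: "sjdfsa", ksdf: "skhdjfska" },
  ],
};

const sanitizedResult = sanitizeFeatures(constructedResponse.features);

// Stringifying the numeric element does not recover the address: the 160-bit
// value was already rounded to a double, so the text is exponent notation.
const coercedAddress = String(constructedResponse.features[0]);
```

Because the coerced value is no longer the address, stringifying it would display misleading text under "See Details"; excluding the element and reporting its index and type avoids that.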

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.

github-actions[bot] avatar May 08 '24 00:05 github-actions[bot]

This issue has been automatically marked as stale because it has not had recent activity in the last 90 days. It will be closed in 45 days if there is no further activity. The MetaMask team intends on reviewing this issue before close, and removing the stale label if it is still a bug. We welcome new comments on this issue. We do not intend on closing issues if they report bugs that are still reproducible. Thank you for your contributions.

github-actions[bot] avatar Aug 27 '24 02:08 github-actions[bot]