Merge remote-tracking branch 'origin/master' into Version-v12.10.0-me…

…rge-master1
MetaMask · Jan 7, 2025 · bd75198 · bd75198
2 parents 8a06843 + 2e0fe07
commit bd75198
Show file tree

Hide file tree

Showing 16 changed files with 511 additions and 34 deletions.
diff --git a/.yarn/patches/@metamask-assets-controllers-patch-d6ed5f8213.patch b/.yarn/patches/@metamask-assets-controllers-patch-d6ed5f8213.patch
@@ -0,0 +1,61 @@
+diff --git a/dist/multicall.cjs b/dist/multicall.cjs
+index bf9aa5e86573fc1651f421cc0b64f5af121c3ab2..43a0531ed86cd3ee1774dcda3f990dd40f7f52de 100644
+--- a/dist/multicall.cjs
++++ b/dist/multicall.cjs
+@@ -342,9 +342,22 @@ const multicallOrFallback = async (calls, chainId, provider, maxCallsPerMultical
+         return [];
+     }
+     const multicallAddress = MULTICALL_CONTRACT_BY_CHAINID[chainId];
+-    return await (multicallAddress
+-        ? multicall(calls, multicallAddress, provider, maxCallsPerMulticall)
+-        : fallback(calls, maxCallsParallel));
++    if (multicallAddress) {
++        try {
++            return await multicall(calls, multicallAddress, provider, maxCallsPerMulticall);
++        }
++        catch (error) {
++            // Fallback only on revert
++            // https://docs.ethers.org/v5/troubleshooting/errors/#help-CALL_EXCEPTION
++            if (!error ||
++                typeof error !== 'object' ||
++                !('code' in error) ||
++                error.code !== 'CALL_EXCEPTION') {
++                throw error;
++            }
++        }
++    }
++    return await fallback(calls, maxCallsParallel);
+ };
+ exports.multicallOrFallback = multicallOrFallback;
+ //# sourceMappingURL=multicall.cjs.map
+\ No newline at end of file
+diff --git a/dist/multicall.mjs b/dist/multicall.mjs
+index 8fbe0112303d5df1d868e0357a9d31e43a3b6cf9..860dfdbddd813659cb2be5f7faed5d4016db5966 100644
+--- a/dist/multicall.mjs
++++ b/dist/multicall.mjs
+@@ -339,8 +339,21 @@ export const multicallOrFallback = async (calls, chainId, provider, maxCallsPerM
+         return [];
+     }
+     const multicallAddress = MULTICALL_CONTRACT_BY_CHAINID[chainId];
+-    return await (multicallAddress
+-        ? multicall(calls, multicallAddress, provider, maxCallsPerMulticall)
+-        : fallback(calls, maxCallsParallel));
++    if (multicallAddress) {
++        try {
++            return await multicall(calls, multicallAddress, provider, maxCallsPerMulticall);
++        }
++        catch (error) {
++            // Fallback only on revert
++            // https://docs.ethers.org/v5/troubleshooting/errors/#help-CALL_EXCEPTION
++            if (!error ||
++                typeof error !== 'object' ||
++                !('code' in error) ||
++                error.code !== 'CALL_EXCEPTION') {
++                throw error;
++            }
++        }
++    }
++    return await fallback(calls, maxCallsParallel);
+ };
+ //# sourceMappingURL=multicall.mjs.map
+\ No newline at end of file
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -128,6 +128,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - refactor: remove global network from transaction controller ([#28449](https://github.com/MetaMask/metamask-extension/pull/28449))
 - test: [POM]  fix change language flaky tests and migrate tests to Page Object Model ([#28777](https://github.com/MetaMask/metamask-extension/pull/28777))
 - fix: Correct preferences controller usage for `isOnPhishingList` hook ([#28803](https://github.com/MetaMask/metamask-extension/pull/28803))
+## [12.9.3]
+### Fixed
+- Fix some cases where users were incorrectly seeing 0 token balances ([#29361](https://github.com/MetaMask/metamask-extension/pull/29361))
+- Ensure users that opt out of smart transaction decoding don't send network requests to related APIs ([#29341](https://github.com/
+MetaMask/metamask-extension/pull/29341))
 
 ## [12.9.2]
 ### Changed
@@ -5612,6 +5617,8 @@ Update styles and spacing on the critical error page  ([#20350](https://github.c
 
 [Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v12.10.0...HEAD
 [12.10.0]: https://github.com/MetaMask/metamask-extension/compare/v12.9.2...v12.10.0
+[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v12.9.3...HEAD
+[12.9.3]: https://github.com/MetaMask/metamask-extension/compare/v12.9.2...v12.9.3
 [12.9.2]: https://github.com/MetaMask/metamask-extension/compare/v12.9.1...v12.9.2
 [12.9.1]: https://github.com/MetaMask/metamask-extension/compare/v12.9.0...v12.9.1
 [12.9.0]: https://github.com/MetaMask/metamask-extension/compare/v12.8.1...v12.9.0

diff --git a/app/scripts/lib/createMainFrameOriginMiddleware.ts b/app/scripts/lib/createMainFrameOriginMiddleware.ts
@@ -0,0 +1,24 @@
+// Request and responses are currently untyped.
+/* eslint-disable @typescript-eslint/no-explicit-any */
+
+/**
+ * Returns a middleware that appends the mainFrameOrigin to request
+ *
+ * @param {{ mainFrameOrigin: string }} opts - The middleware options
+ * @returns {Function}
+ */
+
+export default function createMainFrameOriginMiddleware({
+  mainFrameOrigin,
+}: {
+  mainFrameOrigin: string;
+}) {
+  return function mainFrameOriginMiddleware(
+    req: any,
+    _res: any,
+    next: () => void,
+  ) {
+    req.mainFrameOrigin = mainFrameOrigin;
+    next();
+  };
+}
diff --git a/app/scripts/lib/ppom/ppom-util.test.ts b/app/scripts/lib/ppom/ppom-util.test.ts
@@ -10,7 +10,7 @@ import {
   SignatureController,
   SignatureRequest,
 } from '@metamask/signature-controller';
-import { Hex } from '@metamask/utils';
+import { Hex, JsonRpcRequest } from '@metamask/utils';
 import {
   BlockaidReason,
   BlockaidResultType,
@@ -22,6 +22,8 @@ import { AppStateController } from '../../controllers/app-state-controller';
 import {
   generateSecurityAlertId,
   isChainSupported,
+  METHOD_SIGN_TYPED_DATA_V3,
+  METHOD_SIGN_TYPED_DATA_V4,
   updateSecurityAlertResponse,
   validateRequestWithPPOM,
 } from './ppom-util';
@@ -57,6 +59,10 @@ const TRANSACTION_PARAMS_MOCK_1: TransactionParams = {
   value: '0x123',
 };
 
+const SIGN_TYPED_DATA_PARAMS_MOCK_1 = '0x123';
+const SIGN_TYPED_DATA_PARAMS_MOCK_2 =
+  '{"primaryType":"Permit","domain":{},"types":{}}';
+
 const TRANSACTION_PARAMS_MOCK_2: TransactionParams = {
   ...TRANSACTION_PARAMS_MOCK_1,
   to: '0x456',
@@ -261,6 +267,48 @@ describe('PPOM Utils', () => {
       );
     });
 
+    // @ts-expect-error This is missing from the Mocha type definitions
+    it.each([METHOD_SIGN_TYPED_DATA_V3, METHOD_SIGN_TYPED_DATA_V4])(
+      'sanitizes request params if method is %s',
+      async (method: string) => {
+        const ppom = createPPOMMock();
+        const ppomController = createPPOMControllerMock();
+
+        ppomController.usePPOM.mockImplementation(
+          (callback) =>
+            // eslint-disable-next-line @typescript-eslint/no-explicit-any
+            callback(ppom as any) as any,
+        );
+
+        const firstTwoParams = [
+          SIGN_TYPED_DATA_PARAMS_MOCK_1,
+          SIGN_TYPED_DATA_PARAMS_MOCK_2,
+        ];
+
+        const unwantedParams = [{}, undefined, 1, null];
+
+        const params = [...firstTwoParams, ...unwantedParams];
+
+        const request = {
+          ...REQUEST_MOCK,
+          method,
+          params,
+        } as unknown as JsonRpcRequest;
+
+        await validateRequestWithPPOM({
+          ...validateRequestWithPPOMOptionsBase,
+          ppomController,
+          request,
+        });
+
+        expect(ppom.validateJsonRpc).toHaveBeenCalledTimes(1);
+        expect(ppom.validateJsonRpc).toHaveBeenCalledWith({
+          ...request,
+          params: firstTwoParams,
+        });
+      },
+    );
+
     it('updates response indicating chain is not supported', async () => {
       const ppomController = {} as PPOMController;
       const CHAIN_ID_UNSUPPORTED_MOCK = '0x2';

diff --git a/app/scripts/lib/ppom/ppom-util.ts b/app/scripts/lib/ppom/ppom-util.ts
@@ -29,6 +29,8 @@ import {
 const { sentry } = global;
 
 const METHOD_SEND_TRANSACTION = 'eth_sendTransaction';
+export const METHOD_SIGN_TYPED_DATA_V3 = 'eth_signTypedData_v3';
+export const METHOD_SIGN_TYPED_DATA_V4 = 'eth_signTypedData_v4';
 
 const SECURITY_ALERT_RESPONSE_ERROR = {
   result_type: BlockaidResultType.Errored,
@@ -171,7 +173,7 @@ function normalizePPOMRequest(
       request,
     )
   ) {
-    return request;
+    return sanitizeRequest(request);
   }
 
   const transactionParams = request.params[0];
@@ -183,6 +185,22 @@ function normalizePPOMRequest(
   };
 }
 
+function sanitizeRequest(request: JsonRpcRequest): JsonRpcRequest {
+  // This is a temporary fix to prevent a PPOM bypass
+  if (
+    request.method === METHOD_SIGN_TYPED_DATA_V4 ||
+    request.method === METHOD_SIGN_TYPED_DATA_V3
+  ) {
+    if (Array.isArray(request.params)) {
+      return {
+        ...request,
+        params: request.params.slice(0, 2),
+      };
+    }
+  }
+  return request;
+}
+
 function getErrorMessage(error: unknown) {
   if (error instanceof Error) {
     return `${error.name}: ${error.message}`;

diff --git a/app/scripts/metamask-controller.js b/app/scripts/metamask-controller.js
@@ -301,6 +301,7 @@ import {
   createUnsupportedMethodMiddleware,
 } from './lib/rpc-method-middleware';
 import createOriginMiddleware from './lib/createOriginMiddleware';
+import createMainFrameOriginMiddleware from './lib/createMainFrameOriginMiddleware';
 import createTabIdMiddleware from './lib/createTabIdMiddleware';
 import { NetworkOrderController } from './controllers/network-order';
 import { AccountOrderController } from './controllers/account-order';
@@ -5804,11 +5805,18 @@ export default class MetamaskController extends EventEmitter {
       tabId = sender.tab.id;
     }
 
+    let mainFrameOrigin = origin;
+    if (sender.tab && sender.tab.url) {
+      // If sender origin is an iframe, then get the top-level frame's origin
+      mainFrameOrigin = new URL(sender.tab.url).origin;
+    }
+
     const engine = this.setupProviderEngineEip1193({
       origin,
       sender,
       subjectType,
       tabId,
+      mainFrameOrigin,
     });
 
     const dupeReqFilterStream = createDupeReqFilterStream();
@@ -5929,13 +5937,25 @@ export default class MetamaskController extends EventEmitter {
    * @param {MessageSender | SnapSender} options.sender - The sender object.
    * @param {string} options.subjectType - The type of the sender subject.
    * @param {tabId} [options.tabId] - The tab ID of the sender - if the sender is within a tab
+   * @param {mainFrameOrigin} [options.mainFrameOrigin] - The origin of the main frame if the sender is an iframe
    */
-  setupProviderEngineEip1193({ origin, subjectType, sender, tabId }) {
+  setupProviderEngineEip1193({
+    origin,
+    subjectType,
+    sender,
+    tabId,
+    mainFrameOrigin,
+  }) {
     const engine = new JsonRpcEngine();
 
     // Append origin to each request
     engine.push(createOriginMiddleware({ origin }));
 
+    // Append mainFrameOrigin to each request if present
+    if (mainFrameOrigin) {
+      engine.push(createMainFrameOriginMiddleware({ mainFrameOrigin }));
+    }
+
     // Append selectedNetworkClientId to each request
     engine.push(createSelectedNetworkMiddleware(this.controllerMessenger));