This repository has been archived by the owner on Oct 7, 2024. It is now read-only.

docs: add guideline to sanitize errors #160

Merged
merged 1 commit into from
Oct 18, 2023
27 changes: 27 additions & 0 deletions docs/security.md
Expand Up @@ -155,6 +155,33 @@ can lead to multiple security vulnerabilities. For example, secret information
may be logged to the console, or a security check may be bypassed by a
malicious dapp.

### Sanitize errors to remove sensitive information

Ensure that all errors returned by your Snap are sanitized. This mistake can
lead to secrets being exposed to dapps or MetaMask through error messages.

**:x: DO NOT DO THIS:**

```ts
// !!! DO NOT DO THIS !!!
//
// If `inputSecretValue` contains invalid hexadecimal characters, its value
// will be added to the error thrown by `toBuffer`.
const privateKey = toBuffer(inputSecretValue);
// Use `privateKey` here ...
```

**:white_check_mark: DO THIS INSTEAD:**

```ts
try {
const privateKey = toBuffer(inputSecretValue);
// Use `privateKey` here ...
} catch (error) {
throw new Error('Invalid private key');
}
```

### Don't expose Keyring methods through the `onRpcRequest` export

The `onRpcRequest` export is intended to be a general-purpose export and thus
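
Review bot: In the "DO THIS INSTEAD" block, the `try` wraps both the `toBuffer(inputSecretValue)` call and the "Use `privateKey` here" code, so any unrelated failure while the key is being used would also surface as 'Invalid private key'. Consider limiting the `try` to the conversion and using the key after it, so that only the error that can carry the secret is replaced. The caught `error` is never used; a short comment stating that it must not be logged or rethrown, because it contains the input value as the first example's comment explains, would make the intent explicit. In the prose, "This mistake" has no antecedent after "Ensure that all errors returned by your Snap are sanitized"; "Failing to do so can lead to secrets being exposed ..." would read more clearly.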