Skip to content

Commit

Permalink
Add hostname and extensionId to site metadata
Browse files Browse the repository at this point in the history
If the extension ID is set, an alternate title and subtitle are used
for the Connect Request screen. The title is always `External
Extension`, and the subtitle is `Extension ID: [id]` instead of the
origin (which would just be `[extension-scheme]://[id]` anyway).

The hostname for the site is used as a fallback in case it has no
title.

The artificial hostname set for internal connections has been renamed
from 'MetaMask' to 'metamask' because URL objects automatically
normalize hostnames to be all lower-case, and it was more convenient to
use a URL object so that the parameter would be the same type as used
for an untrusted connection.
  • Loading branch information
Gudahtt committed Oct 17, 2019
1 parent 3d1f214 commit 4aa297d
Show file tree
Hide file tree
Showing 9 changed files with 201 additions and 90 deletions.
11 changes: 7 additions & 4 deletions app/scripts/background.js
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,6 @@ require('./lib/setupFetchDebugging')()
// polyfills
import 'abortcontroller-polyfill/dist/polyfill-patch-fetch'

const urlUtil = require('url')
const endOfStream = require('end-of-stream')
const pump = require('pump')
const debounce = require('debounce-stream')
Expand Down Expand Up @@ -352,7 +351,10 @@ function setupController (initState, initLangCode) {
const portStream = new PortStream(remotePort)
// communication with popup
controller.isClientOpen = true
controller.setupTrustedCommunication(portStream, 'MetaMask')
// construct fake URL for identifying internal messages
const metamaskUrl = new URL(window.location)
metamaskUrl.hostname = 'metamask'
controller.setupTrustedCommunication(portStream, metamaskUrl)

if (processName === ENVIRONMENT_TYPE_POPUP) {
popupIsOpen = true
Expand Down Expand Up @@ -388,9 +390,10 @@ function setupController (initState, initLangCode) {

// communication with page or other extension
function connectExternal (remotePort) {
const originDomain = urlUtil.parse(remotePort.sender.url).hostname
const senderUrl = new URL(remotePort.sender.url)
const extensionId = remotePort.sender.id
const portStream = new PortStream(remotePort)
controller.setupUntrustedCommunication(portStream, originDomain)
controller.setupUntrustedCommunication(portStream, senderUrl, extensionId)
}

//
Expand Down
30 changes: 22 additions & 8 deletions app/scripts/controllers/provider-approval.js
Original file line number Diff line number Diff line change
Expand Up @@ -31,19 +31,25 @@ class ProviderApprovalController extends SafeEventEmitter {
*
* @param {object} opts - opts for the middleware contains the origin for the middleware
*/
createMiddleware ({ origin, getSiteMetadata }) {
createMiddleware ({ senderUrl, extensionId, getSiteMetadata }) {
return createAsyncMiddleware(async (req, res, next) => {
// only handle requestAccounts
if (req.method !== 'eth_requestAccounts') return next()
// if already approved or privacy mode disabled, return early
const isUnlocked = this.keyringController.memStore.getState().isUnlocked
const origin = senderUrl.hostname
if (this.shouldExposeAccounts(origin) && isUnlocked) {
res.result = [this.preferencesController.getSelectedAddress()]
return
}
// register the provider request
const metadata = await getSiteMetadata(origin)
this._handleProviderRequest(origin, metadata.name, metadata.icon)
const metadata = { hostname: senderUrl.hostname, origin }
if (extensionId) {
metadata.extensionId = extensionId
} else {
Object.assign(metadata, await getSiteMetadata(origin))
}
this._handleProviderRequest(metadata)
// wait for resolution of request
const approved = await new Promise(resolve => this.once(`resolvedRequest:${origin}`, ({ approved }) => resolve(approved)))
if (approved) {
Expand All @@ -54,19 +60,26 @@ class ProviderApprovalController extends SafeEventEmitter {
})
}

/**
* @typedef {Object} SiteMetadata
* @param {string} hostname - The hostname of the site
* @param {string} origin - The origin of the site
* @param {string} [siteTitle] - The title of the site
* @param {string} [siteImage] - The icon for the site
* @param {string} [extensionId] - The extension ID of the extension
*/
/**
* Called when a tab requests access to a full Ethereum provider API
*
* @param {string} origin - Origin of the window requesting full provider access
* @param {string} siteTitle - The title of the document requesting full provider access
* @param {string} siteImage - The icon of the window requesting full provider access
* @param {SiteMetadata} siteMetadata - The metadata for the site requesting full provider access
*/
_handleProviderRequest (origin, siteTitle, siteImage) {
_handleProviderRequest (siteMetadata) {
const { providerRequests } = this.memStore.getState()
const origin = siteMetadata.origin
this.memStore.updateState({
providerRequests: [
...providerRequests,
{ origin, siteTitle, siteImage },
siteMetadata,
],
})
const isUnlocked = this.keyringController.memStore.getState().isUnlocked
Expand Down Expand Up @@ -98,6 +111,7 @@ class ProviderApprovalController extends SafeEventEmitter {
[origin]: {
siteTitle: providerRequest ? providerRequest.siteTitle : null,
siteImage: providerRequest ? providerRequest.siteImage : null,
hostname: providerRequest ? providerRequest.hostname : null,
},
},
})
Expand Down
48 changes: 28 additions & 20 deletions app/scripts/metamask-controller.js
Original file line number Diff line number Diff line change
Expand Up @@ -336,7 +336,7 @@ module.exports = class MetamaskController extends EventEmitter {
// Expose no accounts if this origin has not been approved, preventing
// account-requring RPC methods from completing successfully
const exposeAccounts = this.providerApprovalController.shouldExposeAccounts(origin)
if (origin !== 'MetaMask' && !exposeAccounts) { return [] }
if (origin !== 'metamask' && !exposeAccounts) { return [] }
const isUnlocked = this.keyringController.memStore.getState().isUnlocked
const selectedAddress = this.preferencesController.getSelectedAddress()
// only show address if account is unlocked
Expand Down Expand Up @@ -1332,23 +1332,25 @@ module.exports = class MetamaskController extends EventEmitter {
* Used to create a multiplexed stream for connecting to an untrusted context
* like a Dapp or other extension.
* @param {*} connectionStream - The Duplex stream to connect to.
* @param {string} originDomain - The domain requesting the stream, which
* may trigger a blacklist reload.
* @param {URL} senderUrl - The URL of the resource requesting the stream,
* which may trigger a blacklist reload.
* @param {string} extensionId - The extension id of the sender, if the sender
* is an extension
*/
setupUntrustedCommunication (connectionStream, originDomain) {
setupUntrustedCommunication (connectionStream, senderUrl, extensionId) {
// Check if new connection is blacklisted
if (this.phishingController.test(originDomain)) {
log.debug('MetaMask - sending phishing warning for', originDomain)
this.sendPhishingWarning(connectionStream, originDomain)
if (this.phishingController.test(senderUrl.hostname)) {
log.debug('MetaMask - sending phishing warning for', senderUrl.hostname)
this.sendPhishingWarning(connectionStream, senderUrl.hostname)
return
}

// setup multiplexing
const mux = setupMultiplex(connectionStream)
// connect features
const publicApi = this.setupPublicApi(mux.createStream('publicApi'), originDomain)
this.setupProviderConnection(mux.createStream('provider'), originDomain, publicApi)
this.setupPublicConfig(mux.createStream('publicConfig'), originDomain)
const publicApi = this.setupPublicApi(mux.createStream('publicApi'))
this.setupProviderConnection(mux.createStream('provider'), senderUrl, extensionId, publicApi)
this.setupPublicConfig(mux.createStream('publicConfig'), senderUrl)
}

/**
Expand All @@ -1358,15 +1360,15 @@ module.exports = class MetamaskController extends EventEmitter {
* functions, like the ability to approve transactions or sign messages.
*
* @param {*} connectionStream - The duplex stream to connect to.
* @param {string} originDomain - The domain requesting the connection,
* @param {URL} senderUrl - The URL requesting the connection,
* used in logging and error reporting.
*/
setupTrustedCommunication (connectionStream, originDomain) {
setupTrustedCommunication (connectionStream, senderUrl) {
// setup multiplexing
const mux = setupMultiplex(connectionStream)
// connect features
this.setupControllerConnection(mux.createStream('controller'))
this.setupProviderConnection(mux.createStream('provider'), originDomain)
this.setupProviderConnection(mux.createStream('provider'), senderUrl)
}

/**
Expand Down Expand Up @@ -1419,11 +1421,14 @@ module.exports = class MetamaskController extends EventEmitter {
/**
* A method for serving our ethereum provider over a given stream.
* @param {*} outStream - The stream to provide over.
* @param {string} origin - The URI of the requesting resource.
* @param {URL} senderUrl - The URI of the requesting resource.
* @param {string} extensionId - The id of the extension, if the requesting
* resource is an extension.
* @param {object} publicApi - The public API
*/
setupProviderConnection (outStream, origin, publicApi) {
setupProviderConnection (outStream, senderUrl, extensionId, publicApi) {
const getSiteMetadata = publicApi && publicApi.getSiteMetadata
const engine = this.setupProviderEngine(origin, getSiteMetadata)
const engine = this.setupProviderEngine(senderUrl, extensionId, getSiteMetadata)

// setup connection
const providerStream = createEngineStream({ engine })
Expand All @@ -1447,7 +1452,8 @@ module.exports = class MetamaskController extends EventEmitter {
/**
* A method for creating a provider that is safely restricted for the requesting domain.
**/
setupProviderEngine (origin, getSiteMetadata) {
setupProviderEngine (senderUrl, extensionId, getSiteMetadata) {
const origin = senderUrl.hostname
// setup json rpc engine stack
const engine = new RpcEngine()
const provider = this.provider
Expand All @@ -1470,7 +1476,8 @@ module.exports = class MetamaskController extends EventEmitter {
engine.push(this.preferencesController.requestWatchAsset.bind(this.preferencesController))
// requestAccounts
engine.push(this.providerApprovalController.createMiddleware({
origin,
senderUrl,
extensionId,
getSiteMetadata,
}))
// forward to metamask primary provider
Expand All @@ -1487,11 +1494,12 @@ module.exports = class MetamaskController extends EventEmitter {
* this is a good candidate for deprecation.
*
* @param {*} outStream - The stream to provide public config over.
* @param {URL} senderUrl - The URL of requesting resource
*/
setupPublicConfig (outStream, originDomain) {
setupPublicConfig (outStream, senderUrl) {
const configStore = this.createPublicConfigStore({
// check the providerApprovalController's approvedOrigins
checkIsEnabled: () => this.providerApprovalController.shouldExposeAccounts(originDomain),
checkIsEnabled: () => this.providerApprovalController.shouldExposeAccounts(senderUrl.hostname),
})
const configStream = asStream(configStore)

Expand Down
4 changes: 2 additions & 2 deletions test/unit/app/controllers/metamask-controller-test.js
Original file line number Diff line number Diff line change
Expand Up @@ -751,7 +751,7 @@ describe('MetaMaskController', function () {
describe('#setupUntrustedCommunication', function () {
let streamTest

const phishingUrl = 'myethereumwalletntw.com'
const phishingUrl = new URL('http://myethereumwalletntw.com')

afterEach(function () {
streamTest.end()
Expand All @@ -764,7 +764,7 @@ describe('MetaMaskController', function () {

streamTest = createThoughStream((chunk, _, cb) => {
if (chunk.name !== 'phishing') return cb()
assert.equal(chunk.data.hostname, phishingUrl)
assert.equal(chunk.data.hostname, phishingUrl.hostname)
resolve()
cb()
})
Expand Down
Loading

0 comments on commit 4aa297d

Please sign in to comment.