Merge keyring version #322

toandq2009 · 2025-02-19T03:59:12Z

No description provided.

…t into feat/merge-all

apps/extension/src/pages/blocklist/index.tsx

+          throw new Error("origin unmatched");
+        }
+
+        window.location.replace(origin);


To fix the problem, we need to ensure that the origin parameter is validated against a list of authorized URLs before performing the redirect. This can be achieved by maintaining a list of trusted URLs and checking if the origin parameter matches any of these URLs. If it does not match, the redirect should not be performed.

Create a list of authorized URLs.

Check if the origin parameter is in the list of authorized URLs before performing the redirect.

If the origin parameter is not in the list, do not perform the redirect and show an appropriate error message.

apps/extension/src/pages/blocklist/index.tsx

+          throw new Error("origin unmatched");
+        }
+
+        window.location.replace(origin);


To fix the problem, we need to ensure that the origin value is properly sanitized before it is used in the URL redirection. One way to achieve this is by using a library like DOMPurify to sanitize the origin value. This will help prevent any malicious scripts from being executed.

Install the DOMPurify library.

Import DOMPurify in the file.

Use DOMPurify to sanitize the origin value before using it in the URL redirection.

apps/extension/src/pages/main/components/token/index.tsx

+
+      const isNeg = res.startsWith("-");
+      return {
+        text: isNeg ? res.replace("-", "-") : "+" + res,


To fix the problem, we need to replace the substring "-" with the correct transformation. The intention seems to be to format the string res to include a "+" sign for positive values and retain the "-" sign for negative values. Therefore, we should ensure that the "+" sign is added correctly for positive values and the "-" sign is retained for negative values without unnecessary replacement.

Identify the line with the problematic replacement: res.replace("-", "-").

Replace this line with a conditional check to prepend a "+" sign for positive values and retain the "-" sign for negative values without using the replace method.

packages/common/src/oasis/hdkey.ts

packages/common/src/utils/utils.ts

+          "Content-Type": "application/json",
+        },
+        body: JSON.stringify({
+          transactions: transactions,


packages/cosmos/src/chain-id/cosmos.ts

+    const split = chainId
+      .split(ChainIdHelper.VersionFormatRegExp)


packages/stores-eth/src/account/base.ts

+    const isChecksumAddress = !!hexAddress.match(
+      /([A-F].*[a-f])|([a-f].*[A-F])/
+    );


…ing or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

…eat/merge-all

marxeille and others added 30 commits December 31, 2024 18:13

select network modal

35453b8

getAllBalancesByChainId

c50f058

calculate availableTotalPrice

c8266fc

stakedTotalPrice

0516a82

display delegations and unbondings depend on network

258ce5c

update notification open deeplink

8b8f86b

minor changes

7a84097

disable get fcm token

7c3a895

select wallet page

594b51a

setting items style

2534655

dynamic get info token from permission less

67d8041

dynamic get info token from permission less

6b94053

dynamic get info token from permission less

b295e5f

handle add new token

d5cfa0c

update endpoint staging

8f05d3c

menu bar UI

f3dab0e

update noti open deeplink

bf93dfc

fix deeplink for agent land

0542018

fix details browser go to home

1df516a

side menu

17e56db

minor UI updates

5cc396b

settings icon

ca848bc

settings page

99d8269

set default theme to light

3f868cc

update build version

702f191

getAllBalancesByChainId in select assets page

bbfc6df

change description manifest

b60b46d

button styles

bba9629

modal permission buttons

7b660b6

minor styles

cff8628

marxeille and others added 19 commits February 17, 2025 11:18

SwapParsedItem

017002c

snakeToTitle

cecd40d

show token icon

b691c76

add namespace into ProxyRequest

9da2349

sign tron

8751fce

remove log

7749946

throw error - sign tron

782a0f0

update manifest

9c75f8f

get route RequestSendRawTransactionMsg

33ef11b

show from chain and to chain - bridge

2eb41b8

bridge decode

8643cdc

update manifest

1d9e25b

check isUint8Array before decode

9fb10d6

MarqueeText

366d1cc

update scanium link

54cc0cc

merge from new branch mobile

b8b5403

Merge branch 'feat/extension-keyring' of github.com:owallet-io/owalle…

cdb500a

…t into feat/merge-all

merge code from extension keyring

f7f0d9f

delete phishing-list

2c1632c

toandq2009 requested review from marxeille and haunv3 February 19, 2025 04:03

github-advanced-security bot found potential problems Feb 19, 2025

View reviewed changes

marxeille approved these changes Feb 19, 2025

View reviewed changes

haunv3 approved these changes Feb 19, 2025

View reviewed changes

toandq2009 and others added 4 commits February 19, 2025 11:23

Potential fix for code scanning alert no. 19: Incomplete string escap…

8cb3b54

…ing or encoding Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

update example env

99468b4

update env

13f4d2a

Merge branch 'feat/merge-all' of github.com:owallet-io/owallet into f…

e3f45f0

…eat/merge-all

toandq2009 merged commit c93c34b into main Feb 19, 2025
3 of 4 checks passed

toandq2009 deleted the feat/merge-all branch February 19, 2025 04:36

@@ -76,2 +76,8 @@
+            const authorizedUrls = [
+              "https://trusted-site1.com",
+              "https://trusted-site2.com",
+              // Add more trusted URLs here
+            ];
             export const BlocklistPage: FunctionComponent = () => {
@@ -89,5 +95,4 @@
                     // Validate url
-                    const url = new URL(origin);
-                    if (redirectUrl.origin !== url.origin) {
-                      throw new Error("origin unmatched");
+                    if (!authorizedUrls.includes(origin)) {
+                      throw new Error("Unauthorized origin");
                     }

@@ -6,2 +6,3 @@
             import { AppThemeProvider } from "../../theme";
+            import DOMPurify from "dompurify";
@@ -78,3 +79,3 @@
               const origin =
-                new URLSearchParams(window.location.search).get("origin") || "";
+                DOMPurify.sanitize(new URLSearchParams(window.location.search).get("origin") || "");

@@ -103,3 +103,4 @@
                 "web3-utils": "4.11.1",
-                "webextension-polyfill": "^0.10.0"
+                "webextension-polyfill": "^0.10.0",
+                "dompurify": "^3.2.4"
               },

Package	Version	Security advisories
dompurify (npm)	3.2.4	None

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge keyring version #322

Merge keyring version #322

toandq2009 commented Feb 19, 2025

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

Provide additional feedback

Please help us improve GitHub Copilot by sharing more details about this comment.

		const split = chainId
		.split(ChainIdHelper.VersionFormatRegExp)

Merge keyring version #322

Merge keyring version #322

Conversation

toandq2009 commented Feb 19, 2025