fix: regex in typed-data parsing cp-7.62.0

[dan437]

Description

Fix regex in typed-data parsing.

Changelog

CHANGELOG entry: null

Related issues

Fixes: https://github.com/MetaMask/MetaMask-planning/issues/6624

Manual testing steps

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Strengthens typed-data parsing to prevent UI spoofing from nested value fields.

• Updates REGEX_MESSAGE_VALUE_LARGE to use [^{}]* so only top-level message.value is matched, ensuring large numbers are parsed correctly from the intended field
• Adds tests covering nested/deeply nested value fields, arrays, ordering, escaped quotes, and string-valued message.value
• Extends e2e allowlist with https://api.hyperliquid.xyz/info

^{Written by Cursor Bugbot for commit ad592b0. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeConfirmationsRedesigned, SmokePerps
• Risk Level: medium
• AI Confidence: 85%

click to see 🤖 AI reasoning details

The PR contains three changes:

1. E2E API Mocking Allowlist (e2e/api-mocking/mock-e2e-allowlist.ts): Added https://api.hyperliquid.xyz/info to the allowlist. This is a minor addition to support HyperLiquid API calls in E2E tests for the Perps (perpetuals trading) feature. This warrants running SmokePerps tests.

2. Signature Utility Security Fix (app/components/Views/confirmations/utils/signature.ts): A security fix to the regex REGEX_MESSAGE_VALUE_LARGE that extracts large numeric values from message.value. The change from [^}]* to [^{}]* prevents matching nested "value" fields, which could be exploited in spoofing attacks where attackers include nested objects with large "value" fields to trick the UI into displaying different amounts than what will actually be signed. This is a critical security fix for the confirmations flow.

3. Unit Tests (app/components/Views/confirmations/utils/signature.test.ts): Added comprehensive tests for the nested value spoofing protection, covering various attack scenarios.

The signature utility is imported by 20+ files in the confirmations flow including typed sign components, personal sign, permit simulations, and blockaid banner. This warrants running SmokeConfirmationsRedesigned tests to verify the signature parsing and display functionality works correctly with the security fix.

Risk is medium because:

• The signature utility change is a targeted regex fix with good test coverage
• The change is security-focused but the fix is straightforward
• The allowlist change is additive and low-risk

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud