fix: strengthen explore portfolio site condition

[Prithpal-Sooriya]

Description

Replaced URL substring check with hostname comparison for portfolio site identification to fix a security vulnerability.

This should be pretty safe since we own the underlying data, but still good practice to use stricter url condition.

Changelog

CHANGELOG entry: fix: strengthen explore portfolio site condition

Related issues

Fixes: https://github.com/MetaMask/metamask-mobile/security/code-scanning/134

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

 

---

Note

Low Risk
Low risk: small, localized change to Portfolio site detection logic; the main risk is accidentally missing/duplicating the Portfolio entry if URL parsing/normalization behaves unexpectedly for edge-case inputs.

Overview
Strengthens how the Explore sites list detects whether MetaMask Portfolio is already present by replacing a url.includes('portfolio.metamask.io') substring check with strict hostname parsing/comparison.

Adds PORTFOLIO_HOSTNAME and a new isPortfolioSiteUrl() normalizer (handles missing schemes/whitespace) and uses it in mergePortfolioSite to avoid false matches that could let non-Portfolio URLs bypass or trigger the Portfolio entry logic.

^{Written by Cursor Bugbot for commit 3214479. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Agent can help with this pull request. Just @cursor in comments and I'll start working on changes in this branch.
_{Learn more about Cursor Agents}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeWalletPlatform
• Selected Performance tags: None (no tests recommended)
• Risk Level: low
• AI Confidence: 82%

click to see 🤖 AI reasoning details

E2E Test Selection:
Changed hook useSitesData adjusts how the Sites list for the Trending/Discovery tab is built (introduces PORTFOLIO_HOSTNAME, normalizes URL matching via isPortfolioSiteUrl, and ensures Portfolio is included without duplicates). This directly impacts the Trending Sites section and potential browser navigation from that list. No controllers, Engine, confirmations, or core flows were modified, so broader test suites are unnecessary. Running SmokeWalletPlatform covers the Trending tab browsing and browser navigation integration, which will validate this change.

Performance Test Selection:
The change is a small URL handling and list-merge logic update with negligible computational impact. It does not affect app startup, global state, token lists, or heavy rendering paths. No performance tests are warranted.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
92.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud