fix(SDKConnectV2): harden INTERNAL_ORIGINS check and restrict dapp.url to http(s)#26833
Merged
adonesky1 merged 4 commits intoMar 2, 2026
Merged
Conversation
Contributor
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
…heck
The new `new URL()` validation in `isConnectionRequest` ensures
`dapp.url` is always a parseable URL. This made the direct-string
`INTERNAL_ORIGINS.includes(dapp.url)` check dead code because
production INTERNAL_ORIGINS contains non-URL values ('metamask',
'MetaMask Mobile'). The test masked this by injecting
'https://internal.metamask.io' into the mock.
- Extract URL hostname and compare case-insensitively against
INTERNAL_ORIGINS (e.g. `https://metamask/` → hostname `metamask`)
- Restrict `dapp.url` to http/https schemes as defense-in-depth
- Remove fake 'https://internal.metamask.io' from test mock
- Add scheme-validation tests for isConnectionRequest
Made-with: Cursor
0a8262e to
346e230
Compare
…-in-depth Revert hostname extraction logic in favor of the original plain-string INTERNAL_ORIGINS comparison. The URL validation in isConnectionRequest() is the primary security boundary; this check is a documented safety net. Both sites now carry security comments linking them together. Made-with: Cursor
adonesky1
commented
Mar 2, 2026
Comment on lines
-18
to
-20
| jest.mock('../../../constants/transaction', () => ({ | ||
| INTERNAL_ORIGINS: ['metamask', 'MetaMask Mobile', 'https://internal.metamask.io'], | ||
| })); |
Contributor
Author
There was a problem hiding this comment.
We should use the actual internal origin values for the test
Mock isConnectionRequest to bypass upstream URL validation, exercising the INTERNAL_ORIGINS check for dapp.url that is otherwise unreachable. Made-with: Cursor
The try/catch rejects plain strings; the protocol check blocks custom schemes. The previous comment conflated both layers. Made-with: Cursor
jiexi
reviewed
Mar 2, 2026
Comment on lines
+671
to
+675
| const connReqModule = require('../types/connection-request'); | ||
| const spy = jest | ||
| .spyOn(connReqModule, 'isConnectionRequest') | ||
| .mockReturnValueOnce(true); | ||
|
|
Member
There was a problem hiding this comment.
does a jest.mock() work here out of curiosity?
Contributor
Author
There was a problem hiding this comment.
I think jest.mock can only be applied at the top level of the test and therefore get applied to all tests?
Member
There was a problem hiding this comment.
yeah that sound vaguely right. I know it gets hoisted. ehh okay this is fine
Contributor
🔍 Smart E2E Test Selection⏭️ Smart E2E selection skipped - base branch is not main (base: jl/make-mmc-parsing-more-robust) All E2E tests pre-selected. |
jiexi
approved these changes
Mar 2, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
The
new URL(metadata.dapp.url)validation added in the parent branch ensuresdapp.urlis always a parseable URL. However, the productionINTERNAL_ORIGINSarray contains plain strings ('metamask','MetaMask Mobile',process.env.MM_FOX_CODE), so the existingINTERNAL_ORIGINS.includes(dapp.url)check became dead code — no validated URL can equal those strings. The test masked this by mockingINTERNAL_ORIGINSwith'https://internal.metamask.io', a value absent from the production array.This PR:
dapp.urltohttp:/https:schemes inisConnectionRequest()— this is the primary security boundary. It prevents a malicious dApp from sendingmetamask://...or other non-web schemes as its URL, which could match internal origin strings.INTERNAL_ORIGINS.includes()check as documented defense-in-depth — currently redundant but will activate if the upstream URL validation is ever relaxed.INTERNAL_ORIGINSmock from the test file so tests exercise the real production values instead of a synthetic URL that hid the dead code.Changelog
CHANGELOG entry: null
Related issues
Refs: parent branch
jl/make-mmc-parsing-more-robustManual testing steps
Screenshots/Recordings
N/A — no UI changes.
Before
N/A
After
N/A
Pre-merge author checklist
Pre-merge reviewer checklist
Note
Medium Risk
Tightens SDKConnectV2 connection-request validation and could reject previously accepted dApps that supplied non-HTTP(S)
dapp.urlvalues; it also touches internal-origin security checks on the deeplink connection path.Overview
Hardens SDKConnectV2 connection request validation by requiring
metadata.dapp.urlto be a parseable URL and to use onlyhttp:/https:schemes, rejecting custom/non-web schemes (e.g.metamask://,ftp://,file://).Clarifies and reinforces internal-origin blocking in
ConnectionRegistry.handleConnectDeeplink()as a documented defense-in-depth check, and updates tests to stop mockingINTERNAL_ORIGINSand instead explicitly bypassisConnectionRequest()to exercise the internal-origin rejection path.Written by Cursor Bugbot for commit 84a9794. This will update automatically on new commits. Configure here.