Merge remote-tracking branch 'origin/main' into sync-v14-main

Gudahtt · Gudahtt · commit 568232d7db8c · 2024-10-02T10:53:23.000-02:30
* origin/main: fix: change types signatures verifyingContract validation to allow 'cosmos' as address (#334) Update `main` with changes from v14.0.1 (#332) Request validation should not throw if verifyingContract is not defined in typed signature (#328) Add changelog entries for `#318` (#327) remove eth_sign (#320)
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -26,6 +26,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Bump `@metamask/rpc-errors` from `^6.0.0` to `^6.3.1` ([#323](https://github.com/MetaMask/eth-json-rpc-middleware/pull/323))
 - Bump `@metamask/utils` from `^8.1.0` to `^9.1.0` ([#323](https://github.com/MetaMask/eth-json-rpc-middleware/pull/323))
 
+### Security
+- **BREAKING:** Typed signature validation only replaces `0X` prefix with `0x`, and contract address normalization is removed for decimal and octal values ([#318](https://github.com/MetaMask/eth-json-rpc-middleware/pull/318))
+  - Threat actors have been manipulating `eth_signTypedData_v4` fields to cause failures in blockaid's detectors.
+  - Extension crashes with an error when performing Malicious permit with a non-0x prefixed integer address.
+  - This fixes an issue where the key value row or petname component disappears if a signed address is prefixed by "0X" instead of "0x".
+
 ## [13.0.0]
 ### Changed
 - **BREAKING**: Drop support for Node.js v16; add support for Node.js v20, v22 ([#312](https://github.com/MetaMask/eth-json-rpc-middleware/pull/312))
diff --git a/src/wallet.ts b/src/wallet.ts
@@ -55,10 +55,6 @@ export interface WalletMiddlewareOptions {
     address: string,
     req: JsonRpcRequest,
   ) => Promise<string>;
-  processEthSignMessage?: (
-    msgParams: MessageParams,
-    req: JsonRpcRequest,
-  ) => Promise<string>;
   processPersonalMessage?: (
     msgParams: MessageParams,
     req: JsonRpcRequest,
@@ -92,7 +88,6 @@ export function createWalletMiddleware({
   getAccounts,
   processDecryptMessage,
   processEncryptionPublicKey,
-  processEthSignMessage,
   processPersonalMessage,
   processTransaction,
   processSignTransaction,
@@ -113,7 +108,6 @@ WalletMiddlewareOptions): JsonRpcMiddleware<any, Block> {
     eth_sendTransaction: createAsyncMiddleware(sendTransaction),
     eth_signTransaction: createAsyncMiddleware(signTransaction),
     // message signatures
-    eth_sign: createAsyncMiddleware(ethSign),
     eth_signTypedData: createAsyncMiddleware(signTypedData),
     eth_signTypedData_v3: createAsyncMiddleware(signTypedDataV3),
     eth_signTypedData_v4: createAsyncMiddleware(signTypedDataV4),
@@ -195,36 +189,6 @@ WalletMiddlewareOptions): JsonRpcMiddleware<any, Block> {
   //
   // message signatures
   //
-
-  async function ethSign(
-    req: JsonRpcRequest,
-    res: PendingJsonRpcResponse<Json>,
-  ): Promise<void> {
-    if (!processEthSignMessage) {
-      throw rpcErrors.methodNotSupported();
-    }
-    if (
-      !req?.params ||
-      !Array.isArray(req.params) ||
-      !(req.params.length >= 2)
-    ) {
-      throw rpcErrors.invalidInput();
-    }
-
-    const params = req.params as [string, string, Record<string, string>?];
-    const address: string = await validateAndNormalizeKeyholder(params[0], req);
-    const message = params[1];
-    const extraParams = params[2] || {};
-    const msgParams: MessageParams = {
-      ...extraParams,
-      from: address,
-      data: message,
-      signatureMethod: 'eth_sign',
-    };
-
-    res.result = await processEthSignMessage(msgParams, req);
-  }
-
   async function signTypedData(
     req: JsonRpcRequest,
     res: PendingJsonRpcResponse<Json>,
