Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Static Frames Validation Security Fix #736

Merged
merged 30 commits into from
Dec 2, 2024
Merged
Show file tree
Hide file tree
Changes from 8 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/frames-validator/package.json
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
"dependencies": {
"@noble/curves": "^1.3.0",
"@noble/hashes": "^1.4.0",
"@xmtp/node-sdk": "^0.0.27",
"@xmtp/node-sdk": "^0.0.28",
"@xmtp/proto": "^3.72.3",
"uint8array-extras": "^1.4.0",
"viem": "^2.16.5"
Expand Down
16 changes: 12 additions & 4 deletions packages/frames-validator/src/validation.ts
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ export async function validateFramesPost(
actionBodyBytes,
signature,
signedPublicKeyBundle,
installationId, // not necessary
installationId,
codabrink marked this conversation as resolved.
Show resolved Hide resolved
installationSignature,
inboxId,
} = deserializeProtoMessage(messageBytes);
Expand All @@ -48,9 +48,17 @@ export async function validateFramesPost(
}
} else {
// make sure inbox IDs match
const addressInboxId = await getInboxIdForAddress(walletAddress, env);
if (inboxId !== addressInboxId) {
throw new Error("Invalid inbox ID");
const authorized = await Client.isInstallationAuthorized(
codabrink marked this conversation as resolved.
Show resolved Hide resolved
inboxId,
installationId,
);
if (!authorized) {
throw new Error("Installation not a member of association state");
}
codabrink marked this conversation as resolved.
Show resolved Hide resolved

const isMember = await Client.isAddressAuthorized(inboxId, walletAddress);
if (!isMember) {
throw new Error("Unable to associate wallet address with inbox");
}

const digest = sha256(actionBodyBytes);
Expand Down
4 changes: 2 additions & 2 deletions sdks/node-sdk/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@xmtp/node-sdk",
"version": "0.0.27",
"version": "0.0.28",
"description": "XMTP Node client SDK for interacting with XMTP networks",
"keywords": [
"xmtp",
Expand Down Expand Up @@ -53,7 +53,7 @@
"@xmtp/content-type-group-updated": "^1.0.1",
"@xmtp/content-type-primitives": "^1.0.3",
"@xmtp/content-type-text": "^1.0.1",
"@xmtp/node-bindings": "^0.0.22",
codabrink marked this conversation as resolved.
Show resolved Hide resolved
"@xmtp/node-bindings": "^0.0.24",
"@xmtp/proto": "^3.72.3"
},
"devDependencies": {
Expand Down
14 changes: 14 additions & 0 deletions sdks/node-sdk/src/Client.ts
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,20 @@ export class Client {
return this.#innerClient.isRegistered();
}

async isAddressAuthorized(
inboxId: string,
address: string,
): Promise<boolean> {
return this.#innerClient.isAddressAuthorized(inboxId, address);
}

async isInstallationAuthorized(
inboxId: string,
installationId: Uint8Array,
): Promise<boolean> {
return this.#innerClient.isInstallationAuthorized(inboxId, installationId);
}

async #createInboxSignatureText() {
try {
const signatureText = await this.#innerClient.createInboxSignatureText();
Expand Down
26 changes: 23 additions & 3 deletions yarn.lock
Original file line number Diff line number Diff line change
Expand Up @@ -5065,7 +5065,7 @@ __metadata:
"@rollup/plugin-typescript": "npm:^12.1.1"
"@types/bl": "npm:^5.1.4"
"@xmtp/frames-client": "npm:^1.0.0"
"@xmtp/node-sdk": "npm:^0.0.27"
"@xmtp/node-sdk": "npm:^0.0.28"
"@xmtp/proto": "npm:^3.72.3"
"@xmtp/xmtp-js": "npm:^12.1.0"
ethers: "npm:^6.10.0"
Expand All @@ -5086,7 +5086,27 @@ __metadata:
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.27, @xmtp/node-sdk@workspace:sdks/node-sdk":
"@xmtp/node-bindings@npm:^0.0.24":
version: 0.0.24
resolution: "@xmtp/node-bindings@npm:0.0.24"
checksum: 10/3cd8cda6a0183c06e5ce8c5645ebc05cc714d191bb1be0ba359c6c084c91af88b0dfe0ce93c3299fe71bb691097de79af068bea069c673449fa69b188aa6895d
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.27":
version: 0.0.27
resolution: "@xmtp/node-sdk@npm:0.0.27"
dependencies:
"@xmtp/content-type-group-updated": "npm:^1.0.1"
"@xmtp/content-type-primitives": "npm:^1.0.3"
"@xmtp/content-type-text": "npm:^1.0.1"
"@xmtp/node-bindings": "npm:^0.0.22"
"@xmtp/proto": "npm:^3.72.3"
checksum: 10/9937c77d4bd3f3ed8df2f9938e940e2c21a7c8e8f06506d227bb97939f8294e0ae6ec6bc1498f528274257d61f9142e38639aa123c3ddf086a98d9cd041c0161
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.28, @xmtp/node-sdk@workspace:sdks/node-sdk":
version: 0.0.0-use.local
resolution: "@xmtp/node-sdk@workspace:sdks/node-sdk"
dependencies:
Expand All @@ -5097,7 +5117,7 @@ __metadata:
"@xmtp/content-type-group-updated": "npm:^1.0.1"
"@xmtp/content-type-primitives": "npm:^1.0.3"
"@xmtp/content-type-text": "npm:^1.0.1"
"@xmtp/node-bindings": "npm:^0.0.22"
"@xmtp/node-bindings": "npm:^0.0.24"
"@xmtp/proto": "npm:^3.72.3"
"@xmtp/xmtp-js": "workspace:^"
fast-glob: "npm:^3.3.2"
Expand Down
Loading