Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Static Frames Validation Security Fix #736

Merged
merged 30 commits into from
Dec 2, 2024
Merged

Static Frames Validation Security Fix #736

Show file tree
Hide file tree
Changes from 9 commits
Commits
Show all changes
30 commits
Select commit Hold shift + click to select a range
35ea1f6
authorize with lib
codabrink Nov 26, 2024
c2123dc
wip
codabrink Nov 26, 2024
13aac7f
bump node bindings
codabrink Nov 26, 2024
9badaec
await
codabrink Nov 26, 2024
d60ddf4
messaging
codabrink Nov 26, 2024
cda619b
check the wallet
codabrink Nov 26, 2024
8ada32b
bump
codabrink Nov 26, 2024
8d2e9a6
yarn install
codabrink Nov 26, 2024
e530d1b
bump node bindings
codabrink Nov 26, 2024
9dc3773
Merge remote-tracking branch 'origin/main' into coda/frames-check
codabrink Nov 26, 2024
c33fa9e
bump node sdk version
codabrink Nov 26, 2024
3d4fa7e
fix
codabrink Nov 27, 2024
2cf9051
random client
codabrink Nov 27, 2024
0eae3f6
new bindings
codabrink Nov 28, 2024
844e312
update the validator
codabrink Nov 28, 2024
23414fe
bump node-sdk
codabrink Nov 28, 2024
1123a40
fix version
codabrink Nov 28, 2024
4367eb1
cleanup
codabrink Nov 28, 2024
5714605
cleanup
codabrink Nov 28, 2024
7fbb4d1
lint
codabrink Nov 28, 2024
de13a4b
bump version
codabrink Nov 28, 2024
c8e1568
update the frame url
nplasterer Nov 28, 2024
579854d
missing quote
nplasterer Nov 28, 2024
a3dbb24
one more bump to the urls
nplasterer Nov 28, 2024
be75090
Merge branch 'main' into coda/frames-check
rygine Dec 2, 2024
7968cea
Undo frame-validator version bump
rygine Dec 2, 2024
9db45bf
Refactor node client API
rygine Dec 2, 2024
6ab5830
Merge branch 'main' into coda/frames-check
rygine Dec 2, 2024
ae0a28c
Upgrade Node SDK
rygine Dec 2, 2024
1d2dab8
Create lemon-rockets-do.md
rygine Dec 2, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion packages/frames-validator/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,7 +40,7 @@
"dependencies": {
"@noble/curves": "^1.3.0",
"@noble/hashes": "^1.4.0",
"@xmtp/node-sdk": "^0.0.27",
"@xmtp/node-sdk": "^0.0.28",
"@xmtp/proto": "^3.72.3",
"uint8array-extras": "^1.4.0",
"viem": "^2.16.5"
Expand Down
16 changes: 12 additions & 4 deletions packages/frames-validator/src/validation.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@ export async function validateFramesPost(
actionBodyBytes,
signature,
signedPublicKeyBundle,
installationId, // not necessary
installationId,
codabrink marked this conversation as resolved.
Show resolved Hide resolved
installationSignature,
inboxId,
} = deserializeProtoMessage(messageBytes);
Expand All @@ -48,9 +48,17 @@ export async function validateFramesPost(
}
} else {
// make sure inbox IDs match
const addressInboxId = await getInboxIdForAddress(walletAddress, env);
if (inboxId !== addressInboxId) {
throw new Error("Invalid inbox ID");
const authorized = await Client.isInstallationAuthorized(
codabrink marked this conversation as resolved.
Show resolved Hide resolved
inboxId,
installationId,
);
if (!authorized) {
throw new Error("Installation not a member of association state");
}
codabrink marked this conversation as resolved.
Show resolved Hide resolved

const isMember = await Client.isAddressAuthorized(inboxId, walletAddress);
if (!isMember) {
throw new Error("Unable to associate wallet address with inbox");
}

const digest = sha256(actionBodyBytes);
Expand Down
4 changes: 2 additions & 2 deletions sdks/node-sdk/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@xmtp/node-sdk",
"version": "0.0.27",
"version": "0.0.28",
"description": "XMTP Node client SDK for interacting with XMTP networks",
"keywords": [
"xmtp",
Expand Down Expand Up @@ -53,7 +53,7 @@
"@xmtp/content-type-group-updated": "^1.0.1",
"@xmtp/content-type-primitives": "^1.0.3",
"@xmtp/content-type-text": "^1.0.1",
"@xmtp/node-bindings": "^0.0.22",
codabrink marked this conversation as resolved.
Show resolved Hide resolved
"@xmtp/node-bindings": "^0.0.25",
"@xmtp/proto": "^3.72.3"
},
"devDependencies": {
Expand Down
14 changes: 14 additions & 0 deletions sdks/node-sdk/src/Client.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -172,6 +172,20 @@ export class Client {
return this.#innerClient.isRegistered();
}

async isAddressAuthorized(
inboxId: string,
address: string,
): Promise<boolean> {
return this.#innerClient.isAddressAuthorized(inboxId, address);
}

async isInstallationAuthorized(
inboxId: string,
installationId: Uint8Array,
): Promise<boolean> {
return this.#innerClient.isInstallationAuthorized(inboxId, installationId);
}

async #createInboxSignatureText() {
try {
const signatureText = await this.#innerClient.createInboxSignatureText();
Expand Down
26 changes: 23 additions & 3 deletions yarn.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -5065,7 +5065,7 @@ __metadata:
"@rollup/plugin-typescript": "npm:^12.1.1"
"@types/bl": "npm:^5.1.4"
"@xmtp/frames-client": "npm:^1.0.0"
"@xmtp/node-sdk": "npm:^0.0.27"
"@xmtp/node-sdk": "npm:^0.0.28"
"@xmtp/proto": "npm:^3.72.3"
"@xmtp/xmtp-js": "npm:^12.1.0"
ethers: "npm:^6.10.0"
Expand All @@ -5086,7 +5086,27 @@ __metadata:
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.27, @xmtp/node-sdk@workspace:sdks/node-sdk":
"@xmtp/node-bindings@npm:^0.0.25":
version: 0.0.25
resolution: "@xmtp/node-bindings@npm:0.0.25"
checksum: 10/336f9b2a4a8b2781f6c53a7dd444428893f5e04a927350c82fcb79e37e0cc69abcb86406ffedeaa28115f1b57801890309546a10c9e806e3ed81b18b9d8f1431
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.27":
version: 0.0.27
resolution: "@xmtp/node-sdk@npm:0.0.27"
dependencies:
"@xmtp/content-type-group-updated": "npm:^1.0.1"
"@xmtp/content-type-primitives": "npm:^1.0.3"
"@xmtp/content-type-text": "npm:^1.0.1"
"@xmtp/node-bindings": "npm:^0.0.22"
"@xmtp/proto": "npm:^3.72.3"
checksum: 10/9937c77d4bd3f3ed8df2f9938e940e2c21a7c8e8f06506d227bb97939f8294e0ae6ec6bc1498f528274257d61f9142e38639aa123c3ddf086a98d9cd041c0161
languageName: node
linkType: hard

"@xmtp/node-sdk@npm:^0.0.28, @xmtp/node-sdk@workspace:sdks/node-sdk":
version: 0.0.0-use.local
resolution: "@xmtp/node-sdk@workspace:sdks/node-sdk"
dependencies:
Expand All @@ -5097,7 +5117,7 @@ __metadata:
"@xmtp/content-type-group-updated": "npm:^1.0.1"
"@xmtp/content-type-primitives": "npm:^1.0.3"
"@xmtp/content-type-text": "npm:^1.0.1"
"@xmtp/node-bindings": "npm:^0.0.22"
"@xmtp/node-bindings": "npm:^0.0.25"
"@xmtp/proto": "npm:^3.72.3"
"@xmtp/xmtp-js": "workspace:^"
fast-glob: "npm:^3.3.2"
Expand Down
Loading