Merge branch 'master' into transactionControllerRefractor

feature/default_network_editable
frankiebee 7 years ago
commit 89a4fef1e4
  1. 3
      CHANGELOG.md
  2. 11
      app/manifest.json
  3. 34
      app/scripts/background.js
  4. 14
      app/scripts/blacklister.js
  5. 22
      app/scripts/contentscript.js
  6. 58
      app/scripts/controllers/blacklist.js
  7. 16
      app/scripts/controllers/infura.js
  8. 3
      app/scripts/controllers/transactions.js
  9. 3
      app/scripts/lib/inpage-provider.js
  10. 38
      app/scripts/lib/is-phish.js
  11. 3
      app/scripts/lib/nodeify.js
  12. 16
      app/scripts/lib/obj-multiplex.js
  13. 25
      app/scripts/metamask-controller.js
  14. 1
      gulpfile.js
  15. 6
      package.json
  16. 6
      test/unit/actions/tx_test.js
  17. 41
      test/unit/blacklist-controller-test.js
  18. 24
      test/unit/blacklister-test.js
  19. 11
      test/unit/nodeify-test.js
  20. 7
      ui/app/actions.js

@ -2,6 +2,9 @@
## Current Master
## 3.9.3 2017-8-03
- Add support for EGO uport token
- Continuously update blacklist for known phishing sites in background.
- Automatically detect suspicious URLs too similar to common phishing targets, and blacklist them.

@ -1,7 +1,7 @@
{
"name": "MetaMask",
"short_name": "Metamask",
"version": "3.9.2",
"version": "3.9.3",
"manifest_version": 2,
"author": "https://metamask.io",
"description": "Ethereum Browser Extension",
@ -52,15 +52,6 @@
],
"run_at": "document_start",
"all_frames": true
},
{
"run_at": "document_start",
"matches": [
"http://*/*",
"https://*/*"
],
"js": ["scripts/blacklister.js"],
"all_frames": true
}
],
"permissions": [

@ -11,7 +11,6 @@ const NotificationManager = require('./lib/notification-manager.js')
const MetamaskController = require('./metamask-controller')
const extension = require('extensionizer')
const firstTimeState = require('./first-time-state')
const isPhish = require('./lib/is-phish')
const STORAGE_KEY = 'metamask-config'
const METAMASK_DEBUG = 'GULP_METAMASK_DEBUG'
@ -91,16 +90,12 @@ function setupController (initState) {
extension.runtime.onConnect.addListener(connectRemote)
function connectRemote (remotePort) {
if (remotePort.name === 'blacklister') {
return checkBlacklist(remotePort)
}
var isMetaMaskInternalProcess = remotePort.name === 'popup' || remotePort.name === 'notification'
var portStream = new PortStream(remotePort)
const isMetaMaskInternalProcess = remotePort.name === 'popup' || remotePort.name === 'notification'
const portStream = new PortStream(remotePort)
if (isMetaMaskInternalProcess) {
// communication with popup
popupIsOpen = popupIsOpen || (remotePort.name === 'popup')
controller.setupTrustedCommunication(portStream, 'MetaMask', remotePort.name)
controller.setupTrustedCommunication(portStream, 'MetaMask')
// record popup as closed
if (remotePort.name === 'popup') {
endOfStream(portStream, () => {
@ -109,7 +104,7 @@ function setupController (initState) {
}
} else {
// communication with page
var originDomain = urlUtil.parse(remotePort.sender.url).hostname
const originDomain = urlUtil.parse(remotePort.sender.url).hostname
controller.setupUntrustedCommunication(portStream, originDomain)
}
}
@ -140,27 +135,6 @@ function setupController (initState) {
return Promise.resolve()
}
// Listen for new pages and return if blacklisted:
function checkBlacklist (port) {
const handler = handleNewPageLoad.bind(null, port)
port.onMessage.addListener(handler)
setTimeout(() => {
port.onMessage.removeListener(handler)
}, 30000)
}
function handleNewPageLoad (port, message) {
const { pageLoaded } = message
if (!pageLoaded || !global.metamaskController) return
const state = global.metamaskController.getState()
const updatedBlacklist = state.blacklist
if (isPhish({ updatedBlacklist, hostname: pageLoaded })) {
port.postMessage({ 'blacklist': pageLoaded })
}
}
//
// Etc...
//

@ -1,14 +0,0 @@
const extension = require('extensionizer')
var port = extension.runtime.connect({name: 'blacklister'})
port.postMessage({ 'pageLoaded': window.location.hostname })
port.onMessage.addListener(redirectIfBlacklisted)
function redirectIfBlacklisted (response) {
const { blacklist } = response
const host = window.location.hostname
if (blacklist && blacklist === host) {
window.location.href = 'https://metamask.io/phishing.html'
}
}

@ -37,28 +37,33 @@ function setupInjection () {
function setupStreams () {
// setup communication to page and plugin
var pageStream = new LocalMessageDuplexStream({
const pageStream = new LocalMessageDuplexStream({
name: 'contentscript',
target: 'inpage',
})
pageStream.on('error', console.error)
var pluginPort = extension.runtime.connect({name: 'contentscript'})
var pluginStream = new PortStream(pluginPort)
const pluginPort = extension.runtime.connect({ name: 'contentscript' })
const pluginStream = new PortStream(pluginPort)
pluginStream.on('error', console.error)
// forward communication plugin->inpage
pageStream.pipe(pluginStream).pipe(pageStream)
// setup local multistream channels
var mx = ObjectMultiplex()
const mx = ObjectMultiplex()
mx.on('error', console.error)
mx.pipe(pageStream).pipe(mx)
mx.pipe(pluginStream).pipe(mx)
// connect ping stream
var pongStream = new PongStream({ objectMode: true })
const pongStream = new PongStream({ objectMode: true })
pongStream.pipe(mx.createStream('pingpong')).pipe(pongStream)
// ignore unused channels (handled by background)
// connect phishing warning stream
const phishingStream = mx.createStream('phishing')
phishingStream.once('data', redirectToPhishingWarning)
// ignore unused channels (handled by background, inpage)
mx.ignoreStream('provider')
mx.ignoreStream('publicConfig')
}
@ -88,3 +93,8 @@ function suffixCheck () {
}
return true
}
function redirectToPhishingWarning () {
console.log('MetaMask - redirecting to phishing warning')
window.location.href = 'https://metamask.io/phishing.html'
}

@ -0,0 +1,58 @@
const ObservableStore = require('obs-store')
const extend = require('xtend')
const PhishingDetector = require('eth-phishing-detect/src/detector')
// compute phishing lists
const PHISHING_DETECTION_CONFIG = require('eth-phishing-detect/src/config.json')
// every ten minutes
const POLLING_INTERVAL = 10 * 60 * 1000
class BlacklistController {
constructor (opts = {}) {
const initState = extend({
phishing: PHISHING_DETECTION_CONFIG,
}, opts.initState)
this.store = new ObservableStore(initState)
// phishing detector
this._phishingDetector = null
this._setupPhishingDetector(initState.phishing)
// polling references
this._phishingUpdateIntervalRef = null
}
//
// PUBLIC METHODS
//
checkForPhishing (hostname) {
if (!hostname) return false
const { result } = this._phishingDetector.check(hostname)
return result
}
async updatePhishingList () {
const response = await fetch('https://api.infura.io/v2/blacklist')
const phishing = await response.json()
this.store.updateState({ phishing })
this._setupPhishingDetector(phishing)
return phishing
}
scheduleUpdates () {
if (this._phishingUpdateIntervalRef) return
this._phishingUpdateIntervalRef = setInterval(() => {
this.updatePhishingList()
}, POLLING_INTERVAL)
}
//
// PRIVATE METHODS
//
_setupPhishingDetector (config) {
this._phishingDetector = new PhishingDetector(config)
}
}
module.exports = BlacklistController

@ -1,16 +1,14 @@
const ObservableStore = require('obs-store')
const extend = require('xtend')
const recentBlacklist = require('etheraddresslookup/blacklists/domains.json')
// every ten minutes
const POLLING_INTERVAL = 300000
const POLLING_INTERVAL = 10 * 60 * 1000
class InfuraController {
constructor (opts = {}) {
const initState = extend({
infuraNetworkStatus: {},
blacklist: recentBlacklist,
}, opts.initState)
this.store = new ObservableStore(initState)
}
@ -32,24 +30,12 @@ class InfuraController {
})
}
updateLocalBlacklist () {
return fetch('https://api.infura.io/v1/blacklist')
.then(response => response.json())
.then((parsedResponse) => {
this.store.updateState({
blacklist: parsedResponse,
})
return parsedResponse
})
}
scheduleInfuraNetworkCheck () {
if (this.conversionInterval) {
clearInterval(this.conversionInterval)
}
this.conversionInterval = setInterval(() => {
this.checkInfuraNetworkStatus()
this.updateLocalBlacklist()
}, POLLING_INTERVAL)
}
}

@ -6,7 +6,6 @@ const ethUtil = require('ethereumjs-util')
const EthQuery = require('ethjs-query')
const TxProviderUtil = require('../lib/tx-utils')
const PendingTransactionUtils = require('../lib/pending-tx-watchers')
const getStack = require('../lib/util').getStack
const createId = require('../lib/random-id')
const NonceTracker = require('../lib/nonce-tracker')
@ -125,8 +124,6 @@ module.exports = class TransactionController extends EventEmitter {
const txMetaForHistory = clone(txMeta)
// dont include previous history in this snapshot
delete txMetaForHistory.history
// add stack to help understand why tx was updated
txMetaForHistory.stack = getStack()
// add snapshot to tx history
if (!txMeta.history) txMeta.history = []
txMeta.history.push(txMetaForHistory)

@ -26,6 +26,9 @@ function MetamaskInpageProvider (connectionStream) {
(err) => logStreamDisconnectWarning('MetaMask PublicConfigStore', err)
)
// ignore phishing warning message (handled elsewhere)
multiStream.ignoreStream('phishing')
// connect to async provider
const asyncProvider = self.asyncProvider = new StreamProvider()
pipe(

@ -1,38 +0,0 @@
const levenshtein = require('fast-levenshtein')
const blacklistedMetaMaskDomains = ['metamask.com']
let blacklistedDomains = require('etheraddresslookup/blacklists/domains.json').concat(blacklistedMetaMaskDomains)
const whitelistedMetaMaskDomains = ['metamask.io', 'www.metamask.io']
const whitelistedDomains = require('etheraddresslookup/whitelists/domains.json').concat(whitelistedMetaMaskDomains)
const LEVENSHTEIN_TOLERANCE = 4
const LEVENSHTEIN_CHECKS = ['myetherwallet', 'myetheroll', 'ledgerwallet', 'metamask']
// credit to @sogoiii and @409H for their help!
// Return a boolean on whether or not a phish is detected.
function isPhish({ hostname, updatedBlacklist = null }) {
var strCurrentTab = hostname
// check if the domain is part of the whitelist.
if (whitelistedDomains && whitelistedDomains.includes(strCurrentTab)) { return false }
// Allow updating of blacklist:
if (updatedBlacklist) {
blacklistedDomains = blacklistedDomains.concat(updatedBlacklist)
}
// check if the domain is part of the blacklist.
const isBlacklisted = blacklistedDomains && blacklistedDomains.includes(strCurrentTab)
// check for similar values.
let levenshteinMatched = false
var levenshteinForm = strCurrentTab.replace(/\./g, '')
LEVENSHTEIN_CHECKS.forEach((element) => {
if (levenshtein.get(element, levenshteinForm) <= LEVENSHTEIN_TOLERANCE) {
levenshteinMatched = true
}
})
return isBlacklisted || levenshteinMatched
}
module.exports = isPhish

@ -1,9 +1,10 @@
const promiseToCallback = require('promise-to-callback')
module.exports = function(fn, context) {
module.exports = function nodeify (fn, context) {
return function(){
const args = [].slice.call(arguments)
const callback = args.pop()
if (typeof callback !== 'function') throw new Error('callback is not a function')
promiseToCallback(fn.apply(context, args))(callback)
}
}

@ -5,12 +5,16 @@ module.exports = ObjectMultiplex
function ObjectMultiplex (opts) {
opts = opts || {}
// create multiplexer
var mx = through.obj(function (chunk, enc, cb) {
var name = chunk.name
var data = chunk.data
var substream = mx.streams[name]
const mx = through.obj(function (chunk, enc, cb) {
const name = chunk.name
const data = chunk.data
if (!name) {
console.warn(`ObjectMultiplex - Malformed chunk without name "${chunk}"`)
return cb()
}
const substream = mx.streams[name]
if (!substream) {
console.warn(`orphaned data for stream "${name}"`)
console.warn(`ObjectMultiplex - orphaned data for stream "${name}"`)
} else {
if (substream.push) substream.push(data)
}
@ -19,7 +23,7 @@ function ObjectMultiplex (opts) {
mx.streams = {}
// create substreams
mx.createStream = function (name) {
var substream = mx.streams[name] = through.obj(function (chunk, enc, cb) {
const substream = mx.streams[name] = through.obj(function (chunk, enc, cb) {
mx.push({
name: name,
data: chunk,

@ -16,6 +16,7 @@ const NoticeController = require('./notice-controller')
const ShapeShiftController = require('./controllers/shapeshift')
const AddressBookController = require('./controllers/address-book')
const InfuraController = require('./controllers/infura')
const BlacklistController = require('./controllers/blacklist')
const MessageManager = require('./lib/message-manager')
const PersonalMessageManager = require('./lib/personal-message-manager')
const TransactionController = require('./controllers/transactions')
@ -69,6 +70,10 @@ module.exports = class MetamaskController extends EventEmitter {
})
this.infuraController.scheduleInfuraNetworkCheck()
this.blacklistController = new BlacklistController({
initState: initState.BlacklistController,
})
this.blacklistController.scheduleUpdates()
// rpc provider
this.provider = this.initializeProvider()
@ -152,6 +157,9 @@ module.exports = class MetamaskController extends EventEmitter {
this.networkController.store.subscribe((state) => {
this.store.updateState({ NetworkController: state })
})
this.blacklistController.store.subscribe((state) => {
this.store.updateState({ BlacklistController: state })
})
this.infuraController.store.subscribe((state) => {
this.store.updateState({ InfuraController: state })
})
@ -327,8 +335,15 @@ module.exports = class MetamaskController extends EventEmitter {
}
setupUntrustedCommunication (connectionStream, originDomain) {
// Check if new connection is blacklisted
if (this.blacklistController.checkForPhishing(originDomain)) {
console.log('MetaMask - sending phishing warning for', originDomain)
this.sendPhishingWarning(connectionStream, originDomain)
return
}
// setup multiplexing
var mx = setupMultiplex(connectionStream)
const mx = setupMultiplex(connectionStream)
// connect features
this.setupProviderConnection(mx.createStream('provider'), originDomain)
this.setupPublicConfig(mx.createStream('publicConfig'))
@ -336,12 +351,18 @@ module.exports = class MetamaskController extends EventEmitter {
setupTrustedCommunication (connectionStream, originDomain) {
// setup multiplexing
var mx = setupMultiplex(connectionStream)
const mx = setupMultiplex(connectionStream)
// connect features
this.setupControllerConnection(mx.createStream('controller'))
this.setupProviderConnection(mx.createStream('provider'), originDomain)
}
sendPhishingWarning (connectionStream, hostname) {
const mx = setupMultiplex(connectionStream)
const phishingStream = mx.createStream('phishing')
phishingStream.write({ hostname })
}
setupControllerConnection (outStream) {
const api = this.getApi()
const dnode = Dnode(api)

@ -172,7 +172,6 @@ gulp.task('default', ['lint'], function () {
const jsFiles = [
'inpage',
'contentscript',
'blacklister',
'background',
'popup',
]

@ -7,7 +7,7 @@
"start": "npm run dev",
"dev": "gulp dev --debug",
"disc": "gulp disc --debug",
"clear": "rm -rf node_modules/eth-contract-metadata && rm -rf node_modules/etheraddresslookup",
"clear": "rm -rf node_modules/eth-contract-metadata && rm -rf node_modules/eth-phishing-detect",
"dist": "npm run clear && npm install && gulp dist",
"test": "npm run lint && npm run test-unit && npm run test-integration",
"test-unit": "METAMASK_ENV=test mocha --require test/helper.js --recursive \"test/unit/**/*.js\"",
@ -69,11 +69,11 @@
"eth-bin-to-ops": "^1.0.1",
"eth-contract-metadata": "^1.1.4",
"eth-hd-keyring": "^1.1.1",
"eth-phishing-detect": "^1.1.0",
"eth-query": "^2.1.2",
"eth-sig-util": "^1.2.2",
"eth-simple-keyring": "^1.1.1",
"eth-token-tracker": "^1.1.2",
"etheraddresslookup": "github:409H/EtherAddressLookup",
"ethereumjs-tx": "^1.3.0",
"ethereumjs-util": "ethereumjs/ethereumjs-util#ac5d0908536b447083ea422b435da27f26615de9",
"ethereumjs-wallet": "^0.6.0",
@ -128,7 +128,7 @@
"sw-stream": "^2.0.0",
"textarea-caret": "^3.0.1",
"three.js": "^0.73.2",
"through2": "^2.0.1",
"through2": "^2.0.3",
"valid-url": "^1.0.9",
"vreme": "^3.0.2",
"web3": "0.19.1",

@ -45,15 +45,17 @@ describe('tx confirmation screen', function () {
before(function (done) {
actions._setBackgroundConnection({
approveTransaction (txId, cb) { cb('An error!') },
cancelTransaction (txId) { /* noop */ },
cancelTransaction (txId, cb) { cb() },
clearSeedWordCache (cb) { cb() },
})
const action = actions.cancelTx({value: firstTxId})
actions.cancelTx({value: firstTxId})((action) => {
result = reducers(initialState, action)
done()
})
})
it('should transition to the account detail view', function () {
assert.equal(result.appState.currentView.name, 'accountDetail')
})

@ -0,0 +1,41 @@
const assert = require('assert')
const BlacklistController = require('../../app/scripts/controllers/blacklist')
describe('blacklist controller', function () {
let blacklistController
before(() => {
blacklistController = new BlacklistController()
})
describe('checkForPhishing', function () {
it('should not flag whitelisted values', function () {
const result = blacklistController.checkForPhishing('www.metamask.io')
assert.equal(result, false)
})
it('should flag explicit values', function () {
const result = blacklistController.checkForPhishing('metamask.com')
assert.equal(result, true)
})
it('should flag levenshtein values', function () {
const result = blacklistController.checkForPhishing('metmask.io')
assert.equal(result, true)
})
it('should not flag not-even-close values', function () {
const result = blacklistController.checkForPhishing('example.com')
assert.equal(result, false)
})
it('should not flag the ropsten faucet domains', function () {
const result = blacklistController.checkForPhishing('faucet.metamask.io')
assert.equal(result, false)
})
it('should not flag the mascara domain', function () {
const result = blacklistController.checkForPhishing('zero.metamask.io')
assert.equal(result, false)
})
it('should not flag the mascara-faucet domain', function () {
const result = blacklistController.checkForPhishing('zero-faucet.metamask.io')
assert.equal(result, false)
})
})
})

@ -1,24 +0,0 @@
const assert = require('assert')
const isPhish = require('../../app/scripts/lib/is-phish')
describe('blacklister', function () {
describe('#isPhish', function () {
it('should not flag whitelisted values', function () {
var result = isPhish({ hostname: 'www.metamask.io' })
assert(!result)
})
it('should flag explicit values', function () {
var result = isPhish({ hostname: 'metamask.com' })
assert(result)
})
it('should flag levenshtein values', function () {
var result = isPhish({ hostname: 'metmask.com' })
assert(result)
})
it('should not flag not-even-close values', function () {
var result = isPhish({ hostname: 'example.com' })
assert(!result)
})
})
})

@ -17,4 +17,15 @@ describe('nodeify', function () {
done()
})
})
it('should throw if the last argument is not a function', function (done) {
const nodified = nodeify(obj.promiseFunc, obj)
try {
nodified('baz')
done(new Error('should have thrown if the last argument is not a function'))
} catch (err) {
assert.equal(err.message, 'callback is not a function')
done()
}
})
})

@ -462,9 +462,12 @@ function cancelPersonalMsg (msgData) {
}
function cancelTx (txData) {
return (dispatch) => {
log.debug(`background.cancelTransaction`)
background.cancelTransaction(txData.id)
return actions.completedTx(txData.id)
background.cancelTransaction(txData.id, () => {
dispatch(actions.completedTx(txData.id))
})
}
}
//

Loading…
Cancel
Save