Merge pull request #38244 from MetaMask/release/13.10.4

gauthierpetetin · web-flow · commit 7c12e4b93148 · 2025-11-26T10:09:11.000+01:00
release: 13.10.4
diff --git a/.yarn/patches/@metamask-assets-controllers-npm-88.0.0-3dfc0ab8f1.patch b/.yarn/patches/@metamask-assets-controllers-npm-88.0.0-3dfc0ab8f1.patch
@@ -46,3 +46,16 @@ index 420934fb16ed6151b5b80fb7be04f81352b4aaf4..d735379adcaf77cbd46b4659f9bfd320
                      }
                  }
              });
+diff --git a/dist/token-prices-service/codefi-v2.cjs b/dist/token-prices-service/codefi-v2.cjs
+index f3c24e32ab755ae5c00e7d439600c4bab1587c71..df2932739853ab963f41a1d1270b1a6769c0ce88 100644
+--- a/dist/token-prices-service/codefi-v2.cjs
++++ b/dist/token-prices-service/codefi-v2.cjs
+@@ -98,6 +98,8 @@ exports.SUPPORTED_CURRENCIES = [
+     'mxn',
+     // Malaysian Ringgit
+     'myr',
++    // Monad
++    'mon',
+     // Nigerian Naira
+     'ngn',
+     // Norwegian Krone
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -80,6 +80,12 @@ npmAuditIgnoreAdvisories:
   - 'ts-custom-error (deprecation)'
   - 'text-encoding (deprecation)'
 
+  # Issue: `body-parser` denial of service vulnerability
+  # Seemingly only impacts v2.2.0, but we're on v1. The advisory range is overly wide.
+  # The attack vector also does not apply to how we use the package.
+  # URL: https://github.com/advisories/GHSA-wqch-xfxh-vrr4
+  - 1110857
+
   ### Package Deprecations:
 
   # React-tippy brings in popper.js and react-tippy has not been updated in
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [13.10.4]
+
+### Fixed
+
+- Signed deep links with empty `sig_params` with extra params as valid (#38142)
+- Adds mon as currency to fetch prices (#38261)
+- Removes sidepanel from chrome manifest files (#38242)
+
 ## [13.10.3]
 
 ### Fixed
@@ -1239,7 +1247,8 @@ authorized by the user.` error until the user fully revoked dapp
 - This changelog was split off with 12.22.0
 - All older changes can be found in [docs/CHANGELOG_older.md](https://github.com/MetaMask/metamask-extension/blob/main/docs/CHANGELOG_older.md)
 
-[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v13.10.3...HEAD
+[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v13.10.4...HEAD
+[13.10.4]: https://github.com/MetaMask/metamask-extension/compare/v13.10.3...v13.10.4
 [13.10.3]: https://github.com/MetaMask/metamask-extension/compare/v13.10.2...v13.10.3
 [13.10.2]: https://github.com/MetaMask/metamask-extension/compare/v13.10.1...v13.10.2
 [13.10.1]: https://github.com/MetaMask/metamask-extension/compare/v13.10.0...v13.10.1
diff --git a/app/manifest/v3/_base.json b/app/manifest/v3/_base.json
@@ -81,7 +81,6 @@
     "webRequest",
     "offscreen",
     "identity",
-    "sidePanel",
     "contextMenus"
   ],
   "sandbox": {
diff --git a/app/manifest/v3/chrome.json b/app/manifest/v3/chrome.json
@@ -10,8 +10,5 @@
     "matches": ["http://*/*", "https://*/*"],
     "ids": ["*"]
   },
-  "minimum_chrome_version": "115",
-  "side_panel": {
-    "default_path": "sidepanel.html"
-  }
+  "minimum_chrome_version": "115"
 }
diff --git a/builds.yml b/builds.yml
@@ -33,7 +33,7 @@ buildTypes:
       - REJECT_INVALID_SNAPS_PLATFORM_VERSION: true
       - IFRAME_EXECUTION_ENVIRONMENT_URL: https://execution.metamask.io/iframe/10.2.3/index.html
       - ACCOUNT_SNAPS_DIRECTORY_URL: https://snaps.metamask.io/account-management
-      - IS_SIDEPANEL: true
+      - IS_SIDEPANEL: false
       # for seedless onboarding (social login)
       - GOOGLE_PROD_CLIENT_ID
       - APPLE_PROD_CLIENT_ID
@@ -67,7 +67,7 @@ buildTypes:
       - REJECT_INVALID_SNAPS_PLATFORM_VERSION: true
       - IFRAME_EXECUTION_ENVIRONMENT_URL: https://execution.metamask.io/iframe/10.2.3/index.html
       - ACCOUNT_SNAPS_DIRECTORY_URL: https://snaps.metamask.io/account-management
-      - IS_SIDEPANEL: true
+      - IS_SIDEPANEL: false
       # for seedless onboarding (social login)
       - GOOGLE_BETA_CLIENT_ID
       - APPLE_BETA_CLIENT_ID
@@ -136,7 +136,7 @@ buildTypes:
       - SEGMENT_WRITE_KEY_REF: SEGMENT_FLASK_WRITE_KEY
       - ACCOUNT_SNAPS_DIRECTORY_URL: https://metamask.github.io/snaps-directory-staging/main/account-management
       - EIP_4337_ENTRYPOINT: '0x5FF137D4b0FDCD49DcA30c7CF57E578a026d2789'
-      - IS_SIDEPANEL: true
+      - IS_SIDEPANEL: false
       # for seedless onboarding (social login)
       - GOOGLE_FLASK_CLIENT_ID
       - APPLE_FLASK_CLIENT_ID
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "metamask-crx",
-  "version": "13.10.3",
+  "version": "13.10.4",
   "private": true,
   "repository": {
     "type": "git",
diff --git a/shared/lib/deep-links/canonicalize.test.ts b/shared/lib/deep-links/canonicalize.test.ts
@@ -82,4 +82,36 @@ describe('canonicalize', () => {
     expect(original.searchParams.get(SIG_PARAM)).toBe('abc');
     expect(original.searchParams.get(SIG_PARAMS_PARAM)).toBe('a,b');
   });
+
+  it('removes all params when `sig_params` is present but empty (no params signed)', () => {
+    const url = new URL(
+      `https://example.com/path?a=2&b=1&${SIG_PARAM}=abc&${SIG_PARAMS_PARAM}`,
+    );
+    // No a or b params should be included, only sig_params= should remain
+    expect(canonicalize(url)).toBe('https://example.com/path?sig_params=');
+  });
+
+  it('removes all params when `sig_params=` is present but empty (no params signed)', () => {
+    const url = new URL(
+      `https://example.com/path?a=2&b=1&${SIG_PARAM}=abc&${SIG_PARAMS_PARAM}=`,
+    );
+    // No a or b params should be included,  only sig_params= should remain
+    expect(canonicalize(url)).toBe('https://example.com/path?sig_params=');
+  });
+
+  it('treats URLs with `sig_params` (when no other params are included) as valid sig_params', () => {
+    const url = new URL(
+      `https://example.com/path?${SIG_PARAM}=abc&${SIG_PARAMS_PARAM}`,
+    );
+    // No params were included, but sig_params should still remain
+    expect(canonicalize(url)).toBe('https://example.com/path?sig_params=');
+  });
+
+  it('treats URLs with `sig_params=` (when no other params are included) as valid sig_params', () => {
+    const url = new URL(
+      `https://example.com/path?${SIG_PARAM}=abc&${SIG_PARAMS_PARAM}=`,
+    );
+    // No params were included, but sig_params should still remain
+    expect(canonicalize(url)).toBe('https://example.com/path?sig_params=');
+  });
 });
diff --git a/shared/lib/deep-links/canonicalize.ts b/shared/lib/deep-links/canonicalize.ts
@@ -13,14 +13,18 @@ export function canonicalize(url: URL): string {
 
   const sigParams = url.searchParams.get(SIG_PARAMS_PARAM);
 
-  if (sigParams) {
-    const allowedParams = sigParams.split(',');
+  if (typeof sigParams === 'string') {
     const signedParams = new URLSearchParams();
+    // sigParams might be "" (empty), in which case we
+    // don't need to split and search
+    if (sigParams) {
+      const allowedParams = sigParams.split(',');
 
-    for (const allowedParam of allowedParams) {
-      const values = url.searchParams.getAll(allowedParam);
-      for (const value of values) {
-        signedParams.append(allowedParam, value);
+      for (const allowedParam of allowedParams) {
+        const values = url.searchParams.getAll(allowedParam);
+        for (const value of values) {
+          signedParams.append(allowedParam, value);
+        }
       }
     }
 
diff --git a/shared/lib/deep-links/parse.test.ts b/shared/lib/deep-links/parse.test.ts
@@ -132,4 +132,39 @@ describe('parse', () => {
 
     expect(mockVerify).toHaveBeenCalledWith(new URL(urlStr));
   });
+
+  it("removes the SIG_PARAMS_PARAM from the handler's query parameters", async () => {
+    mockRoutes.set('/test', { handler: mockHandler } as unknown as Route);
+    mockVerify.mockResolvedValue(VALID);
+
+    const urlStr1 = 'https://example.com/test?sig=bar&sig_params=';
+    await parse(new URL(urlStr1));
+    // `sig_params` should be removed from the handler's searchParams
+    expect(mockHandler).toHaveBeenCalledWith(new URLSearchParams());
+
+    const urlStr2 =
+      'https://example.com/test?sig=bar&sig_params=value&value=123';
+    await parse(new URL(urlStr2));
+    // `sig_params` should be removed from the handler's searchParams, `value`
+    // should remain because it is listed in `sig_params`
+    expect(mockHandler).toHaveBeenCalledWith(
+      new URLSearchParams([['value', '123']]),
+    );
+
+    const urlStr3 = 'https://example.com/test?sig=bar&sig_params=&value=123';
+    await parse(new URL(urlStr3));
+    // `sig_params` should be removed from the handler's searchParams, `value`
+    // should also be removed because it is not in `sig_params`
+    expect(mockHandler).toHaveBeenCalledWith(new URLSearchParams());
+
+    const urlStr4 =
+      'https://example.com/test?sig=bar&sig_params=value&value=123&foo=bar';
+    await parse(new URL(urlStr4));
+    // `sig_params` should be removed from the handler's searchParams, `value`
+    // should remain because it is listed in `sig_params`, `foo` should be removed
+    // because it is not listed in `sig_params`
+    expect(mockHandler).toHaveBeenCalledWith(
+      new URLSearchParams([['value', '123']]),
+    );
+  });
 });
diff --git a/shared/lib/deep-links/routes/index.ts b/shared/lib/deep-links/routes/index.ts
@@ -33,6 +33,11 @@ export function addRoute(route: Route) {
   routes.set(route.pathname, route);
 }
 
+if (process.env.ENABLE_SETTINGS_PAGE_DEV_OPTIONS || process.env.IN_TEST) {
+  // eslint-disable-next-line @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires, node/global-require
+  addRoute(require('./test-route').default);
+}
+
 addRoute(buy);
 addRoute(home);
 addRoute(notifications);
diff --git a/shared/lib/deep-links/routes/route.ts b/shared/lib/deep-links/routes/route.ts
@@ -11,6 +11,7 @@ export {
   NOTIFICATIONS_ROUTE,
   SHIELD_PLAN_ROUTE,
   SETTINGS_ROUTE,
+  DEVELOPER_OPTIONS_ROUTE,
 } from '../../../../ui/helpers/constants/routes';
 
 /**
diff --git a/shared/lib/deep-links/routes/test-route.ts b/shared/lib/deep-links/routes/test-route.ts
@@ -0,0 +1,14 @@
+import { DEVELOPER_OPTIONS_ROUTE, Route } from './route';
+
+export default new Route({
+  pathname: '/test',
+  getTitle: (_: URLSearchParams) => 'deepLink_thePerpsPage',
+  handler: function handler(params: URLSearchParams) {
+    return {
+      // we use the developer options route for testing purposes
+      // because it doesn't rewrite query params
+      path: DEVELOPER_OPTIONS_ROUTE,
+      query: params,
+    };
+  },
+});
diff --git a/test/e2e/tests/deep-link/deep-link.spec.ts b/test/e2e/tests/deep-link/deep-link.spec.ts
@@ -592,16 +592,14 @@ and we'll take you to the right place.`
         const homePage = new HomePage(driver);
         await homePage.checkPageIsLoaded();
 
-        const rawUrl =
-          'https://link.metamask.io/home?foo=0&foo=1&bar=2&baz=3&sig_params=foo,bar';
-        const signedUrl = await signDeepLink(keyPair.privateKey, rawUrl, false);
+        const rawUrl = 'https://link.metamask.io/test?foo=0&foo=1&bar=2';
+        const signedUrl = `${await signDeepLink(keyPair.privateKey, rawUrl)}&baz=3`;
 
         await driver.openNewURL(signedUrl);
         const deepLink = new DeepLink(driver);
         await deepLink.checkPageIsLoaded();
-        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
         await deepLink.clickContinueButton();
-        await homePage.checkPageIsLoaded();
+        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
 
         assert.deepStrictEqual(hashParams.getAll('foo'), ['0', '1']);
         assert.deepStrictEqual(hashParams.getAll('bar'), ['2']);
@@ -610,7 +608,7 @@ and we'll take you to the right place.`
     );
   });
 
-  it('signed without sig_params exposes all params (foo, bar, baz)', async function () {
+  it('signed with empty sig_params, but url has extra params added, does not expose extra params', async function () {
     await withFixtures(
       await getConfig(this.test?.fullTitle()),
       async ({ driver }: { driver: Driver }) => {
@@ -621,16 +619,65 @@ and we'll take you to the right place.`
         const homePage = new HomePage(driver);
         await homePage.checkPageIsLoaded();
 
-        const rawUrl = 'https://link.metamask.io/home?foo=1&bar=2&baz=3';
-        const signedUrl = await signDeepLink(keyPair.privateKey, rawUrl, false);
+        const rawUrl = 'https://link.metamask.io/test';
+        const signedUrl = `${await signDeepLink(keyPair.privateKey, rawUrl)}&foo=0&foo=1&bar=2&baz=3`;
 
         await driver.openNewURL(signedUrl);
         const deepLink = new DeepLink(driver);
         await deepLink.checkPageIsLoaded();
+        await deepLink.clickContinueButton();
         const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
+
+        assert.deepStrictEqual(hashParams.size, 0);
+      },
+    );
+  });
+
+  it('signed with sig_params, url has no extra params added, works', async function () {
+    await withFixtures(
+      await getConfig(this.test?.fullTitle()),
+      async ({ driver }: { driver: Driver }) => {
+        await driver.navigate();
+        const loginPage = new LoginPage(driver);
+        await loginPage.checkPageIsLoaded();
+        await loginPage.loginToHomepage();
+        const homePage = new HomePage(driver);
+        await homePage.checkPageIsLoaded();
+
+        const rawUrl = 'https://link.metamask.io/test';
+        const signedUrl = await signDeepLink(keyPair.privateKey, rawUrl);
+
+        await driver.openNewURL(signedUrl);
+        const deepLink = new DeepLink(driver);
+        await deepLink.checkPageIsLoaded();
         await deepLink.clickContinueButton();
+        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
+
+        assert.deepStrictEqual(hashParams.size, 0);
+      },
+    );
+  });
+
+  it('signed without sig_params exposes all params (foo, bar, baz)', async function () {
+    await withFixtures(
+      await getConfig(this.test?.fullTitle()),
+      async ({ driver }: { driver: Driver }) => {
+        await driver.navigate();
+        const loginPage = new LoginPage(driver);
+        await loginPage.checkPageIsLoaded();
+        await loginPage.loginToHomepage();
+        const homePage = new HomePage(driver);
         await homePage.checkPageIsLoaded();
 
+        const rawUrl = 'https://link.metamask.io/test?foo=1&bar=2&baz=3';
+        const signedUrl = await signDeepLink(keyPair.privateKey, rawUrl, false);
+
+        await driver.openNewURL(signedUrl);
+        const deepLink = new DeepLink(driver);
+        await deepLink.checkPageIsLoaded();
+        await deepLink.clickContinueButton();
+        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
+
         assert.deepStrictEqual(hashParams.getAll('foo'), ['1']);
         assert.deepStrictEqual(hashParams.getAll('bar'), ['2']);
         assert.deepStrictEqual(hashParams.getAll('baz'), ['3']);
@@ -649,14 +696,13 @@ and we'll take you to the right place.`
         const homePage = new HomePage(driver);
         await homePage.checkPageIsLoaded();
 
-        const rawUrl = 'https://link.metamask.io/home?foo=1&foo=2&bar=3';
+        const rawUrl = 'https://link.metamask.io/test?foo=1&foo=2&bar=3';
 
         await driver.openNewURL(rawUrl);
         const deepLink = new DeepLink(driver);
         await deepLink.checkPageIsLoaded();
-        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
         await deepLink.clickContinueButton();
-        await homePage.checkPageIsLoaded();
+        const hashParams = getHashParams(new URL(await driver.getCurrentUrl()));
 
         assert.deepStrictEqual(hashParams.getAll('foo'), ['1', '2']);
         assert.deepStrictEqual(hashParams.getAll('bar'), ['3']);
diff --git a/test/e2e/tests/deep-link/helpers.ts b/test/e2e/tests/deep-link/helpers.ts
@@ -38,10 +38,8 @@ export async function signDeepLink(
   if (withSigParams) {
     const sigParams = [...new Set(signedUrl.searchParams.keys())];
 
-    if (sigParams.length) {
-      signedUrl.searchParams.append(SIG_PARAMS_PARAM, sigParams.join(','));
-      signedUrl.searchParams.sort();
-    }
+    signedUrl.searchParams.append(SIG_PARAMS_PARAM, sigParams.join(','));
+    signedUrl.searchParams.sort();
   }
 
   const signed = await crypto.subtle.sign(
@@ -98,9 +96,5 @@ export function cartesianProduct<T extends unknown[][]>(...sets: T) {
 export function getHashParams(url: URL) {
   const hash = url.hash.slice(1); // remove leading '#'
   const hashQuery = hash.split('?')[1] ?? '';
-  const hashParams = new URLSearchParams(hashQuery);
-  const encodedUrl = hashParams.get('u') ?? '';
-  const decodedUrl = decodeURIComponent(encodedUrl);
-  const decodedQuery = decodedUrl.split('?')[1] ?? '';
-  return new URLSearchParams(decodedQuery);
+  return new URLSearchParams(hashQuery);
 }
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "metamask-crx",`
`3`		`- "version": "13.10.3",`
	`3`	`+ "version": "13.10.4",`
`4`	`4`	`"private": true,`
`5`	`5`	`"repository": {`
`6`	`6`	`"type": "git",`