Merge pull request 'fix: low-severity security findings L3, L4, L5 (closes #6)' (#8) from fix/low-severity-security into main

Reviewed-on: #8

src/content/index.js

@@ -13,6 +13,26 @@ if (typeof browser !== "undefined") {
     (document.head || document.documentElement).appendChild(script);
 }
 
+// Send the persisted EIP-6963 provider UUID to the inpage script.
+// Generated once at install time and stored in chrome.storage.local.
+(function sendProviderUuid() {
+    const storage =
+        typeof browser !== "undefined"
+            ? browser.storage.local
+            : chrome.storage.local;
+    storage.get("eip6963Uuid", (items) => {
+        let uuid = items?.eip6963Uuid;
+        if (!uuid) {
+            uuid = crypto.randomUUID();
+            storage.set({ eip6963Uuid: uuid });
+        }
+        window.postMessage(
+            { type: "AUTISTMASK_PROVIDER_UUID", uuid },
+            location.origin,
+        );
+    });
+})();
+
 // Relay requests from the page to the background script
 window.addEventListener("message", (event) => {
     if (event.source !== window) return;

src/content/inpage.js

@@ -9,7 +9,7 @@
     const pending = {};
 
     // Listen for responses from the content script
-    window.addEventListener("message", (event) => {
+    window.addEventListener("message", function onUuid(event) {
         if (event.source !== window) return;
         if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
         const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
     });
 
     // Listen for events pushed from the extension
-    window.addEventListener("message", (event) => {
+    window.addEventListener("message", function onUuid(event) {
         if (event.source !== window) return;
         if (event.data?.type !== "AUTISTMASK_EVENT") return;
         const { eventName, data } = event.data;
@@ -134,7 +134,7 @@
         // Some dApps (wagmi) check this to confirm MetaMask-like behavior
         _metamask: {
             isUnlocked() {
-                return Promise.resolve(true);
+                return Promise.resolve(provider.selectedAddress !== null);
             },
         },
     };
@@ -155,21 +155,38 @@
                 "</svg>",
         );
 
-    const providerInfo = {
-        uuid: "f3c5b2a1-8d4e-4f6a-9c7b-1e2d3a4b5c6d",
+    let providerUuid = crypto.randomUUID(); // fallback until real UUID arrives
+
+    function buildProviderInfo() {
+        return {
+            uuid: providerUuid,
             name: "AutistMask",
             icon: ICON_SVG,
             rdns: "berlin.sneak.autistmask",
         };
+    }
 
     function announceProvider() {
         window.dispatchEvent(
             new CustomEvent("eip6963:announceProvider", {
-                detail: Object.freeze({ info: providerInfo, provider }),
+                detail: Object.freeze({
+                    info: buildProviderInfo(),
+                    provider,
+                }),
             }),
         );
     }
 
+    // Listen for the persisted UUID from the content script
+    function onProviderUuid(event) {
+        if (event.source !== window) return;
+        if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+        window.removeEventListener("message", onProviderUuid);
+        providerUuid = event.data.uuid;
+        announceProvider();
+    }
+    window.addEventListener("message", onProviderUuid);
+
     window.addEventListener("eip6963:requestProvider", announceProvider);
     announceProvider();
 })();

src/shared/balances.js

@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
         name = symbol;
     }
 
+    // Truncate to prevent storage of excessively long values from RPC
+    name = String(name).slice(0, 64);
+    symbol = String(symbol).slice(0, 12);
+
     log.infof("Token resolved:", symbol, "decimals", Number(decimals));
     return { name, symbol, decimals: Number(decimals) };
 }