Merge branch 'main' into fix/low-severity-security

fix(L5): truncate token name/symbol from RPC responses
Limits token name to 64 chars and symbol to 12 chars to prevent storage of excessively long values from malicious contracts.
2026-02-27 20:58:09 +01:00 · 2026-02-27 11:42:18 -08:00 · 2026-02-27 11:42:15 -08:00 · 2026-02-27 11:42:11 -08:00
2 changed files with 5 additions and 7 deletions
--- a/src/content/index.js
+++ b/src/content/index.js
@@ -26,7 +26,7 @@ if (typeof browser !== "undefined") {
            uuid = crypto.randomUUID();
            storage.set({ eip6963Uuid: uuid });
        }
-        window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, location.origin);
+        window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
    });
 })();

--- a/src/content/inpage.js
+++ b/src/content/inpage.js
@@ -9,7 +9,7 @@
    const pending = {};

    // Listen for responses from the content script
-    window.addEventListener("message", function onUuid(event) {
+    window.addEventListener("message", (event) => {
        if (event.source !== window) return;
        if (event.data?.type !== "AUTISTMASK_RESPONSE") return;
        const { id, result, error } = event.data;
@@ -24,7 +24,7 @@
    });

    // Listen for events pushed from the extension
-    window.addEventListener("message", function onUuid(event) {
+    window.addEventListener("message", (event) => {
        if (event.source !== window) return;
        if (event.data?.type !== "AUTISTMASK_EVENT") return;
        const { eventName, data } = event.data;
@@ -178,14 +178,12 @@
    }

    // Listen for the persisted UUID from the content script
-    function onProviderUuid(event) {
+    window.addEventListener("message", (event) => {
        if (event.source !== window) return;
        if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
-        window.removeEventListener("message", onProviderUuid);
        providerUuid = event.data.uuid;
        announceProvider();
-    }
-    window.addEventListener("message", onProviderUuid);
+    });

    window.addEventListener("eip6963:requestProvider", announceProvider);
    announceProvider();
Author	SHA1	Message	Date
Jeffrey Paul	cabf8311e5	Merge branch 'main' into fix/low-severity-security All checks were successful check / check (push) Successful in 22s Details	2026-02-27 20:58:09 +01:00
clawbot	fbcb679bcf	fix(L5): truncate token name/symbol from RPC responses All checks were successful check / check (push) Successful in 22s Details Limits token name to 64 chars and symbol to 12 chars to prevent storage of excessively long values from malicious contracts.	2026-02-27 11:42:18 -08:00
clawbot	aa15f771d5	fix(L4): generate EIP-6963 provider UUID at install time UUID is generated once via crypto.randomUUID(), persisted in chrome.storage.local, and sent from the content script to the inpage script via postMessage.	2026-02-27 11:42:15 -08:00
clawbot	571f2d6906	fix(L3): isUnlocked() returns false when no accounts exposed _metamask.isUnlocked() now checks provider.selectedAddress instead of always returning true.	2026-02-27 11:42:11 -08:00