Merge branch 'main' into fix/low-severity-security

Limits token name to 64 chars and symbol to 12 chars to prevent
storage of excessively long values from malicious contracts.

src/content/index.js

@@ -13,6 +13,23 @@ if (typeof browser !== "undefined") {
     (document.head || document.documentElement).appendChild(script);
 }
 
+// Send the persisted EIP-6963 provider UUID to the inpage script.
+// Generated once at install time and stored in chrome.storage.local.
+(function sendProviderUuid() {
+    const storage =
+        typeof browser !== "undefined"
+            ? browser.storage.local
+            : chrome.storage.local;
+    storage.get("eip6963Uuid", (items) => {
+        let uuid = items?.eip6963Uuid;
+        if (!uuid) {
+            uuid = crypto.randomUUID();
+            storage.set({ eip6963Uuid: uuid });
+        }
+        window.postMessage({ type: "AUTISTMASK_PROVIDER_UUID", uuid }, "*");
+    });
+})();
+
 // Relay requests from the page to the background script
 window.addEventListener("message", (event) => {
     if (event.source !== window) return;

src/content/inpage.js

@@ -134,7 +134,7 @@
         // Some dApps (wagmi) check this to confirm MetaMask-like behavior
         _metamask: {
             isUnlocked() {
-                return Promise.resolve(true);
+                return Promise.resolve(provider.selectedAddress !== null);
             },
         },
     };
@@ -155,21 +155,36 @@
                 "</svg>",
         );
 
-    const providerInfo = {
+    let providerUuid = crypto.randomUUID(); // fallback until real UUID arrives
-        uuid: "f3c5b2a1-8d4e-4f6a-9c7b-1e2d3a4b5c6d",
+
-        name: "AutistMask",
+    function buildProviderInfo() {
-        icon: ICON_SVG,
+        return {
-        rdns: "berlin.sneak.autistmask",
+            uuid: providerUuid,
-    };
+            name: "AutistMask",
+            icon: ICON_SVG,
+            rdns: "berlin.sneak.autistmask",
+        };
+    }
 
     function announceProvider() {
         window.dispatchEvent(
             new CustomEvent("eip6963:announceProvider", {
-                detail: Object.freeze({ info: providerInfo, provider }),
+                detail: Object.freeze({
+                    info: buildProviderInfo(),
+                    provider,
+                }),
             }),
         );
     }
 
+    // Listen for the persisted UUID from the content script
+    window.addEventListener("message", (event) => {
+        if (event.source !== window) return;
+        if (event.data?.type !== "AUTISTMASK_PROVIDER_UUID") return;
+        providerUuid = event.data.uuid;
+        announceProvider();
+    });
+
     window.addEventListener("eip6963:requestProvider", announceProvider);
     announceProvider();
 })();

src/shared/balances.js

@@ -192,6 +192,10 @@ async function lookupTokenInfo(contractAddress, rpcUrl) {
         name = symbol;
     }
 
+    // Truncate to prevent storage of excessively long values from RPC
+    name = String(name).slice(0, 64);
+    symbol = String(symbol).slice(0, 12);
+
     log.infof("Token resolved:", symbol, "decimals", Number(decimals));
     return { name, symbol, decimals: Number(decimals) };
 }