fix: low-severity security findings L3, L4, L5 (closes #6) #8

Merged
sneak merged 7 commits from fix/low-severity-security into main 2026-02-27 23:19:09 +01:00

7 Commits

Author SHA1 Message Date
cacf2c683c Merge branch 'main' into fix/low-severity-security
All checks were successful
check / check (push) Successful in 22s
2026-02-27 23:18:53 +01:00
4fdbc5adae fmt: prettier format content/index.js
All checks were successful
check / check (push) Successful in 21s
2026-02-27 14:10:37 -08:00
85427e1fd4 Merge branch 'main' into fix/low-severity-security
Some checks failed
check / check (push) Failing after 13s
2026-02-27 23:08:40 +01:00
27f16191b4 fix(L4): use location.origin for postMessage, one-shot UUID listener
Some checks failed
check / check (push) Failing after 13s
- Content script sends UUID via location.origin instead of "*"
- Inpage UUID listener removes itself after first message to prevent
  malicious pages from overriding the persisted UUID
2026-02-27 11:58:57 -08:00
909543e943 fix(L5): truncate token name/symbol from RPC responses
Limits token name to 64 chars and symbol to 12 chars to prevent
storage of excessively long values from malicious contracts.
2026-02-27 11:58:19 -08:00
04a34d1a5e fix(L4): generate EIP-6963 provider UUID at install time
UUID is generated once via crypto.randomUUID(), persisted in
chrome.storage.local, and sent from the content script to the
inpage script via postMessage.
2026-02-27 11:58:19 -08:00
98f68adb11 fix(L3): isUnlocked() returns false when no accounts exposed
_metamask.isUnlocked() now checks provider.selectedAddress instead of
always returning true.
2026-02-27 11:58:19 -08:00
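
The L4 change described in commits 04a34d1a5e and 27f16191b4 (UUID posted to `location.origin` rather than `"*"`, and an inpage listener that removes itself after the first message) can be sketched as follows. This is an added example, not the extension's own code: `MSG_TYPE`, `sendUuid`, `installUuidListener` and `FakeWindow` are hypothetical names, and `FakeWindow` is a stand-in for `window` so the flow runs under Node.

```javascript
// Added example; MSG_TYPE, sendUuid, installUuidListener, FakeWindow are hypothetical names.
const MSG_TYPE = "PROVIDER_UUID";

// Content-script side: address the message to our own origin, not "*".
function sendUuid(win, uuid) {
  win.postMessage({ type: MSG_TYPE, uuid }, win.location.origin);
}

// Inpage side: take the first well-formed UUID message, then detach.
function installUuidListener(win, onUuid) {
  function handler(event) {
    if (event.source !== win) return; // ignore other frames/windows
    if (event.origin !== win.location.origin) return;
    const d = event.data;
    if (!d || d.type !== MSG_TYPE || typeof d.uuid !== "string") return;
    win.removeEventListener("message", handler); // one-shot: later messages are not heard
    onUuid(d.uuid);
  }
  win.addEventListener("message", handler);
}

// Minimal stand-in for window so the flow runs under Node (delivery is
// synchronous here; browsers deliver postMessage asynchronously).
class FakeWindow extends EventTarget {
  constructor(origin) {
    super();
    this.location = { origin };
  }
  postMessage(data, targetOrigin) {
    if (targetOrigin !== "*" && targetOrigin !== this.location.origin) return;
    const ev = new Event("message");
    Object.assign(ev, { data, origin: this.location.origin, source: this });
    this.dispatchEvent(ev);
  }
}

// Constructed scenario: the content script sends the persisted UUID, then a
// second message arrives on the same window trying to replace it.
function demo() {
  const win = new FakeWindow("https://dapp.example");
  const accepted = [];
  installUuidListener(win, (uuid) => accepted.push(uuid));
  sendUuid(win, "3f2b8c1e-0000-4000-8000-000000000001"); // constructed UUID
  win.postMessage({ type: MSG_TYPE, uuid: "overridden-by-page" }, "*");
  return accepted;
}
```

The source and origin checks cannot tell the content script from page scripts, since both post on the same window; removing the listener after the first accepted message is what blocks later overrides.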