From 53a1554738bac1efa3213e13be433670a1d3525f Mon Sep 17 00:00:00 2001 From: Jongsun Suh Date: Mon, 4 Mar 2024 13:40:58 -0500 Subject: [PATCH] fix: unnecessary, unsafe base-controller patch (#8808) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## **Description** Removes a recently introduced base-controller patch that assigns the default argument `string` to the `AllowedAction` and `AllowedEvent` generic parameters of the class `RestrictedControllerMessenger`. This patch was created in https://github.com/MetaMask/metamask-mobile/commit/81e2d18d07ad2ef025e5ba088c3fff39a9a8e692 as part of an intended fix for the breaking changes introduced by `@metamask/base-controller` v4.0.0. The fix was accomplished by a later commit [`d3a1dc7` (#8607)](https://github.com/MetaMask/metamask-mobile/pull/8607/commits/d3a1dc7fdbcbd6c239eafa21d10720953207c24f), but the now-redundant patch was never removed. This patch is too dangerous to keep as is, because it negates the allowlist security we have in place for our controller-messengers. This potentially enables any messenger to access any external action or event without restrictions. The CI run shows that removing this patch does not break anything. This is because it's not actually affecting the code in any way (for now). TL;DR The patch is not only safe to remove -- it's unsafe not to remove. ## **Related issues** - Fixes issue introduced here https://github.com/MetaMask/metamask-mobile/pull/8607 - Patch was introduced as an intended fix for https://github.com/MetaMask/core/issues/3648. However, this issue is only relevant to the `ControllerMessenger.getRestrictedMessenger` method, and not to the `RestrictedControllerMessenger` class that is altered in the patch. ## **Manual testing steps** ## **Screenshots/Recordings** ## **Pre-merge author checklist** - [x] I’ve followed [MetaMask Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've clearly explained what problem this PR is solving and how it is solved. - [x] I've linked related issues - [ ] I've included manual testing steps - [x] I've included screenshots/recordings if applicable - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. - [x] I’ve properly set the pull request status: - [x] In case it's not yet "ready for review", I've set it to "draft". - [x] In case it's "ready for review", I've changed it from "draft" to "non-draft". ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --- patches/@metamask+base-controller+4.1.1.patch | 13 ------------- 1 file changed, 13 deletions(-) delete mode 100644 patches/@metamask+base-controller+4.1.1.patch diff --git a/patches/@metamask+base-controller+4.1.1.patch b/patches/@metamask+base-controller+4.1.1.patch deleted file mode 100644 index 72680b2b9b6..00000000000 --- a/patches/@metamask+base-controller+4.1.1.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/node_modules/@metamask/base-controller/dist/RestrictedControllerMessenger.d.ts b/node_modules/@metamask/base-controller/dist/RestrictedControllerMessenger.d.ts -index 423c1a9..5c62cb3 100644 ---- a/node_modules/@metamask/base-controller/dist/RestrictedControllerMessenger.d.ts -+++ b/node_modules/@metamask/base-controller/dist/RestrictedControllerMessenger.d.ts -@@ -15,7 +15,7 @@ import type { ActionConstraint, ActionHandler, ControllerMessenger, EventConstra - * @template AllowedEvent - A type union of the 'type' string for any allowed events. - * This must not include internal events that are in the messenger's namespace. - */ --export declare class RestrictedControllerMessenger { -+export declare class RestrictedControllerMessenger { - #private; - /** - * Constructs a restricted controller messenger