fix: untrusted composer data parsing (#484)
* fix: parsing of untrusted composer action data

* chore: changesets
dalechyn authored Sep 10, 2024
1 parent 84c4330 commit 34cfb2a
Showing 3 changed files with 23 additions and 4 deletions.
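--- a/.changeset/strong-needles-bake.md
+++ b/.changeset/strong-needles-bake.md
@@ -0,0 +1,5 @@
+---
+"frog": patch
+---
+
+Fixed an issue with parsing Composer Action data when verified is `false`.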
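--- a/src/utils/requestBodyToComposerActionBaseContext.ts
+++ b/src/utils/requestBodyToComposerActionBaseContext.ts
@@ -4,7 +4,10 @@ import type { ComposerActionBaseContext } from '../types/context.js'
 import type { Env } from '../types/env.js'
 import type { Hub } from '../types/hub.js'
 import { getRequestUrl } from './getRequestUrl.js'
-import { verifyComposerAction } from './verifyComposerAction.js'
+import {
+parseComposerActionDataState,
+verifyComposerAction,
+} from './verifyComposerAction.js'
 
 type RequestBodyToComposerActionBaseContextOptions = {
 hub?: Hub | undefined
@@ -35,6 +38,11 @@ export async function requestBodyToComposerActionBaseContext<
 
 const url = getRequestUrl(c.req)
 
+const untrustedComposerActionData = (() => {
+const state = parseComposerActionDataState(untrustedData.state)
+return { ...untrustedData, state }
+})()
+
 const trustedComposerActionData = await (async () => {
 if (verify === false) return null
 if (!trustedData) return null
@@ -56,7 +64,7 @@ export async function requestBodyToComposerActionBaseContext<
 
 return {
 env: c.env,
-actionData: trustedComposerActionData || untrustedData,
+actionData: trustedComposerActionData || untrustedComposerActionData,
 req: c.req,
 var: c.var,
 verified: Boolean(trustedComposerActionData),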
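Review bot: `untrustedComposerActionData` is built unconditionally, so `parseComposerActionDataState(untrustedData.state)` runs `JSON.parse(decodeURIComponent(...))` on the raw request body before any verification, and a malformed percent-escape or non-JSON `state` throws (`URIError` / `SyntaxError`) even for a request whose trusted data would have verified. Parsing only in the fallback keeps the unverified path off the verified one: `actionData: trustedComposerActionData || { ...untrustedData, state: parseComposerActionDataState(untrustedData.state) },`. A `try`/`catch` around that parse that maps the failure to a client error would stop a bad body surfacing as an unhandled exception, though how it surfaces today depends on the caller, which is not visible here. When `verified` is false the returned `actionData.state` is client-supplied JSON of arbitrary shape, which deserves a comment at the `return`. The function body begins and ends outside these hunks.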
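--- a/src/utils/verifyComposerAction.ts
+++ b/src/utils/verifyComposerAction.ts
@@ -21,7 +21,13 @@ export async function verifyComposerAction(
 }
 
 ////////////////////////////////////////////////////////////////////
-// Utilties
+// Utilities
 
+export function parseComposerActionDataState(
+state: string,
+): ComposerActionData['state'] {
+return JSON.parse(decodeURIComponent(state))
+}
+
 export function messageToComposerActionData(
 message: Message,
@@ -32,7 +38,7 @@ export function messageToComposerActionData(
 messageHash: bytesToHex(message.hash),
 network: message.data?.network!,
 timestamp: message.data?.timestamp!,
-state: JSON.parse(decodeURIComponent(bytesToString(frameActionBody.state))),
+state: parseComposerActionDataState(bytesToString(frameActionBody.state)),
 url: bytesToString(frameActionBody.url),
 buttonIndex: frameActionBody.buttonIndex as any,
 }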
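Review bot: `parseComposerActionDataState` has no doc comment, and its return annotation `ComposerActionData['state']` is satisfied only because `JSON.parse` returns `any`, so nothing checks the decoded value's shape at runtime. Since this commit also feeds the helper the unverified request body (in `requestBodyToComposerActionBaseContext.ts`), I would add a TSDoc block stating that it URI-decodes and then JSON-parses `state`, throws `URIError` or `SyntaxError` on malformed input, and returns an unvalidated value that callers must treat as untrusted unless the surrounding message was verified. Typing the intermediate as `const parsed: unknown = JSON.parse(decodeURIComponent(state))` and narrowing it before returning would make the missing validation visible to the compiler. `messageToComposerActionData` continues outside the second hunk.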
