From 34cfb2ade3e7d6db0612389d02e047b9c9da8979 Mon Sep 17 00:00:00 2001
From: Vladyslav Dalechyn
Date: Tue, 10 Sep 2024 14:04:38 +0300
Subject: [PATCH] fix: untrusted composer data parsing (#484)

* fix: parsing of untrusted composer action data
* chore: changesets
---
 .changeset/strong-needles-bake.md | 5 +++++
 src/utils/requestBodyToComposerActionBaseContext.ts | 12 ++++++++++--
 src/utils/verifyComposerAction.ts | 10 ++++++++--
 3 files changed, 23 insertions(+), 4 deletions(-)
 create mode 100644 .changeset/strong-needles-bake.md

diff --git a/.changeset/strong-needles-bake.md b/.changeset/strong-needles-bake.md
new file mode 100644
index 00000000..7f4d59d3
--- /dev/null
+++ b/.changeset/strong-needles-bake.md
@@ -0,0 +1,5 @@
+---
+"frog": patch
+---
+
+Fixed an issue with parsing Composer Action data when verified is `false`.
diff --git a/src/utils/requestBodyToComposerActionBaseContext.ts b/src/utils/requestBodyToComposerActionBaseContext.ts
index 492c5b9e..9009dcbe 100644
--- a/src/utils/requestBodyToComposerActionBaseContext.ts
+++ b/src/utils/requestBodyToComposerActionBaseContext.ts
@@ -4,7 +4,10 @@ import type { ComposerActionBaseContext } from '../types/context.js'
 import type { Env } from '../types/env.js'
 import type { Hub } from '../types/hub.js'
 import { getRequestUrl } from './getRequestUrl.js'
-import { verifyComposerAction } from './verifyComposerAction.js'
+import {
+ parseComposerActionDataState,
+ verifyComposerAction,
+} from './verifyComposerAction.js'

 type RequestBodyToComposerActionBaseContextOptions = {
 hub?: Hub | undefined
@@ -35,6 +38,11 @@ export async function requestBodyToComposerActionBaseContext<

 const url = getRequestUrl(c.req)

+ const untrustedComposerActionData = (() => {
+ const state = parseComposerActionDataState(untrustedData.state)
+ return { ...untrustedData, state }
+ })()
+
 const trustedComposerActionData = await (async () => {
 if (verify === false) return null
 if (!trustedData) return null
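Review bot: The added IIFE in the `@@ -35,6 +38,11 @@` hunk calls `parseComposerActionDataState(untrustedData.state)` on every request, before the verification step, and `JSON.parse(decodeURIComponent(...))` throws `URIError` or `SyntaxError` on a malformed `state`. An unauthenticated body can therefore make this function reject even when `trustedData` would verify and the untrusted copy would be discarded. Consider deferring the parse to the fallback path, e.g. `const untrustedComposerActionData = () => ({ ...untrustedData, state: parseComposerActionDataState(untrustedData.state) })`, invoked only where `trustedComposerActionData` is null (the `actionData:` line in the next hunk), and catching the parse error there so it becomes a client-error response. How the exception surfaces today depends on callers not shown here; the function body starts and ends outside this hunk.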
@@ -56,7 +64,7 @@ export async function requestBodyToComposerActionBaseContext<

 return {
 env: c.env,
- actionData: trustedComposerActionData || untrustedData,
+ actionData: trustedComposerActionData || untrustedComposerActionData,
 req: c.req,
 var: c.var,
 verified: Boolean(trustedComposerActionData),
diff --git a/src/utils/verifyComposerAction.ts b/src/utils/verifyComposerAction.ts
index ecb45c5b..eda77c7c 100644
--- a/src/utils/verifyComposerAction.ts
+++ b/src/utils/verifyComposerAction.ts
@@ -21,7 +21,13 @@ export async function verifyComposerAction(
 }

 ////////////////////////////////////////////////////////////////////
-// Utilties
+// Utilities
+
+export function parseComposerActionDataState(
+ state: string,
+): ComposerActionData['state'] {
+ return JSON.parse(decodeURIComponent(state))
+}

 export function messageToComposerActionData(
 message: Message,
@@ -32,7 +38,7 @@ export function messageToComposerActionData(
 messageHash: bytesToHex(message.hash),
 network: message.data?.network!,
 timestamp: message.data?.timestamp!,
- state: JSON.parse(decodeURIComponent(bytesToString(frameActionBody.state))),
+ state: parseComposerActionDataState(bytesToString(frameActionBody.state)),
 url: bytesToString(frameActionBody.url),
 buttonIndex: frameActionBody.buttonIndex as any,
 }
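Review bot: `parseComposerActionDataState`, added in the first `verifyComposerAction.ts` hunk, returns the `any` from `JSON.parse` under the declared type `ComposerActionData['state']` with no runtime check. With this commit, request-supplied JSON (including `null`, a number, or an object with unexpected keys) reaches handlers as if it had that shape whenever `verified` is false. Add a guard after parsing, at minimum `if (typeof parsed !== 'object' || parsed === null) throw new TypeError('invalid composer action state')`, and validate the fields handlers rely on; the exact shape of `ComposerActionData['state']` is declared outside this diff. Since the helper is now exported, a TSDoc comment stating that it throws `URIError`/`SyntaxError` on malformed input and that its result is unvalidated when fed unverified data would help callers.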