Merge branch 'develop' into 17191/onboarding-unit-tests

.iyarc

@@ -15,3 +15,7 @@ GHSA-6fc8-4gx4-v693
 # patched version of 3.3.1. We can remove this once the
 # smart-transaction-controller updates its dependency.
 GHSA-8gh8-hqwg-xf34
+
+# request library is subject to SSRF.
+# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
+GHSA-p8p7-x288-28g6

.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch

@@ -0,0 +1,31 @@
+diff --git a/lib/redirect.js b/lib/redirect.js
+index b9150e77c73d63367845c0aec15b5684d900943f..2864f9f2abc481ecf2b2dd96b1293f5b93393efd 100644
+--- a/lib/redirect.js
++++ b/lib/redirect.js
+@@ -14,6 +14,7 @@ function Redirect (request) {
+   this.redirects = []
+   this.redirectsFollowed = 0
+   this.removeRefererHeader = false
++  this.allowInsecureRedirect = false
+ }
+
+ Redirect.prototype.onRequest = function (options) {
+@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
+   if (options.followOriginalHttpMethod !== undefined) {
+     self.followOriginalHttpMethod = options.followOriginalHttpMethod
+   }
++  if (options.allowInsecureRedirect !== undefined) {
++    self.allowInsecureRedirect = options.allowInsecureRedirect
++  }
+ }
+
+ Redirect.prototype.redirectTo = function (response) {
+@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
+   request.uri = url.parse(redirectTo)
+
+   // handle the case where we change protocol from https to http or vice versa
+-  if (request.uri.protocol !== uriPrev.protocol) {
++  if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
+     delete request.agent
+   }
+

app/scripts/lib/personal-message-manager.js

@@ -153,15 +153,6 @@ export default class PersonalMessageManager extends EventEmitter {
     const siwe = detectSIWE(msgParams);
     msgParams.siwe = siwe;
 
-    if (siwe.isSIWEMessage && req.origin) {
-      const { host } = new URL(req.origin);
-      if (siwe.parsedMessage.domain !== host) {
-        throw new Error(
-          `SIWE domain is not valid: "${host}" !== "${siwe.parsedMessage.domain}"`,
-        );
-      }
-    }
-
     // create txData obj with parameters and meta data
     const time = new Date().getTime();
     const msgId = createId();

app/scripts/lib/personal-message-manager.test.js

@@ -178,15 +178,5 @@ describe('Personal Message Manager', () => {
       const result2 = messageManager.getMsg(msgId2);
       expect(result2.msgParams.siwe.isSIWEMessage).toStrictEqual(false);
     });
-
-    it("should throw an error if the SIWE message's domain doesn't match", async () => {
-      const request = { origin: 'https://mismatched-domain.com' };
-      const { host: siweDomain } = new URL(origin);
-      const { host: browserDomain } = new URL(request.origin);
-      const expectedError = `SIWE domain is not valid: "${browserDomain}" !== "${siweDomain}"`;
-      await expect(async () => {
-        await messageManager.addUnapprovedMessage(msgParams, request);
-      }).rejects.toThrow(expectedError);
-    });
   });
 });