
fix: Blind-signing bypass in EIP-712 FULL filtering activation#982

Merged: apaillier-ledger merged 1 commit into develop from security/merlin-4b95fd1 on Apr 9, 2026

Conversation

@cerberus-production
Contributor

Closes #981

Summary

Automated security fix for Blind-signing bypass in EIP-712 FULL filtering activation (High).

CWE: CWE-306
OWASP: A01:2021-Broken Access Control
Fix Confidence: high

What Changed

The vulnerability allows a malicious host to bypass blind-signing protections by sending P2_FILT_ACTIVATE to switch into FULL filtering mode, without ever providing verified filter metadata. In FULL mode, the signing check ui_712_remaining_filters() == 0 trivially passes because filters_to_process defaults to 0.

The fix adds a message_info_received boolean flag to the UI context:

  1. In ui_logic.c: Added bool message_info_received field to t_ui_context struct. Set it to true in ui_712_set_filters_count(), which is only called from filtering_message_info() after successful cryptographic signature verification. Added getter ui_712_message_info_received().
  2. In ui_logic.h: Declared the new ui_712_message_info_received() function.
  3. In commands_712.c: Modified the FULL filtering check in handle_eip712_sign() to also require ui_712_message_info_received() to be true, preventing signing when no verified MESSAGE_INFO was processed.

Since the struct is allocated with APP_MEM_CALLOC (zero-initialization), message_info_received defaults to false, ensuring the gate is closed until a properly signed MESSAGE_INFO packet is processed.

Caveats

  • The fix does not prevent the mode switch to FULL at P2_FILT_ACTIVATE time - it only blocks signing. This is intentional as a minimal fix: the mode switch itself is not harmful if signing is gated on verified metadata.
  • If there are legitimate flows where FULL filtering mode should work without a MESSAGE_INFO packet, this fix would break them. However, based on the code analysis, filtering_message_info is the only function that sets filters_to_process via ui_712_set_filters_count, so FULL mode always requires it in normal operation.

Verification Checklist

  • Review the code change
  • Run tests to verify no regression
  • Verify the vulnerability is addressed — already verified by Cerberus Sentinel

Created by Cerberus Merlin
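A runnable C model of the gate described in the PR body, added here as an illustration and not code from this PR or from the Ledger app: the struct layout, the `ui_712_filter_processed` helper, `filtering_activate` and the `scenario` function are assumptions that follow the names in the description, and `calloc` stands in for APP_MEM_CALLOC. It shows the pre-fix check passing on a zeroed context after P2_FILT_ACTIVATE, and the post-fix check staying closed until a verified MESSAGE_INFO has set `message_info_received`.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical, simplified model of the EIP-712 UI context described in this PR.
 * Names follow the PR text; the field layout and the scenario helper are assumptions. */
typedef enum { FILTERING_BASIC = 0, FILTERING_FULL = 1 } e_filtering_mode;
typedef struct {
    e_filtering_mode filtering_mode;
    unsigned int filters_to_process;  /* filters still expected from the host */
    bool message_info_received;       /* flag added by the fix */
} t_ui_context;

/* Only reached from the verified MESSAGE_INFO path, so it alone opens the gate. */
void ui_712_set_filters_count(t_ui_context *ctx, unsigned int count) {
    ctx->filters_to_process = count;
    ctx->message_info_received = true;
}
/* Each filter packet that passed its own check consumes one expected slot (assumed helper). */
void ui_712_filter_processed(t_ui_context *ctx) {
    if (ctx->filters_to_process > 0) ctx->filters_to_process--;
}
unsigned int ui_712_remaining_filters(const t_ui_context *ctx) { return ctx->filters_to_process; }
bool ui_712_message_info_received(const t_ui_context *ctx) { return ctx->message_info_received; }

/* P2_FILT_ACTIVATE: host-controlled mode switch, still permitted after the fix. */
void filtering_activate(t_ui_context *ctx) { ctx->filtering_mode = FILTERING_FULL; }
/* Pre-fix gate from handle_eip712_sign(): FULL mode only asked "no filters left?",
 * which a freshly zeroed context satisfies trivially. */
bool sign_allowed_before_fix(const t_ui_context *ctx) {
    return ctx->filtering_mode != FILTERING_FULL || ui_712_remaining_filters(ctx) == 0;
}
/* Post-fix gate: additionally require that a verified MESSAGE_INFO was processed. */
bool sign_allowed_after_fix(const t_ui_context *ctx) {
    return ctx->filtering_mode != FILTERING_FULL ||
           (ui_712_message_info_received(ctx) && ui_712_remaining_filters(ctx) == 0);
}
/* Scenario: the host activates FULL; if `verified`, a MESSAGE_INFO announcing `count`
 * filters passes verification and all filters arrive. Returns whether the gate lets signing through. */
bool scenario(bool verified, unsigned int count, bool with_fix) {
    t_ui_context *ctx = calloc(1, sizeof *ctx);  /* APP_MEM_CALLOC: flag starts false */
    if (!ctx) return false;
    filtering_activate(ctx);
    if (verified) {
        ui_712_set_filters_count(ctx, count);    /* filtering_message_info() succeeded */
        for (unsigned int i = 0; i < count; i++) ui_712_filter_processed(ctx);
    }
    bool ok = with_fix ? sign_allowed_after_fix(ctx) : sign_allowed_before_fix(ctx);
    free(ctx);
    return ok;
}
```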

@codecov-commenter

codecov-commenter commented Apr 9, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 55.02%. Comparing base (d0275cf) to head (f132072).
⚠️ Report is 29 commits behind head on develop.

Additional details and impacted files
@@           Coverage Diff            @@
##           develop     #982   +/-   ##
========================================
  Coverage    55.02%   55.02%           
========================================
  Files           16       16           
  Lines         1592     1592           
  Branches       198      195    -3     
========================================
  Hits           876      876           
+ Misses         680      678    -2     
- Partials        36       38    +2     
Flag        Coverage Δ
unittests   55.02% <ø> (ø)

apaillier-ledger merged commit b9b3a4b into develop on Apr 9, 2026
225 checks passed
apaillier-ledger deleted the security/merlin-4b95fd1 branch on April 9, 2026 at 15:48

Development

Successfully merging this pull request may close these issues.

[High] Blind-signing bypass in EIP-712 FULL filtering activation
