fix: canonicalize typed-sign data to prevent display/signing divergence#33187
fix: canonicalize typed-sign data to prevent display/signing divergence#33187jpuri wants to merge 4 commits into
Conversation
Duplicate JSON keys in eth_signTypedData_v3/v4 payloads could cause the UI regex-based value extraction to show a different amount than what JSON.parse produces at signing time. A malicious dapp could exploit this by placing a small decoy value before a nested object boundary and a large real value after it. Canonicalize the typed-data JSON via JSON.parse/JSON.stringify in generateRawSignature before passing it to SignatureController. This mirrors the normalizeTypedMessage step the extension performs via @metamask/eth-json-rpc-middleware.
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
🧪 Flaky unit test detectionRun history flaky detectionHistorical failure rate is a hint, not proof — review each suggestion in context. See the flaky-test-detection skill for the full pattern reference and manual audit workflow. Failures / runs sampled per window:
AI-detected flaky patterns
|
🔍 Smart E2E Test Selection
click to see 🤖 AI reasoning detailsE2E Test Selection: The test file adds unit tests covering: (1) duplicate key stripping, (2) last-occurrence value resolution, and (3) idempotent re-parsing. E2E impact: The SmokeConfirmations tag directly covers typed signature flows (V1, V3, V4) as confirmed by tests/smoke/confirmations/signatures/signatures-typed.spec.ts which tests TypedV1Sign, TypedV3Sign, and TypedV4Sign flows. The changed code path is exercised when a dApp sends eth_signTypedData_v3 or eth_signTypedData_v4 requests through the RPC middleware. No other user flows are affected: this is a targeted change in the RPC middleware layer for typed data signatures only. No UI components, navigation, account management, network selection, swap/stake/bridge flows, or browser functionality are modified. Performance Test Selection: |
|



Description
Improve typed sign validation in mobile.
Changelog
CHANGELOG entry:
Related issues
Fixes: https://consensyssoftware.atlassian.net/browse/CONF-1655
Manual testing steps
NA
Screenshots/Recordings
NA
Pre-merge author checklist
Performance checks (if applicable)
trace()for usage andaddTokenfor an exampleFor performance guidelines and tooling, see the Performance Guide.
Pre-merge reviewer checklist
Note
High Risk
Touches the signing path for typed-data RPC methods; incorrect canonicalization could change signed payloads, though the change is narrow and covered by regression tests.
Overview
Fixes a display vs signing mismatch for EIP-712 typed data on mobile by no longer forwarding the raw dapp JSON string into
SignatureController.canonicalizeTypedMessageDataround-trips the payload throughJSON.parse/JSON.stringify(invalid JSON is left unchanged). Duplicate keys collapse to the last value, aligning what the UI can derive with what signing uses—matching the extension’snormalizeTypedMessagebehavior.generateRawSignaturenow passes canonicalized data tonewUnsignedTypedMessagefor both v3 and v4.New middleware tests cover malicious duplicate-key payloads (e.g. two
message.valueentries separated by nested fields) foreth_signTypedData_v3andeth_signTypedData_v4.Reviewed by Cursor Bugbot for commit 291bc80. Bugbot is set up for automated code reviews on this repo. Configure here.