Self-Relay Implementation Status
✅ What Works
❌ Vercel Deployment Issues
The deployment fails with
Root Cause
The beta
Attempted Fixes (None Worked)
Why warp-ui-template Works
The warp-ui-template does not use
📋 Recommended Courses of Action
🔧 Technical Notes
This comment summarizes findings from a debugging session on 2024-12-25
| if (first === 192 && second === 168) return true; | ||
| if (first === 172 && second >= 16 && second <= 31) return true; | ||
|
|
||
| return false; |
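Review bot: the range checks in this hunk compare octets produced by split('.').map(Number), which yields NaN for an IPv4-mapped IPv6 literal such as ::ffff:127.0.0.1 that net.isIP reports as IPv6, so `if (first === 192 && second === 168) return true;` and the 172.16/12 check silently fall through to `return false;`. Unwrap mapped literals to their dotted IPv4 form and reject any octet that is not an integer in 0..255 before these comparisons run.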
SSRF bypass via IPv6-mapped IPv4 addresses
High Severity
The hasBlockedHostname function doesn't block IPv6-mapped IPv4 addresses like ::ffff:127.0.0.1 or ::ffff:10.0.0.1. After the net.isIP check identifies these as IPv6 (returning 6), they don't match the explicit ::1, fc/fd, or fe80: checks. Then the .split('.').map(Number) logic produces NaN for the first element (e.g. '::ffff:127'), so all IPv4-range comparisons (first === 127, etc.) fail. This allows proxying requests to internal/loopback services via the IPv6-mapped representation.
Reviewed by Cursor Bugbot for commit 14b4ee7.
|
|
||
| return { | ||
| relay: mutation.mutate, | ||
| relayAsync: mutation.mutateAsync, |
Unused relayAsync export is dead code
Low Severity
relayAsync (wrapping mutation.mutateAsync) is exported from useSelfRelay but is never consumed anywhere in the codebase. Only relay (mutation.mutate) is actually used by SelfRelayButton. This is dead code that adds unnecessary API surface.
Reviewed by Cursor Bugbot for commit 14b4ee7.
|
|
||
| parsed.search = ''; | ||
| retainedParams.forEach(([key, value]) => parsed.searchParams.append(key, value)); | ||
|
|
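Review bot: after `parsed.search = '';` the retained params are re-appended, but the custom_rpc_header values lifted off the URL are forwarded as headers without any name or value check. Add a denylist (at least Host, Authorization, Cookie, X-Forwarded-For and the framing headers Content-Length, Transfer-Encoding, Connection) or, better, an allowlist of headers the upstream actually needs, and reject values containing CR/LF before they reach the upstream request.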
RPC proxy header values not sanitized against injection
Medium Severity
The stripCustomRpcHeaders function forwards user-controlled custom_rpc_header query parameters as arbitrary HTTP headers to the upstream server with no header-name blocklist. An attacker can set sensitive headers like Host, X-Forwarded-For, Authorization, or Cookie on requests to any allowed upstream, enabling request smuggling or header injection attacks through this unauthenticated proxy endpoint.
Reviewed by Cursor Bugbot for commit db05dfd.
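One way to gate the extracted headers, as an added example that is not the PR's stripCustomRpcHeaders: it assumes the query value format Name:Value (an assumption) and reuses the parsed/retainedParams names from the hunk above.

```javascript
// Added example, not the PR's stripCustomRpcHeaders: lifts custom_rpc_header
// query params (format "Name:Value" is an assumption) off the proxied URL and
// refuses header names/values that would let a caller steer the upstream request.
const BLOCKED_HEADERS = new Set([
  'host', 'authorization', 'cookie', 'x-forwarded-for', // named in the review
  'content-length', 'transfer-encoding', 'connection',  // request framing
]);
const HEADER_NAME = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/; // RFC 7230 token, lower-cased
const BAD_VALUE = /[\r\n\0]/;                       // CRLF / NUL injection

function stripCustomRpcHeaders(rawUrl) {
  const parsed = new URL(rawUrl);
  const headers = {};
  const retainedParams = [];
  const rejected = [];
  for (const [key, value] of parsed.searchParams) {
    if (key !== 'custom_rpc_header') {
      retainedParams.push([key, value]);
      continue;
    }
    const sep = value.indexOf(':');
    const name = sep < 0 ? '' : value.slice(0, sep).trim().toLowerCase();
    const headerValue = value.slice(sep + 1).trim();
    const ok = sep > 0 && HEADER_NAME.test(name) &&
      !BLOCKED_HEADERS.has(name) && !BAD_VALUE.test(headerValue);
    if (ok) headers[name] = headerValue;
    else rejected.push(value); // log these; they indicate probing of the proxy
  }
  // Rebuild the query without the header params, as the original hunk does.
  parsed.search = '';
  retainedParams.forEach(([key, value]) => parsed.searchParams.append(key, value));
  return { url: parsed.toString(), headers, rejected };
}
```

When the set of headers the upstream RPC needs is known, replace the denylist with an allowlist of exactly those names.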
Cursor Bugbot has reviewed your changes and found 2 potential issues.
There are 5 total unresolved issues (including 3 from previous reviews).
Reviewed by Cursor Bugbot for commit a14dd23.
| penalty: getRpcPenalty(rpcUrl.http), | ||
| })) | ||
| .sort((a, b) => a.penalty - b.penalty || a.index - b.index) | ||
| .map(({ rpcUrl }) => rpcUrl); |
Redundant filtering makes normalizeRpcUrls sort a no-op
Low Severity
normalizeRpcUrls calls filterPreferredRpcUrls first, which removes all deprioritized URLs (penalty > 0). It then calls getRpcPenalty on the already-filtered results — where every item has penalty 0 — making the .sort() by penalty meaningless. The sort-by-penalty logic can never differentiate any items, so it's dead code that only preserves insertion order.
Reviewed by Cursor Bugbot for commit a14dd23.
| } | ||
|
|
||
| const signer = await getEthersSigner(connector); | ||
| if (!signer) throw new Error('Could not get wallet signer'); |
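Review bot: `const signer = await getEthersSigner(connector);` is called right after the chain switch on the connector reference captured beforehand, so the provider it wraps may still be on the old chain. Re-read the connector's provider after switchChainAsync resolves and check that the signer's chainId equals the destination chain before building the relay transaction, failing with a clear error alongside `if (!signer) throw new Error('Could not get wallet signer');` when it does not.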
Signer fetched after chain switch may be stale
Medium Severity
After switchChainAsync completes, getEthersSigner(connector) is called with the connector reference captured before the chain switch. The connector's underlying provider may not yet reflect the new chain, potentially producing a signer connected to the wrong network. The signer retrieval needs to occur after the connector has fully settled on the new chain.
Reviewed by Cursor Bugbot for commit a14dd23.
Quick status update on the latest preview: We do not appear to be hitting the earlier size-related failure anymore. The preview now gets through the previous transport/bundle path and fails later in the self-relay flow. The remaining blocker is still metadata construction for some messages. The current failure mode is the relayer returning I'm continuing to narrow that down, but wanted to note that this no longer looks like the original size issue.
Summary
Self relay action on pending and failing EVM-to-EVM messages
window.ethereum directly
Why stack on #301
This PR originally depended on beta Hyperlane packages and a pile of Vercel/EMFILE workarounds. Rebasing it onto #301 keeps the feature on top of the stable dependency bump and the metadata-first, EVM-only runtime path that is already green, so this PR now carries the self-relay feature itself instead of reintroducing the old beta package surface and build-trace issues.
Dependencies
@hyperlane-xyz/core@11.3.1
@hyperlane-xyz/relayer@1.1.23
@hyperlane-xyz/sdk@32.0.0
@hyperlane-xyz/widgets@32.0.0
@rainbow-me/rainbowkit@2.2.0
wagmi@2.13.0
viem@2.39.3
@wagmi/connectors@5.5.0
Validation
pnpm run typecheck
pnpm run lint
pnpm run build
Notes
pnpm run test still fails on clean pr-301 too because Jest is missing jest-environment-jsdom, and the PI query tests currently choke on ESM in @hyperlane-xyz/tron-sdk. Those failures were not introduced by this PR.
🤖 Generated with Claude Code
Note
Medium Risk
Adds new server-side proxy endpoints and client-side relaying/wallet flows; although the RPC proxy includes hostname/IP allowlisting, mistakes here could enable SSRF or break RPC/relay behavior.
Overview
Restores EVM self-relay in the explorer UI: a new SelfRelayButton appears on pending/failing destination cards for EVM→EVM messages and uses the connected wallet (with automatic chain switching) to submit the relay transaction.
Introduces wallet connectivity via RainbowKit/wagmi (EvmWalletContext, ConnectWalletButton) and wires it into the app shell and header; adds NEXT_PUBLIC_WALLET_CONNECT_ID config to enable WalletConnect.
Adds browser-safe network access helpers: new /api/rpc-proxy (POST JSON-RPC proxy with hostname/IP blocking and optional header extraction) and /api/s3-proxy (GET-only allowlisted S3 JSON proxy), plus client helpers that proxy/normalize chain RPC URLs and patch the SDK's S3 validator fetches to go through the proxy.
Reviewed by Cursor Bugbot for commit a14dd23. Bugbot is set up for automated code reviews on this repo.