fix: prevent subdomain confusion attacks in RPC domain validation (#17234)

Replace vulnerable `endsWith()` with secure dot-prefix validation to
prevent malicious domains like 'evilinfura.io' from being misclassified.

- Add `ALLOWED_PROVIDER_DOMAINS` constant for clear business logic
- Add `isAllowedProviderDomain()` with secure `endsWith('.${domain}')`
validation
- Simplify `extractRpcDomain()` provider validation logic
- Add comprehensive security tests and edge case coverage

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

This PR fixes a security vulnerability where `extractRpcDomain()` used
vulnerable `endsWith()` checks that allowed subdomain confusion attacks.
Malicious domains like `evilinfura.io` or `fakealchemyapi.io` were
incorrectly classified as legitimate provider domains.

**What is the reason for the change?**
The security audit flagged "Incomplete URL substring sanitization"
because `endsWith('infura.io')` accepts any domain ending with those
characters, including malicious domains.

**What is the improvement/solution?**
Replaced vulnerable `endsWith('infura.io')` with secure
`endsWith('.infura.io')` validation. The dot prefix ensures only
legitimate subdomains are accepted:
- ✅ `mainnet.infura.io` ends with `.infura.io` → legitimate subdomain
- ❌ `evilinfura.io` does NOT end with `.infura.io` → blocked as
malicious

## **Changelog**

CHANGELOG entry: Fixed security vulnerability in RPC domain validation
that could allow malicious domains to be misclassified as legitimate
providers

## **Related issues**

Fixes: Security audit finding - "Incomplete URL substring sanitization"

## **Manual testing steps**

1. **Verify existing RPC domain tracking works**:
   - Submit transactions using default Infura RPC
- Check logs show `"rpc_domain": "mainnet.infura.io"` in MetaMetrics
events
- Confirm both "Transaction Approved" and "Transaction Finalized" events
include the property

2. **Security validation through unit tests**:
   - Run `yarn test app/util/rpc-domain-utils.test.ts` to verify:
- Legitimate domains work: `mainnet.infura.io` → `"mainnet.infura.io"`
     - Malicious domains blocked: `evilinfura.io` → `"private"`
     - The security fix prevents subdomain confusion attacks

3. **Verification summary**:
   - Manual testing confirms existing functionality is preserved
   - Unit tests validate the security vulnerability is fixed

## **Screenshots/Recordings**


https://github.com/user-attachments/assets/dcb9f1f0-a908-4de1-8a61-ab4aa41cde77

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [x] I’ve followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [x] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [x] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

Author: httpJunkie

CHANGELOG.md

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- fix: Security vulnerability in RPC domain validation that could allow malicious domains to be misclassified as legitimate providers ([#17234](https://github.com/MetaMask/metamask-mobile/pull/17234))
+
 ## [7.50.1]
 
 ### Fixed

app/util/rpc-domain-utils.test.ts

@@ -303,7 +303,122 @@ describe('rpc-domain-utils', () => {
         expect(result).toBe('known-domain.com');
       });
     });
+
+    describe('Security tests for provider domain validation', () => {
+      beforeEach(async () => {
+        setupTestEnvironment();
+        const mockChains: SafeChain[] = [
+          {
+            chainId: '1',
+            name: 'Test Chain',
+            nativeCurrency: { symbol: 'TEST' },
+            rpc: ['https://known-domain.com/api'],
+          },
+        ];
+        (StorageWrapper.getItem as jest.Mock).mockResolvedValue(
+          JSON.stringify(mockChains),
+        );
+        await initializeRpcProviderDomains();
+      });
+
+      describe('Infura provider domain validation', () => {
+        it('returns domain for legitimate Infura domains and subdomains', () => {
+          expect(extractRpcDomain('https://infura.io')).toBe('infura.io');
+          expect(extractRpcDomain('https://mainnet.infura.io')).toBe(
+            'mainnet.infura.io',
+          );
+          expect(extractRpcDomain('https://goerli.infura.io')).toBe(
+            'goerli.infura.io',
+          );
+          expect(extractRpcDomain('https://api.infura.io')).toBe(
+            'api.infura.io',
+          );
+          expect(extractRpcDomain('https://v1.api.infura.io')).toBe(
+            'v1.api.infura.io',
+          );
+        });
+
+        it('returns private for malicious domains that end with infura.io but are not subdomains', () => {
+          expect(extractRpcDomain('https://evilinfura.io')).toBe('private');
+          expect(extractRpcDomain('https://malicious-infura.io')).toBe(
+            'private',
+          );
+          expect(extractRpcDomain('https://fakeinfura.io')).toBe('private');
+          expect(extractRpcDomain('https://notinfura.io')).toBe('private');
+        });
+      });
+
+      describe('Alchemy provider domain validation', () => {
+        it('returns domain for legitimate Alchemy domains and subdomains', () => {
+          expect(extractRpcDomain('https://alchemyapi.io')).toBe(
+            'alchemyapi.io',
+          );
+          expect(extractRpcDomain('https://eth-mainnet.alchemyapi.io')).toBe(
+            'eth-mainnet.alchemyapi.io',
+          );
+          expect(
+            extractRpcDomain('https://polygon-mainnet.alchemyapi.io'),
+          ).toBe('polygon-mainnet.alchemyapi.io');
+          expect(extractRpcDomain('https://eth.v2.alchemyapi.io')).toBe(
+            'eth.v2.alchemyapi.io',
+          );
+        });
+
+        it('returns private for malicious domains that end with alchemyapi.io but are not subdomains', () => {
+          expect(extractRpcDomain('https://evilalchemyapi.io')).toBe('private');
+          expect(extractRpcDomain('https://malicious-alchemyapi.io')).toBe(
+            'private',
+          );
+          expect(extractRpcDomain('https://fakealchemyapi.io')).toBe('private');
+          expect(extractRpcDomain('https://notalchemyapi.io')).toBe('private');
+        });
+      });
+
+      describe('Edge cases for provider domain validation', () => {
+        it('handles case sensitivity correctly', () => {
+          expect(extractRpcDomain('https://MAINNET.INFURA.IO')).toBe(
+            'mainnet.infura.io',
+          );
+          expect(extractRpcDomain('https://ETH-MAINNET.ALCHEMYAPI.IO')).toBe(
+            'eth-mainnet.alchemyapi.io',
+          );
+        });
+
+        it('returns private for domains with similar but different TLDs', () => {
+          expect(extractRpcDomain('https://mainnet.infura.com')).toBe(
+            'private',
+          );
+          expect(extractRpcDomain('https://eth-mainnet.alchemyapi.com')).toBe(
+            'private',
+          );
+        });
+
+        it('prevents subdomain confusion attacks (security fix validation)', () => {
+          // These domains would have passed the old endsWith check but should be blocked
+          const attackDomains = [
+            'https://evilinfura.io',
+            'https://maliciousinfura.io',
+            'https://fakeinfura.io',
+            'https://evilalchemyapi.io',
+            'https://maliciousalchemyapi.io',
+            'https://fakealchemyapi.io',
+          ];
+
+          attackDomains.forEach((domain) => {
+            expect(extractRpcDomain(domain)).toBe('private');
+          });
+        });
+
+        it('handles exact base domain matches', () => {
+          expect(extractRpcDomain('https://infura.io')).toBe('infura.io');
+          expect(extractRpcDomain('https://alchemyapi.io')).toBe(
+            'alchemyapi.io',
+          );
+        });
+      });
+    });
   });
+
   describe('getNetworkRpcUrl', () => {
     describe('when retrieving RPC URLs', () => {
       it('returns RPC URL from legacy format', () => {

app/util/rpc-domain-utils.ts

@@ -116,6 +116,26 @@ function parseDomain(url: string): string | undefined {
   }
 }
 
+// Allowed provider domains for RPC endpoint validation
+const ALLOWED_PROVIDER_DOMAINS = new Set(['infura.io', 'alchemyapi.io']);
+
+/**
+ * Check if a hostname is an allowed provider domain or legitimate subdomain
+ * @param hostname - The hostname to check
+ * @returns True if the hostname is allowed, false otherwise
+ */
+function isAllowedProviderDomain(hostname: string): boolean {
+  // Check exact match first
+  if (ALLOWED_PROVIDER_DOMAINS.has(hostname)) {
+    return true;
+  }
+
+  // Check if it's a legitimate subdomain of any allowed domain
+  return [...ALLOWED_PROVIDER_DOMAINS].some((allowedDomain) =>
+    hostname.endsWith(`.${allowedDomain}`),
+  );
+}
+
 /**
  * Extracts the domain from an RPC URL for analytics tracking
  * @param rpcUrl - The RPC URL to extract domain from
@@ -126,23 +146,22 @@ export function extractRpcDomain(rpcUrl: string): RpcDomainStatus | string {
   if (!domain) {
     return RpcDomainStatus.Invalid;
   }
+
   // Check if this is a known domain
   if (isKnownDomain(domain)) {
     return domain;
   }
-  // Special case for Infura subdomains - always return the actual domain
-  // even if not in the known domains list
-  if (domain.includes('infura.io')) {
-    return domain;
-  }
-  // Special case for Alchemy subdomains
-  if (domain.endsWith('alchemyapi.io')) {
+
+  // Check if it's an allowed provider domain (Infura, Alchemy, etc.)
+  if (isAllowedProviderDomain(domain)) {
     return domain;
   }
+
   // Special case for local/development nodes
   if (domain === 'localhost' || domain === '127.0.0.1') {
     return RpcDomainStatus.Private;
   }
+
   // For all other domains, return "private" for privacy
   return RpcDomainStatus.Private;
 }