Merge branch 'main' into ogp/5035

Author: OGPoyraz

.depcheckrc.yml

@@ -53,7 +53,6 @@ ignores:
   - 'improved-yarn-audit'
   - 'jetifier'
   - 'metro-react-native-babel-preset'
-  - 'octonode'
   - 'prettier-plugin-gherkin'
   - 'react-native-svg-asset-plugin'
   - 'regenerator-runtime'

.github/CODEOWNERS

@@ -53,6 +53,7 @@ app/components/UI/Card/              @MetaMask/card
 
 # Confirmation Team
 app/components/Views/confirmations                          @MetaMask/confirmations
+app/components/Views/confirmations/external/staking          @MetaMask/confirmations @MetaMask/metamask-earn                
 app/core/Engine/controllers/approval-controller             @MetaMask/confirmations
 app/core/Engine/controllers/gas-fee-controller              @MetaMask/confirmations
 app/core/Engine/controllers/signature-controller            @MetaMask/confirmations

.storybook/storybook.requires.js

@@ -7,6 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+- fix: Security vulnerability in RPC domain validation that could allow malicious domains to be misclassified as legitimate providers ([#17234](https://github.com/MetaMask/metamask-mobile/pull/17234))
+
 ## [7.50.1]
 
 ### Fixed

CHANGELOG.md

@@ -8,6 +8,7 @@ import {
 } from './';
 import { wordlist } from '@metamask/scure-bip39/dist/wordlists/english';
 import { createMockInternalAccount } from '../../util/test/accountsControllerTestUtils';
+import { TraceName, TraceOperation } from '../../util/trace';
 import ReduxService from '../../core/redux/ReduxService';
 import { RootState } from '../../reducers';
 
@@ -28,6 +29,12 @@ const mockControllerMessenger = jest.fn();
 const mockAddDiscoveredAccounts = jest.fn();
 const mockGetAccountByAddress = jest.fn().mockReturnValue(mockExpectedAccount);
 
+// Mock for seedless onboarding
+const mockSelectSeedlessOnboardingLoginFlow = jest.fn();
+const mockAddNewSeedPhraseBackup = jest.fn();
+const mockTrace = jest.fn();
+const mockEndTrace = jest.fn();
+
 const hdKeyring = {
   getAccounts: () => {
     mockGetAccounts();
@@ -43,6 +50,17 @@ const mockSnapClient = {
   addDiscoveredAccounts: mockAddDiscoveredAccounts,
 };
 
+jest.mock('../../selectors/seedlessOnboardingController', () => ({
+  selectSeedlessOnboardingLoginFlow: (state: unknown) =>
+    mockSelectSeedlessOnboardingLoginFlow(state),
+}));
+
+jest.mock('../../util/trace', () => ({
+  ...jest.requireActual('../../util/trace'),
+  trace: (options: unknown) => mockTrace(options),
+  endTrace: (options: unknown) => mockEndTrace(options),
+}));
+
 const createMockState = (hasVault: boolean) => ({
   engine: {
     backgroundState: {
@@ -81,7 +99,8 @@ jest.mock('../../core/Engine', () => ({
       getAccountByAddress: () => mockGetAccountByAddress(),
     },
     SeedlessOnboardingController: {
-      addNewSeedPhraseBackup: jest.fn().mockResolvedValue(undefined),
+      addNewSeedPhraseBackup: (seed: Uint8Array, keyringId: string) =>
+        mockAddNewSeedPhraseBackup(seed, keyringId),
     },
   },
   setSelectedAddress: (address: string) => mockSetSelectedAddress(address),
@@ -103,7 +122,11 @@ describe('MultiSRP Actions', () => {
   describe('importNewSecretRecoveryPhrase', () => {
     it('imports new SRP', async () => {
       mockGetKeyringsByType.mockResolvedValue([]);
-      mockAddNewKeyring.mockResolvedValue({ getAccounts: () => [testAddress] });
+      mockAddNewKeyring.mockResolvedValue({
+        getAccounts: () => [testAddress],
+        id: 'keyring-id-123',
+      });
+      mockSelectSeedlessOnboardingLoginFlow.mockReturnValue(false);
 
       await importNewSecretRecoveryPhrase(testMnemonic);
 
@@ -131,7 +154,74 @@ describe('MultiSRP Actions', () => {
       expect(mockAddNewKeyring).not.toHaveBeenCalled();
     });
 
+    describe('seedless onboarding login flow', () => {
+      beforeEach(() => {
+        mockGetKeyringsByType.mockResolvedValue([]);
+        mockAddNewKeyring.mockResolvedValue({
+          getAccounts: () => [testAddress],
+          id: 'keyring-id-123',
+        });
+        mockSelectSeedlessOnboardingLoginFlow.mockReturnValue(true);
+      });
+
+      it('successfully adds seed phrase backup when seedless onboarding is enabled', async () => {
+        mockAddNewSeedPhraseBackup.mockResolvedValue(undefined);
+
+        const result = await importNewSecretRecoveryPhrase(testMnemonic);
+
+        expect(mockSelectSeedlessOnboardingLoginFlow).toHaveBeenCalled();
+        expect(mockTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrp,
+          op: TraceOperation.OnboardingSecurityOp,
+        });
+        expect(mockAddNewSeedPhraseBackup).toHaveBeenCalledWith(
+          expect.any(Uint8Array),
+          'keyring-id-123',
+        );
+        expect(mockEndTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrp,
+          data: { success: true },
+        });
+        expect(mockSetSelectedAddress).toHaveBeenCalledWith(testAddress);
+        expect(result.address).toBe(testAddress);
+        expect(mockAddDiscoveredAccounts).toHaveBeenCalled();
+      });
+
+      it('handles error when seed phrase backup fails and traces error', async () => {
+        mockAddNewSeedPhraseBackup.mockRejectedValue(
+          new Error('Backup failed'),
+        );
+
+        await expect(
+          async () => await importNewSecretRecoveryPhrase(testMnemonic),
+        ).rejects.toThrow('Backup failed');
+
+        expect(mockSelectSeedlessOnboardingLoginFlow).toHaveBeenCalled();
+        expect(mockTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrp,
+          op: TraceOperation.OnboardingSecurityOp,
+        });
+        expect(mockAddNewSeedPhraseBackup).toHaveBeenCalledWith(
+          expect.any(Uint8Array),
+          'keyring-id-123',
+        );
+        expect(mockTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrpError,
+          op: TraceOperation.OnboardingError,
+          tags: { errorMessage: 'Backup failed' },
+        });
+        expect(mockEndTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrpError,
+        });
+        expect(mockEndTrace).toHaveBeenCalledWith({
+          name: TraceName.OnboardingAddSrp,
+          data: { success: false },
+        });
+      });
+    });
+
     it('calls addNewSeedPhraseBackup when seedless onboarding login flow is active', async () => {
+      mockAddNewSeedPhraseBackup.mockResolvedValue(undefined);
       mockGetKeyringsByType.mockResolvedValue([]);
       mockAddNewKeyring.mockResolvedValue({
         id: 'test-keyring-id',
@@ -144,9 +234,10 @@ describe('MultiSRP Actions', () => {
 
       await importNewSecretRecoveryPhrase(testMnemonic);
 
-      expect(
-        Engine.context.SeedlessOnboardingController.addNewSeedPhraseBackup,
-      ).toHaveBeenCalledWith(expect.any(Uint8Array), 'test-keyring-id');
+      expect(mockAddNewSeedPhraseBackup).toHaveBeenCalledWith(
+        expect.any(Uint8Array),
+        'test-keyring-id',
+      );
     });
   });
 

app/actions/multiSrp/index.test.ts

@@ -4,22 +4,30 @@ import ExtendedKeyringTypes from '../../constants/keyringTypes';
 import Engine from '../../core/Engine';
 import { KeyringSelector } from '@metamask/keyring-controller';
 import { InternalAccount } from '@metamask/keyring-internal-api';
-///: BEGIN:ONLY_INCLUDE_IF(solana)
+///: BEGIN:ONLY_INCLUDE_IF(keyring-snaps)
 import {
   MultichainWalletSnapFactory,
   WalletClientType,
 } from '../../core/SnapKeyring/MultichainWalletSnapClient';
 ///: END:ONLY_INCLUDE_IF
+import {
+  ///: BEGIN:ONLY_INCLUDE_IF(solana)
+  SolScope,
+  ///: END:ONLY_INCLUDE_IF
+  ///: BEGIN:ONLY_INCLUDE_IF(bitcoin)
+  BtcScope,
+  ///: END:ONLY_INCLUDE_IF
+} from '@metamask/keyring-api';
 import {
   endPerformanceTrace,
   startPerformanceTrace,
 } from '../../core/redux/slices/performance';
 import { PerformanceEventNames } from '../../core/redux/slices/performance/constants';
 import { store } from '../../store';
-import { endTrace, trace, TraceName, TraceOperation } from '../../util/trace';
 import { getTraceTags } from '../../util/sentry/tags';
 
 import ReduxService from '../../core/redux';
+import { TraceName, TraceOperation, trace, endTrace } from '../../util/trace';
 import { selectSeedlessOnboardingLoginFlow } from '../../selectors/seedlessOnboardingController';
 
 export async function importNewSecretRecoveryPhrase(mnemonic: string) {
@@ -77,26 +85,61 @@ export async function importNewSecretRecoveryPhrase(mnemonic: string) {
     // on Error, wallet should notify user that the newly added seed phrase is not synced properly
     // user can try manual sync again (phase 2)
     const seed = new Uint8Array(inputCodePoints.buffer);
+    let addSeedPhraseSuccess = false;
     try {
+      trace({
+        name: TraceName.OnboardingAddSrp,
+        op: TraceOperation.OnboardingSecurityOp,
+      });
       await SeedlessOnboardingController.addNewSeedPhraseBackup(
         seed,
         newKeyring.id,
       );
+      addSeedPhraseSuccess = true;
     } catch (error) {
+      const errorMessage =
+        error instanceof Error ? error.message : 'Unknown error';
       // Log the error but don't let it crash the import process
-      console.error('Failed to backup seed phrase:', error);
+      console.error('Failed to backup seed phrase:', errorMessage);
+
+      trace({
+        name: TraceName.OnboardingAddSrpError,
+        op: TraceOperation.OnboardingError,
+        tags: { errorMessage },
+      });
+      endTrace({
+        name: TraceName.OnboardingAddSrpError,
+      });
+
+      throw error;
+    } finally {
+      endTrace({
+        name: TraceName.OnboardingAddSrp,
+        data: { success: addSeedPhraseSuccess },
+      });
     }
   }
 
   let discoveredAccountsCount = 0;
 
+  ///: BEGIN:ONLY_INCLUDE_IF(bitcoin)
+  const bitcoinMultichainClient = MultichainWalletSnapFactory.createClient(
+    WalletClientType.Bitcoin,
+  );
+  discoveredAccountsCount +=
+    await bitcoinMultichainClient.addDiscoveredAccounts(
+      newKeyring.id,
+      BtcScope.Mainnet,
+    );
+  ///: END:ONLY_INCLUDE_IF
+
   ///: BEGIN:ONLY_INCLUDE_IF(solana)
-  const multichainClient = MultichainWalletSnapFactory.createClient(
+  const solanaMultichainClient = MultichainWalletSnapFactory.createClient(
     WalletClientType.Solana,
   );
-
-  discoveredAccountsCount = await multichainClient.addDiscoveredAccounts(
+  discoveredAccountsCount += await solanaMultichainClient.addDiscoveredAccounts(
     newKeyring.id,
+    SolScope.Mainnet,
   );
   ///: END:ONLY_INCLUDE_IF
 

app/actions/multiSrp/index.ts

@@ -0,0 +1,25 @@
+import { MultichainAddressRowProps } from './MultichainAddressRow.types';
+import { ProviderConfig } from '../../../../selectors/networkController';
+
+export const SAMPLE_MULTICHAIN_ADDRESS_ROW_PROPS: MultichainAddressRowProps = {
+  network: {
+    nickname: 'Ethereum Mainnet',
+    chainId: '0x1',
+    ticker: 'ETH',
+    type: 'mainnet',
+    rpcPrefs: {},
+  } as ProviderConfig,
+  address: '0x1234567890123456789012345678901234567890',
+};
+
+export const MULTICHAIN_ADDRESS_ROW_TEST_ID = 'multichain-address-row';
+export const MULTICHAIN_ADDRESS_ROW_NETWORK_ICON_TEST_ID =
+  'multichain-address-row-network-icon';
+export const MULTICHAIN_ADDRESS_ROW_NETWORK_NAME_TEST_ID =
+  'multichain-address-row-network-name';
+export const MULTICHAIN_ADDRESS_ROW_ADDRESS_TEST_ID =
+  'multichain-address-row-address';
+export const MULTICHAIN_ADDRESS_ROW_COPY_BUTTON_TEST_ID =
+  'multichain-address-row-copy-button';
+export const MULTICHAIN_ADDRESS_ROW_QR_BUTTON_TEST_ID =
+  'multichain-address-row-qr-button';