
feat: restrict safe pass safe app access for ofac blocked addresses #4066

Merged 8 commits into dev from feat/safe-pass-ofac-check on Oct 14, 2024

Conversation

@schmanu (Member) commented Aug 13, 2024

What this PR changes

  • Reuses ofac detection for Safe{Pass} Safe app
  • Reject WalletConnect request from Safe{Pass} for sanctioned addresses.

How to test it

  • Impersonate a blocked address
    • Try to open the Safe{Pass} app (community.safe.global)
    • Try to connect via WalletConnect to community.safe.global

Screenshots

[Screenshot attached, 2024-08-13 17:57]

Open Task

Checklist

  • I've tested the branch on mobile 📱
  • I've documented how it affects the analytics (if at all) 📊
  • I've written a unit/e2e test for it (if applicable) 🧑‍💻

github-actions bot commented Aug 13, 2024

ESLint Summary (View Full Report)

Annotations are provided inline on the Files Changed tab. You can also see all annotations that were generated on the annotations page.

Type      Occurrences  Fixable
Errors    0            0
Warnings  0            0
Ignored   0            N/A
  • Result: ✅ success
  • Annotations: 0 total

Report generated by eslint-plus-action

github-actions bot commented Aug 13, 2024

📦 Next.js Bundle Analysis for safe-wallet-web

This analysis was generated by the Next.js Bundle Analysis action. 🤖

⚠️ Global Bundle Size Increased

Page    Size (compressed)
global  961.24 KB (🟡 +12 B)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

Five Pages Changed Size

The following pages changed size from the code in this PR compared to its base branch:

Page         Size (compressed)       First Load
/apps/open   55.18 KB (🟡 +1.99 KB)  1016.42 KB
/balances    30.94 KB (🟡 +5 B)      992.18 KB
/home        58.24 KB (🟡 +41 B)     1019.48 KB
/stake       597 B (🟢 -5 B)         961.82 KB
/swap        733 B (🟡 +1 B)         961.96 KB
Details

Only the gzipped size is provided here based on an expert tip.

First Load is the size of the global bundle plus the bundle for the individual page. If a user were to show up to your website and land on a given page, the first load size represents the amount of javascript that user would need to download. If next/link is used, subsequent page loads would only need to download that page's bundle (the number in the "Size" column), since the global bundle has already been downloaded.

Next to the size is how much the size has increased or decreased compared with the base branch of this PR. If this percentage has increased by 20% or more, there will be a red status indicator applied, indicating that special attention should be given to this.

github-actions bot commented Aug 13, 2024

Coverage report

Category       Percentage          Covered / Total
🟡 Statements  74.52% (+0.05% 🔼)  12940/17365
🔴 Branches    52.84% (+0.01% 🔼)  3118/5901
🔴 Functions   58.73% (+0.05% 🔼)  1904/3242
🟡 Lines       76.23% (+0.05% 🔼)  11756/15421

New covered files 🐣

File                              Statements  Branches  Functions  Lines
🟢 ... / useSanctionedAddress.ts  100%        100%      100%       100%
🔴 ... / index.tsx                46.67%      0%        0%         53.85%
🟢 ... / index.tsx                62.5%       0%        0%         83.33%

Files with reduced coverage 🔻

File                Statements          Branches            Functions  Lines
🟡 ... / index.tsx  76.25% (+2.28% 🔼)  55.26% (-5.34% 🔻)  40%        76.32% (+2.4% 🔼)

Test suite run success

1508 tests passing in 205 suites.

Report generated by 🧪jest coverage report action from de491bf

Comment on lines +14 to +19
if (isSafeSanctioned) {
return safeAddress
}
if (isWalletSanctioned) {
return wallet?.address
}
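Review bot: the truthy checks `if (isSafeSanctioned)` and `if (isWalletSanctioned)` on lines +14 to +19 treat any truthy flag as a confirmed sanction, and the thread below states that the ofacApi query's failure path returns `{ error: { status: 'CUSTOM_ERROR', data: (error as Error).message } }`; if either flag is derived from the query's `data` rather than from a strict `data === true`, a string error payload on a failed network request would mark the Safe or the connected wallet as sanctioned. Compare strictly against `true`, and make the hook's behaviour for a still-loading or errored lookup explicit, since these lines do not distinguish "lookup failed" from "confirmed not sanctioned".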
Member:

data contains the error message in case the useGetIsSanctionedQuery throws, so I think it would falsely say that an address is sanctioned if the network request fails.

Member Author:

I think that is not true. The error seems to be transformed and returned in the error field of useGetIsSanctionedQuery

Member:

Should we then remove the data assignment on error inside the ofacApi query?

return { error: { status: 'CUSTOM_ERROR', data: (error as Error).message } }

github-actions bot commented Aug 15, 2024: ESLint Summary unchanged (0 errors, 0 warnings, ✅ success)

@schmanu schmanu requested a review from katspaugh August 19, 2024 13:57
Two review threads on src/components/safe-apps/AppFrame/index.tsx (outdated, resolved)
@@ -50,6 +50,10 @@ export const isBlockedBridge = (origin: string) => {
return BlockedBridges.some((bridge) => origin.includes(bridge))
}

export const isSafePassApp = (origin: string) => {
return origin.includes('community.safe.global')
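Review bot: `isSafePassApp` decides with `origin.includes('community.safe.global')`, a substring match over the whole origin string rather than a host comparison, so it also returns true for hosts such as community.safe.global.example or for any origin that merely contains that text. Because the result gates a sanctions check, over-matching only over-blocks, but the intent is an exact match on the Safe{Pass} app. Parse the origin and compare `new URL(origin).host` against the host of the `SAFE_PASS_URL` constant the reviewers ask for, which also removes the hard-coded literal and keeps this helper consistent with wherever that constant is already used.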
Member:

Can we, if not avoid hardcoding it, at least make it a constant?

Member:

Can we use the constant SAFE_PASS_URL here?
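As an added example (not code from safe-wallet-web or from this PR), the following TypeScript models the two checks discussed in this thread as pure functions: the sanctioned-address resolution from the lines +14 to +19 snippet above, including the failed-lookup case raised in review, and the isSafePassApp origin check. A deliberately truthy variant is kept next to the strict one to show the false positive the reviewer described. The function names, the SAFE_PASS_URL value, the result shape and the sample addresses and responses are all assumptions constructed for this example.

```typescript
// Added example, not code from safe-wallet-web. Models the PR's checks as pure
// functions so the review concern (an error payload read as "sanctioned") can be
// exercised offline. All names and values below are assumptions.

// Result shape as described in the thread: the ofacApi query normally yields a
// boolean in `data`; on failure it yields
// { error: { status: 'CUSTOM_ERROR', data: <error message> } }.
type SanctionQueryResult = {
  data?: unknown
  error?: { status: string; data?: unknown }
  isLoading?: boolean
}

type SanctionInputs = {
  safeAddress: string
  walletAddress?: string
  safeResult: SanctionQueryResult
  walletResult: SanctionQueryResult
}

type SanctionStatus = 'sanctioned' | 'clear' | 'unknown'

// Three-valued status: a failed or still-loading lookup is "unknown", not "clear",
// so the caller can decide whether to fail open or closed.
function sanctionStatus(r: SanctionQueryResult): SanctionStatus {
  if (r.error !== undefined || r.isLoading) return 'unknown'
  if (r.data === true) return 'sanctioned'
  if (r.data === false) return 'clear'
  return 'unknown' // a string or undefined in `data` is not a verdict
}

// The pattern the reviewer worried about: any truthy `data` counts as sanctioned.
// Kept only to show the false positive; do not use.
function getSanctionedAddressTruthy(inputs: SanctionInputs): string | undefined {
  if (inputs.safeResult.data) return inputs.safeAddress
  if (inputs.walletResult.data) return inputs.walletAddress
  return undefined
}

// Hardened variant: only a confirmed `true` marks an address as sanctioned.
// The Safe is checked before the connected wallet, as in the PR snippet.
function getSanctionedAddress(inputs: SanctionInputs): string | undefined {
  if (sanctionStatus(inputs.safeResult) === 'sanctioned') return inputs.safeAddress
  if (inputs.walletAddress && sanctionStatus(inputs.walletResult) === 'sanctioned') {
    return inputs.walletAddress
  }
  return undefined
}

// Assumed constant; the reviewers ask for SAFE_PASS_URL and this value is illustrative.
const SAFE_PASS_URL = 'https://community.safe.global'

function parseOrigin(origin: string): URL | undefined {
  try {
    return new URL(origin)
  } catch {
    return undefined
  }
}

// Exact scheme+host comparison. origin.includes('community.safe.global') would also
// match hosts like community.safe.global.example or any URL containing that text.
function isSafePassOrigin(origin: string): boolean {
  const url = parseOrigin(origin)
  if (!url) return false
  const expected = new URL(SAFE_PASS_URL)
  return url.protocol === expected.protocol && url.host === expected.host
}

// Gate for a Safe app load or a WalletConnect session request from Safe{Pass}.
// `failClosed` decides what happens when the sanctions lookup could not complete.
function shouldBlockSafePassRequest(origin: string, inputs: SanctionInputs, failClosed = false): boolean {
  if (!isSafePassOrigin(origin)) return false
  if (getSanctionedAddress(inputs) !== undefined) return true
  const unresolved =
    sanctionStatus(inputs.safeResult) === 'unknown' ||
    (inputs.walletAddress !== undefined && sanctionStatus(inputs.walletResult) === 'unknown')
  return failClosed && unresolved
}

// Constructed sample data (not real addresses or API responses).
const SAMPLE_SAFE = '0x1111111111111111111111111111111111111111'
const SAMPLE_WALLET = '0x2222222222222222222222222222222222222222'

const walletSanctioned: SanctionInputs = {
  safeAddress: SAMPLE_SAFE,
  walletAddress: SAMPLE_WALLET,
  safeResult: { data: false },
  walletResult: { data: true },
}

// Network failure modelled the way the review comment describes it.
const lookupFailed: SanctionInputs = {
  safeAddress: SAMPLE_SAFE,
  walletAddress: SAMPLE_WALLET,
  safeResult: { error: { status: 'CUSTOM_ERROR', data: 'fetch failed' } },
  walletResult: { data: false },
}

// Variant where the error message ended up in `data`, the case the truthy check gets wrong.
const errorInData: SanctionInputs = { ...lookupFailed, safeResult: { data: 'fetch failed' } }

console.log(getSanctionedAddress(walletSanctioned)) // SAMPLE_WALLET
console.log(getSanctionedAddressTruthy(errorInData)) // SAMPLE_SAFE (false positive)
console.log(getSanctionedAddress(errorInData)) // undefined
console.log(shouldBlockSafePassRequest(SAFE_PASS_URL, lookupFailed, true)) // true (fail closed)
```

The three-valued status is the point of the example: it separates "the service said this address is not sanctioned" from "the service did not answer", and leaves the fail-open or fail-closed choice as an explicit parameter instead of an accident of how the query's error object happens to be shaped.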

@katspaugh (Member):

I think checking blocked addresses from within apps/open and WalletConnect is a bit excessive. It would be better if we just hide all links to this app, and inside the app itself check for blocked addresses (would have to port that hook there).

@schmanu (Member Author) commented Aug 19, 2024

> I think checking blocked addresses from within apps/open and WalletConnect is a bit excessive. It would be better if we just hide all links to this app, and inside the app itself check for blocked addresses (would have to port that hook there).

You cannot receive the connected wallet within the Safe app. We only get the safeAddress. That's why the check is within Safe{Wallet}.

@katspaugh (Member):

Geoblocking is now in place, so it would be good to hide the header widget if the app cannot be loaded.

github-actions bot: ESLint Summary unchanged (0 errors, 0 warnings, ✅ success)

@usame-algan (Member):

> Geoblocking is now in place, so it would be good to hide the header widget if the app cannot be loaded.

Should we do this in the scope of this PR? @schmanu

@schmanu (Member Author) commented Oct 14, 2024

> Geoblocking is now in place, so it would be good to hide the header widget if the app cannot be loaded.
>
> Should we do this in the scope of this PR? @schmanu

This was already done separately: #4148

@schmanu schmanu merged commit 731bfe1 into dev Oct 14, 2024
15 checks passed
@schmanu schmanu deleted the feat/safe-pass-ofac-check branch October 14, 2024 11:16
@github-actions github-actions bot locked and limited conversation to collaborators Oct 14, 2024