diff options
Diffstat (limited to 'app')
| -rw-r--r-- | app/phishing.html | 10 | ||||
| -rw-r--r-- | app/scripts/contentscript.js | 6 | ||||
| -rw-r--r-- | app/scripts/controllers/blacklist.js | 22 | ||||
| -rw-r--r-- | app/scripts/metamask-controller.js | 11 | ||||
| -rw-r--r-- | app/scripts/phishing-detect.js | 56 |
5 files changed, 101 insertions, 4 deletions
diff --git a/app/phishing.html b/app/phishing.html index eabb363b3..309021dc2 100644 --- a/app/phishing.html +++ b/app/phishing.html @@ -3,7 +3,7 @@ <html> <head> - <title>Dangerous Website Warning</title> + <title>Ethereum Phishing Detection - MetMask</title> <style> body { @@ -24,6 +24,8 @@ a { color: white; + cursor: pointer; + text-decoration: underline; } </style> @@ -57,7 +59,11 @@ <p>This is because the site tested positive on the <a href="https://github.com/metamask/eth-phishing-detect">Ethereum Phishing Detector</a>. This includes outright malicious websites and legitimate websites that have been compromised by a malicious actor.</p> <p id="esdbLink"></p> <p>You can turn MetaMask off to interact with this site, but it is advised not to.</p> - <p>If you think this domain is incorrectly flagged or if a blocked legitimate website has resolved its security issues, <a href="https://github.com/metamask/eth-phishing-detect/issues/new">please file an issue</a>.</p> + <p> + If you think this domain is incorrectly flagged or if a blocked legitimate website has resolved its security issues, + <a href="https://github.com/metamask/eth-phishing-detect/issues/new">please file an issue</a>. If you believe this website + is safe and understand the risks involved, you can <a id="unsafe-continue">visit this unsafe website at your own risk</a>. + </p> </div> </body> diff --git a/app/scripts/contentscript.js b/app/scripts/contentscript.js index 2cbfb811e..d870741d6 100644 --- a/app/scripts/contentscript.js +++ b/app/scripts/contentscript.js @@ -1,6 +1,7 @@ const fs = require('fs') const path = require('path') const pump = require('pump') +const querystring = require('querystring') const LocalMessageDuplexStream = require('post-message-stream') const PongStream = require('ping-pong-stream/pong') const ObjectMultiplex = require('obj-multiplex') @@ -199,5 +200,8 @@ function blacklistedDomainCheck () { function redirectToPhishingWarning () { console.log('MetaMask - routing to Phishing Warning component') const extensionURL = extension.runtime.getURL('phishing.html') - window.location.href = extensionURL + '#' + window.location.hostname + window.location.href = `${extensionURL}#${querystring.stringify({ + hostname: window.location.hostname, + href: window.location.href, + })}` } diff --git a/app/scripts/controllers/blacklist.js b/app/scripts/controllers/blacklist.js index 1d2191433..89c7cc888 100644 --- a/app/scripts/controllers/blacklist.js +++ b/app/scripts/controllers/blacklist.js @@ -29,6 +29,7 @@ class BlacklistController { constructor (opts = {}) { const initState = extend({ phishing: PHISHING_DETECTION_CONFIG, + whitelist: [], }, opts.initState) this.store = new ObservableStore(initState) // phishing detector @@ -39,6 +40,21 @@ class BlacklistController { } /** + * Adds the given hostname to the runtime whitelist + * @param {string} hostname the hostname to whitelist + */ + whitelistDomain (hostname) { + if (!hostname) { + return + } + + const { whitelist } = this.store.getState() + this.store.updateState({ + whitelist: [...new Set([hostname, ...whitelist])], + }) + } + + /** * Given a url, returns the result of checking if that url is in the store.phishing blacklist * * @param {string} hostname The hostname portion of a url; the one that will be checked against the white and @@ -48,6 +64,12 @@ class BlacklistController { */ checkForPhishing (hostname) { if (!hostname) return false + + const { whitelist } = this.store.getState() + if (whitelist.some((e) => e === hostname)) { + return false + } + const { result } = this._phishingDetector.check(hostname) return result } diff --git a/app/scripts/metamask-controller.js b/app/scripts/metamask-controller.js index 1f0527c7e..34ca80dd7 100644 --- a/app/scripts/metamask-controller.js +++ b/app/scripts/metamask-controller.js @@ -387,6 +387,9 @@ module.exports = class MetamaskController extends EventEmitter { setAccountLabel: nodeify(preferencesController.setAccountLabel, preferencesController), setFeatureFlag: nodeify(preferencesController.setFeatureFlag, preferencesController), + // BlacklistController + whitelistPhishingDomain: this.whitelistPhishingDomain.bind(this), + // AddressController setAddressBook: nodeify(addressBookController.setAddressBook, addressBookController), @@ -1541,4 +1544,12 @@ module.exports = class MetamaskController extends EventEmitter { } } } + + /** + * Adds a domain to the {@link BlacklistController} whitelist + * @param {string} hostname the domain to whitelist + */ + whitelistPhishingDomain (hostname) { + return this.blacklistController.whitelistDomain(hostname) + } } diff --git a/app/scripts/phishing-detect.js b/app/scripts/phishing-detect.js index 4168b6618..6baf868c0 100644 --- a/app/scripts/phishing-detect.js +++ b/app/scripts/phishing-detect.js @@ -1,5 +1,59 @@ window.onload = function() { if (window.location.pathname === '/phishing.html') { - document.getElementById('esdbLink').innerHTML = '<b>To read more about this scam, navigate to: <a href="https://etherscamdb.info/domain/' + window.location.hash.substring(1) + '"> https://etherscamdb.info/domain/' + window.location.hash.substring(1) + '</a></b>' + const {hostname} = parseHash() + document.getElementById('esdbLink').innerHTML = '<b>To read more about this scam, navigate to: <a href="https://etherscamdb.info/domain/' + hostname + '"> https://etherscamdb.info/domain/' + hostname + '</a></b>' } } + +const querystring = require('querystring') +const dnode = require('dnode') +const { EventEmitter } = require('events') +const PortStream = require('extension-port-stream') +const extension = require('extensionizer') +const setupMultiplex = require('./lib/stream-utils.js').setupMultiplex +const { getEnvironmentType } = require('./lib/util') +const ExtensionPlatform = require('./platforms/extension') + +document.addEventListener('DOMContentLoaded', start) + +function start () { + const windowType = getEnvironmentType(window.location.href) + + global.platform = new ExtensionPlatform() + global.METAMASK_UI_TYPE = windowType + + const extensionPort = extension.runtime.connect({ name: windowType }) + const connectionStream = new PortStream(extensionPort) + const mx = setupMultiplex(connectionStream) + setupControllerConnection(mx.createStream('controller'), (err, metaMaskController) => { + if (err) { + return + } + + const suspect = parseHash() + const unsafeContinue = () => { + window.location.href = suspect.href + } + const continueLink = document.getElementById('unsafe-continue') + continueLink.addEventListener('click', () => { + metaMaskController.whitelistPhishingDomain(suspect.hostname) + unsafeContinue() + }) + }) +} + +function setupControllerConnection (connectionStream, cb) { + const eventEmitter = new EventEmitter() + const accountManagerDnode = dnode({ + sendUpdate (state) { + eventEmitter.emit('update', state) + }, + }) + connectionStream.pipe(accountManagerDnode).pipe(connectionStream) + accountManagerDnode.once('remote', (accountManager) => cb(null, accountManager)) +} + +function parseHash () { + const hash = window.location.hash.substring(1) + return querystring.parse(hash) +} |