@keplr-wallet/background 0.10.23 → 0.10.24

package/src/phishing-list/messages.spec.ts

@@ -0,0 +1,104 @@
+import { CheckURLIsPhishingMsg } from "./messages";
+
+describe("Test phishing list service messages", () => {
+  test("Test CheckURLIsPhishingMsg", () => {
+    const tests: {
+      url: string;
+      invalid?: boolean;
+    }[] = [
+      {
+        url: "",
+        invalid: true,
+      },
+      {
+        url: ".",
+        invalid: true,
+      },
+      {
+        url: "..",
+        invalid: true,
+      },
+      {
+        url: ".test.",
+        invalid: true,
+      },
+      {
+        url: "..test",
+        invalid: true,
+      },
+      {
+        url: "test.com.",
+        invalid: true,
+      },
+      {
+        url: "test.com..",
+        invalid: true,
+      },
+      {
+        url: "asd.test.com.",
+        invalid: true,
+      },
+      {
+        url: "asd..test.com.",
+        invalid: true,
+      },
+      {
+        url: "http://",
+        invalid: true,
+      },
+      {
+        url: "https://.",
+        invalid: true,
+      },
+      {
+        url: "https://..",
+        invalid: true,
+      },
+      {
+        url: "https://.test.",
+        invalid: true,
+      },
+      {
+        url: "https://..test",
+        invalid: true,
+      },
+      {
+        url: "https://test.com.",
+      },
+      {
+        url: "https://test.com..",
+      },
+      {
+        url: "https://.test.com.",
+      },
+      {
+        url: "https://..test.com..",
+      },
+      {
+        url: "https://test..com",
+      },
+      {
+        url: "https://..test..com..",
+      },
+      {
+        url: "https://asd.test.com.",
+      },
+      {
+        url: "https://asd..test.com.",
+      },
+    ];
+
+    for (const test of tests) {
+      const msg = new CheckURLIsPhishingMsg();
+      // eslint-disable-next-line @typescript-eslint/ban-ts-comment
+      // @ts-ignore
+      msg.origin = test.url;
+
+      if ("invalid" in test) {
+        expect(() => msg.validateBasic()).toThrow();
+      } else {
+        expect(() => msg.validateBasic()).not.toThrow();
+      }
+    }
+  });
+});

package/src/phishing-list/messages.ts

@@ -0,0 +1,32 @@
+import { Message } from "@keplr-wallet/router";
+import { ROUTE } from "./constants";
+import { parseDomainUntilSecondLevel } from "./utils";
+
+export class CheckURLIsPhishingMsg extends Message<boolean> {
+  public static type() {
+    return "check-url-is-phishing";
+  }
+
+  constructor() {
+    super();
+  }
+
+  validateBasic(): void {
+    const url = new URL(this.origin);
+
+    // Will throw an error if url has not second level domain.
+    parseDomainUntilSecondLevel(url.origin);
+  }
+
+  approveExternal(): boolean {
+    return true;
+  }
+
+  route(): string {
+    return ROUTE;
+  }
+
+  type(): string {
+    return CheckURLIsPhishingMsg.type();
+  }
+}

package/src/phishing-list/service.spec.ts

@@ -0,0 +1,367 @@
+import { PhishingListService } from "./service";
+import Http from "http";
+
+const phishings = [
+  "keplr-vvallet-app.online",
+  "xn--kplr-vva.com",
+  "keplr-vvallet.tech",
+  "app-keplr-vvallet.online",
+  "keplr-vvallet-app.space",
+  "keplr-vvallet-app.host",
+  "app-keplr-vvallet.tech",
+  "app-keplr-vvallet.host",
+];
+
+const createMockServer = () => {
+  let queryCount = 0;
+
+  const server = Http.createServer((req, resp) => {
+    queryCount++;
+
+    // Most desired case
+    if (req.url === "/list1") {
+      resp.writeHead(200);
+      resp.end(phishings.join("\n"));
+      return;
+    }
+
+    // If some strange cases exist
+    if (req.url === "/list2") {
+      resp.writeHead(200);
+      let str = "";
+      for (let i = 0; i < phishings.length; i++) {
+        let phishing = phishings[i];
+
+        switch (i) {
+          case 0:
+            phishing = phishing + "\n";
+            break;
+          case 1:
+            // Windows line break
+            phishing = phishing + "\r\n";
+            break;
+          case 2:
+            phishing = phishing + ";";
+            break;
+          case 3:
+            phishing = phishing + ",";
+            break;
+          case 4:
+            phishing = phishing + "   ; ";
+            break;
+          case 5:
+            phishing = phishing + " ,  ";
+            break;
+          case 6:
+            phishing = "third-domain." + phishing;
+            break;
+          default:
+            phishing = `  ${phishing} `;
+        }
+
+        str += phishing;
+      }
+      resp.end(str);
+      return;
+    }
+
+    // Even if an invalid endpoint exists, only that endpoint should be ignored and proceeded.
+    // When second fetch, add other domain to test fetching interval.
+    if (req.url === "/list3") {
+      resp.writeHead(200);
+      let str = "";
+      for (let i = 0; i < phishings.length; i++) {
+        let phishing = phishings[i];
+
+        switch (i) {
+          case 0:
+            phishing = phishing + "\n";
+            break;
+          case 1:
+            phishing = phishing + ".\n";
+            break;
+          case 2:
+            phishing = "." + phishing + "\r\n";
+            break;
+          case 3:
+            phishing = "invalid;.." + phishing + "..;";
+            break;
+          case 4:
+            phishing = phishing + "/,";
+            break;
+          case 5:
+            phishing = phishing + "?test\n";
+            break;
+          case 6:
+            phishing = "third-domain." + phishing + "\n";
+            break;
+          default:
+            phishing = `  ${phishing} `;
+        }
+
+        str += phishing;
+      }
+      str += ";invalid";
+
+      if (queryCount === 2) {
+        str += ";added.domain";
+      }
+
+      resp.end(str);
+      return;
+    }
+
+    if (req.url === "/test-retry") {
+      if (queryCount % 3 === 0) {
+        resp.writeHead(400);
+        resp.end();
+        return;
+      }
+
+      resp.writeHead(200);
+      resp.end(phishings.slice(0, queryCount).join("\n"));
+      return;
+    }
+
+    throw new Error("invalid url");
+  });
+
+  server.listen();
+
+  const address = server.address();
+  if (!address || typeof address === "string") {
+    throw new Error("Failed to get address for server");
+  }
+  const port = address.port;
+
+  return {
+    port,
+    closeServer: () => {
+      server.close();
+    },
+    getQueryCount: () => {
+      return queryCount;
+    },
+  };
+};
+
+describe("Test phishing list service", () => {
+  let eachService: PhishingListService | undefined;
+  let port: number = -1;
+  let closeServer: (() => void) | undefined;
+  let getQueryCount: () => number;
+
+  beforeEach(() => {
+    const server = createMockServer();
+    port = server.port;
+    closeServer = server.closeServer;
+    getQueryCount = server.getQueryCount;
+  });
+
+  afterEach(() => {
+    if (eachService) {
+      eachService.stop();
+      eachService = undefined;
+    }
+
+    if (closeServer) {
+      closeServer();
+      closeServer = undefined;
+    }
+  });
+
+  const waitServiceInit = (service: PhishingListService) => {
+    return new Promise<void>((resolve) => {
+      if (service.hasInited) {
+        resolve();
+        return;
+      }
+
+      const intervalId = setInterval(() => {
+        if (service.hasInited) {
+          resolve();
+          clearInterval(intervalId);
+        }
+      }, 10);
+    });
+  };
+
+  const testCheckURLIsPhishing = (service: PhishingListService) => {
+    for (const phishing of phishings) {
+      expect(service.checkURLIsPhishing(`http://${phishing}`)).toBe(true);
+      expect(service.checkURLIsPhishing(`https://${phishing}`)).toBe(true);
+      expect(service.checkURLIsPhishing(`https://test.${phishing}`)).toBe(true);
+      expect(service.checkURLIsPhishing(`https://test.${phishing}.`)).toBe(
+        true
+      );
+      expect(service.checkURLIsPhishing(`https://test.${phishing}./`)).toBe(
+        true
+      );
+      expect(service.checkURLIsPhishing(`https://test.${phishing}..`)).toBe(
+        true
+      );
+      expect(service.checkURLIsPhishing(`https://test.${phishing}../`)).toBe(
+        true
+      );
+      expect(
+        service.checkURLIsPhishing(`https://test.${phishing}..?test`)
+      ).toBe(true);
+      expect(
+        service.checkURLIsPhishing(`https://test.${phishing}..?test=1`)
+      ).toBe(true);
+      expect(service.checkURLIsPhishing(`https://.test.test.${phishing}`)).toBe(
+        true
+      );
+      expect(
+        service.checkURLIsPhishing(`https://..test.test.${phishing}`)
+      ).toBe(true);
+      expect(
+        service.checkURLIsPhishing(`https://..test..test...${phishing}`)
+      ).toBe(true);
+    }
+  };
+
+  test("Test basic PhishingListService with valid cases", async () => {
+    const service = new PhishingListService({
+      blockListUrl: `http://127.0.0.1:${port}/list1`,
+      fetchingIntervalMs: 3600,
+      retryIntervalMs: 3600,
+    });
+    eachService = service;
+
+    service.init();
+
+    await waitServiceInit(service);
+
+    testCheckURLIsPhishing(service);
+  });
+
+  test("Test basic PhishingListService with strange separators", async () => {
+    const service = new PhishingListService({
+      blockListUrl: `http://127.0.0.1:${port}/list2`,
+      fetchingIntervalMs: 3600,
+      retryIntervalMs: 3600,
+    });
+    eachService = service;
+
+    service.init();
+
+    await waitServiceInit(service);
+
+    testCheckURLIsPhishing(service);
+  });
+
+  test("Test basic PhishingListService with strange cases", async () => {
+    const service = new PhishingListService({
+      blockListUrl: `http://127.0.0.1:${port}/list3`,
+      fetchingIntervalMs: 3600,
+      retryIntervalMs: 3600,
+    });
+    eachService = service;
+
+    service.init();
+
+    await waitServiceInit(service);
+
+    testCheckURLIsPhishing(service);
+  });
+
+  test("Test basic PhishingListService fetching interval", async () => {
+    const service = new PhishingListService({
+      blockListUrl: `http://127.0.0.1:${port}/list3`,
+      fetchingIntervalMs: 200,
+      retryIntervalMs: 3600,
+    });
+    eachService = service;
+
+    service.init();
+
+    await waitServiceInit(service);
+
+    testCheckURLIsPhishing(service);
+    expect(service.checkURLIsPhishing("https://added.domain")).toBe(false);
+
+    expect(getQueryCount()).toBe(1);
+
+    // Wait re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 210));
+
+    testCheckURLIsPhishing(service);
+    // See the implementation of /list3
+    expect(service.checkURLIsPhishing("https://added.domain")).toBe(true);
+
+    expect(getQueryCount()).toBe(2);
+
+    // Wait re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 210));
+
+    testCheckURLIsPhishing(service);
+    // See the implementation of /list3
+    expect(service.checkURLIsPhishing("https://added.domain")).toBe(false);
+
+    expect(getQueryCount()).toBe(3);
+  });
+
+  test("Test basic PhishingListService fetching interval with retry interval", async () => {
+    const service = new PhishingListService({
+      blockListUrl: `http://127.0.0.1:${port}/test-retry`,
+      fetchingIntervalMs: 200,
+      retryIntervalMs: 100,
+    });
+    eachService = service;
+
+    service.init();
+
+    const testPhishingUntil = (count: number) => {
+      const tests = phishings.slice(0, count);
+      for (const test of tests) {
+        expect(service.checkURLIsPhishing("https://" + test)).toBe(true);
+      }
+      if (phishings.length > count) {
+        const test = phishings[count];
+        expect(service.checkURLIsPhishing("https://" + test)).toBe(false);
+      }
+    };
+
+    await waitServiceInit(service);
+
+    testPhishingUntil(1);
+    expect(getQueryCount()).toBe(1);
+
+    // Wait re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 210));
+
+    // See the implementation of /test-retry
+    testPhishingUntil(2);
+    expect(getQueryCount()).toBe(2);
+
+    // Wait re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 210));
+
+    // See the implementation of /test-retry
+    // In this case, the fetching should be failed.
+    // So, there is no update on phishing list.
+    testPhishingUntil(2);
+    expect(getQueryCount()).toBe(3);
+
+    // Wait retry for failed query
+    await new Promise((resolve) => setTimeout(resolve, 110));
+
+    // See the implementation of /test-retry
+    testPhishingUntil(4);
+    expect(getQueryCount()).toBe(4);
+
+    // Not yet re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 110));
+
+    // See the implementation of /test-retry
+    testPhishingUntil(4);
+    expect(getQueryCount()).toBe(4);
+
+    // Now re-fetching
+    await new Promise((resolve) => setTimeout(resolve, 110));
+    // See the implementation of /test-retry
+    testPhishingUntil(5);
+    expect(getQueryCount()).toBe(5);
+  });
+});

package/src/phishing-list/service.ts

@@ -0,0 +1,88 @@
+import Axios from "axios";
+import { parseDomainUntilSecondLevel } from "./utils";
+
+export class PhishingListService {
+  protected map: Map<string, boolean> = new Map();
+
+  protected _hasInited: boolean = false;
+  protected _hasStopped: boolean = false;
+  protected timeoutId?: NodeJS.Timeout;
+
+  constructor(
+    public readonly opts: {
+      readonly blockListUrl: string;
+      readonly fetchingIntervalMs: number;
+      readonly retryIntervalMs: number;
+    }
+  ) {}
+
+  get hasInited(): boolean {
+    return this._hasInited;
+  }
+
+  init() {
+    this.startFetchPhishingList();
+  }
+
+  stop() {
+    if (this.timeoutId != null) {
+      clearTimeout(this.timeoutId);
+      this.timeoutId = undefined;
+    }
+    this._hasStopped = true;
+  }
+
+  async startFetchPhishingList() {
+    if (this.timeoutId != null) {
+      clearTimeout(this.timeoutId);
+      this.timeoutId = undefined;
+    }
+
+    if (this._hasStopped) {
+      return;
+    }
+
+    let failed = false;
+    try {
+      const res = await Axios.get<string>(this.opts.blockListUrl);
+
+      const domains = res.data
+        .split(/(\r?\n)|,|;|\s|\t/)
+        .filter((str) => str != null)
+        .map((str) => {
+          return str.trim();
+        })
+        .filter((str) => str.length > 0);
+
+      const map = new Map<string, boolean>();
+
+      for (const domain of domains) {
+        try {
+          map.set(parseDomainUntilSecondLevel(domain), true);
+        } catch (e) {
+          console.log(e);
+        }
+      }
+
+      this._hasInited = true;
+      this.map = map;
+    } catch (e) {
+      failed = true;
+      console.log(e);
+    }
+
+    if (!this._hasStopped) {
+      this.timeoutId = setTimeout(
+        () => {
+          this.startFetchPhishingList();
+        },
+        failed ? this.opts.retryIntervalMs : this.opts.fetchingIntervalMs
+      );
+    }
+  }
+
+  checkURLIsPhishing(url: string): boolean {
+    const parsed = new URL(url);
+    return this.map.get(parseDomainUntilSecondLevel(parsed.origin)) === true;
+  }
+}