Static Frames Validation Security Fix

packages/frames-client/package.json

@@ -70,7 +70,7 @@
     "@open-frames/types": "^0.1.1",
     "@rollup/plugin-terser": "^0.4.4",
     "@rollup/plugin-typescript": "^12.1.1",
-    "@xmtp/node-sdk": "^0.0.27",
+    "@xmtp/node-sdk": "^0.0.29",
     "@xmtp/xmtp-js": "^12.0.0",
     "ethers": "^6.13.1",
     "fast-glob": "^3.3.2",

packages/frames-validator/package.json

@@ -40,7 +40,7 @@
   "dependencies": {
     "@noble/curves": "^1.3.0",
     "@noble/hashes": "^1.4.0",
-    "@xmtp/node-sdk": "^0.0.27",
+    "@xmtp/node-sdk": "^0.0.29",
     "@xmtp/proto": "^3.72.3",
     "uint8array-extras": "^1.4.0",
     "viem": "^2.16.5"

packages/frames-validator/src/validation.ts

@@ -1,6 +1,8 @@
+import { getRandomValues, randomBytes } from "crypto";
 import { sha256 } from "@noble/hashes/sha256";
-import { Client, getInboxIdForAddress, type XmtpEnv } from "@xmtp/node-sdk";
+import { Client, type XmtpEnv } from "@xmtp/node-sdk";
 import { fetcher, frames, type publicKey, type signature } from "@xmtp/proto";
+import { getBytes, LangEn, Mnemonic, Wallet } from "ethers";
 import { uint8ArrayToHex } from "uint8array-extras";
 import type {
   UntrustedData,
@@ -28,7 +30,7 @@
     actionBodyBytes,
     signature,
     signedPublicKeyBundle,
-    installationId, // not necessary
+    installationId,
     installationSignature,
     inboxId,
   } = deserializeProtoMessage(messageBytes);
@@ -48,9 +50,23 @@
     }
   } else {
     // make sure inbox IDs match
-    const addressInboxId = await getInboxIdForAddress(walletAddress, env);
-    if (inboxId !== addressInboxId) {
-      throw new Error("Invalid inbox ID");
+    const authorized = await Client.isInstallationAuthorized(
+      { env },
+      inboxId,
+      installationId,
+    );
+    if (!authorized) {
+      throw new Error("Installation not a member of association state");
+    }
+
+    const isMember = await Client.isAddressAuthorized(
+      { env },
+      inboxId,
+      walletAddress,
+    );
+
+    if (!isMember) {
+      throw new Error("Unable to associate wallet address with inbox");
     }
 
     const digest = sha256(actionBodyBytes);

sdks/node-sdk/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@xmtp/node-sdk",
-  "version": "0.0.28",
+  "version": "0.0.29",
   "description": "XMTP Node client SDK for interacting with XMTP networks",
   "keywords": [
     "xmtp",
@@ -53,7 +53,7 @@
     "@xmtp/content-type-group-updated": "^1.0.1",
     "@xmtp/content-type-primitives": "^1.0.3",
     "@xmtp/content-type-text": "^1.0.1",
-    "@xmtp/node-bindings": "^0.0.25",
+    "@xmtp/node-bindings": "^0.0.26",
     "@xmtp/proto": "^3.72.3"
   },
   "devDependencies": {

sdks/node-sdk/src/Client.ts

@@ -15,6 +15,8 @@ import {
   generateInboxId,
   getInboxIdForAddress,
   GroupMessageKind,
+  isAddressAuthorized as isAddressAuthorizedBinding,
+  isInstallationAuthorized as isInstallationAuthorizedBinding,
   LogLevel,
   SignatureRequestType,
   verifySignedWithPublicKey as verifySignedWithPublicKeyBinding,
@@ -172,20 +174,6 @@ export class Client {
     return this.#innerClient.isRegistered();
   }
 
-  async isAddressAuthorized(
-    inboxId: string,
-    address: string,
-  ): Promise<boolean> {
-    return this.#innerClient.isAddressAuthorized(inboxId, address);
-  }
-
-  async isInstallationAuthorized(
-    inboxId: string,
-    installationId: Uint8Array,
-  ): Promise<boolean> {
-    return this.#innerClient.isInstallationAuthorized(inboxId, installationId);
-  }
-
   async #createInboxSignatureText() {
     try {
       const signatureText = await this.#innerClient.createInboxSignatureText();
@@ -283,6 +271,20 @@ export class Client {
     await this.#applySignatures();
   }
 
+  async isAddressAuthorized(
+    inboxId: string,
+    address: string,
+  ): Promise<boolean> {
+    return this.#innerClient.isAddressAuthorized(inboxId, address);
+  }
+
+  async isInstallationAuthorized(
+    inboxId: string,
+    installationId: Uint8Array,
+  ): Promise<boolean> {
+    return this.#innerClient.isInstallationAuthorized(inboxId, installationId);
+  }
+
   async removeAccount(accountAddress: string) {
     const signatureText =
       await this.#removeAccountSignatureText(accountAddress);
@@ -452,4 +454,22 @@ export class Client {
       return false;
     }
   }
+
+  static async isAddressAuthorized(
+    networkOptions: NetworkOptions,
+    inboxId: string,
+    address: string,
+  ): Promise<boolean> {
+    const host = networkOptions.apiUrl || ApiUrls[networkOptions.env || "dev"];
+    return await isAddressAuthorizedBinding(host, inboxId, address);
+  }
+
+  static async isInstallationAuthorized(
+    networkOptions: NetworkOptions,
+    inboxId: string,
+    installation: Uint8Array,
+  ): Promise<boolean> {
+    const host = networkOptions.apiUrl || ApiUrls[networkOptions.env || "dev"];
+    return await isInstallationAuthorizedBinding(host, inboxId, installation);
+  }
 }

yarn.lock

@@ -5033,7 +5033,7 @@ __metadata:
     "@open-frames/types": "npm:^0.1.1"
     "@rollup/plugin-terser": "npm:^0.4.4"
     "@rollup/plugin-typescript": "npm:^12.1.1"
-    "@xmtp/node-sdk": "npm:^0.0.27"
+    "@xmtp/node-sdk": "npm:^0.0.29"
     "@xmtp/proto": "npm:^3.72.3"
     "@xmtp/xmtp-js": "npm:^12.0.0"
     ethers: "npm:^6.13.1"
@@ -5065,7 +5065,7 @@ __metadata:
     "@rollup/plugin-typescript": "npm:^12.1.1"
     "@types/bl": "npm:^5.1.4"
     "@xmtp/frames-client": "npm:^1.0.0"
-    "@xmtp/node-sdk": "npm:^0.0.27"
+    "@xmtp/node-sdk": "npm:^0.0.29"
     "@xmtp/proto": "npm:^3.72.3"
     "@xmtp/xmtp-js": "npm:^12.1.0"
     ethers: "npm:^6.10.0"
@@ -5079,34 +5079,14 @@ __metadata:
   languageName: unknown
   linkType: soft
 
-"@xmtp/node-bindings@npm:^0.0.22":
-  version: 0.0.22
-  resolution: "@xmtp/node-bindings@npm:0.0.22"
-  checksum: 10/e8668b2fd30041dff8671625c13d49245d421ac31c0669b9be5365b5f22bf3c28f4d0cc12015a2710b90136423828bcdb1a99a10b37d4d5ac51e3ac47228b960
+"@xmtp/node-bindings@npm:^0.0.26":
+  version: 0.0.26
+  resolution: "@xmtp/node-bindings@npm:0.0.26"
+  checksum: 10/a5b97f6619f84aa8d9d27e695598a39769659039e6d1ee4637baae63ceefb796e9a1c05af1f681228c644ea701e64bdb590aec3dda2b59a768bae6734c2f9503
   languageName: node
   linkType: hard
 
-"@xmtp/node-bindings@npm:^0.0.25":
-  version: 0.0.25
-  resolution: "@xmtp/node-bindings@npm:0.0.25"
-  checksum: 10/336f9b2a4a8b2781f6c53a7dd444428893f5e04a927350c82fcb79e37e0cc69abcb86406ffedeaa28115f1b57801890309546a10c9e806e3ed81b18b9d8f1431
-  languageName: node
-  linkType: hard
-
-"@xmtp/node-sdk@npm:^0.0.27":
-  version: 0.0.27
-  resolution: "@xmtp/node-sdk@npm:0.0.27"
-  dependencies:
-    "@xmtp/content-type-group-updated": "npm:^1.0.1"
-    "@xmtp/content-type-primitives": "npm:^1.0.3"
-    "@xmtp/content-type-text": "npm:^1.0.1"
-    "@xmtp/node-bindings": "npm:^0.0.22"
-    "@xmtp/proto": "npm:^3.72.3"
-  checksum: 10/9937c77d4bd3f3ed8df2f9938e940e2c21a7c8e8f06506d227bb97939f8294e0ae6ec6bc1498f528274257d61f9142e38639aa123c3ddf086a98d9cd041c0161
-  languageName: node
-  linkType: hard
-
-"@xmtp/node-sdk@workspace:sdks/node-sdk":
+"@xmtp/node-sdk@npm:^0.0.29, @xmtp/node-sdk@workspace:sdks/node-sdk":
   version: 0.0.0-use.local
   resolution: "@xmtp/node-sdk@workspace:sdks/node-sdk"
   dependencies:
@@ -5117,7 +5097,7 @@ __metadata:
     "@xmtp/content-type-group-updated": "npm:^1.0.1"
     "@xmtp/content-type-primitives": "npm:^1.0.3"
     "@xmtp/content-type-text": "npm:^1.0.1"
-    "@xmtp/node-bindings": "npm:^0.0.25"
+    "@xmtp/node-bindings": "npm:^0.0.26"
     "@xmtp/proto": "npm:^3.72.3"
     "@xmtp/xmtp-js": "workspace:^"
     fast-glob: "npm:^3.3.2"