fix: validate challenge to sign (#127)

validate challenge to sign
decentraland · Oct 14, 2024 · 6e2b0cb · 6e2b0cb
1 parent 0d9e648
commit 6e2b0cb
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/crates/comms/src/archipelago.rs b/crates/comms/src/archipelago.rs
@@ -284,6 +284,11 @@ async fn archipelago_handler_inner(
                 // send challenge response
                 debug!("<< challenge received; {challenge_to_sign}");
 
+                if !challenge_to_sign.starts_with("dcl-") {
+                    error!("invalid challenge to sign");
+                    return Err(anyhow!("invalid challenge to sign"));
+                }
+
                 // sign challenge
                 let chain = wallet.sign_message(challenge_to_sign).await?;
                 let auth_chain_json = serde_json::to_string(&chain)?;

diff --git a/crates/comms/src/websocket_room.rs b/crates/comms/src/websocket_room.rs
@@ -239,6 +239,11 @@ async fn websocket_room_handler_inner(
                 // send challenge response
                 debug!("<< challenge received; {challenge_to_sign}");
 
+                if !challenge_to_sign.starts_with("dcl-") {
+                    error!("invalid challenge to sign");
+                    return Err(anyhow!("invalid challenge to sign"));
+                }
+
                 // sign challenge
                 let chain = wallet.sign_message(challenge_to_sign).await?;
                 let auth_chain_json = serde_json::to_string(&chain)?;