From 6e2b0cb2cdd8f6cd2da455db7202527c2b98855b Mon Sep 17 00:00:00 2001 From: Lean Mendoza Date: Mon, 14 Oct 2024 13:12:33 -0300 Subject: [PATCH] fix: validate challenge to sign (#127) validate challenge to sign --- crates/comms/src/archipelago.rs | 5 +++++ crates/comms/src/websocket_room.rs | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/crates/comms/src/archipelago.rs b/crates/comms/src/archipelago.rs index e2781cd4..09144f1b 100644 --- a/crates/comms/src/archipelago.rs +++ b/crates/comms/src/archipelago.rs @@ -284,6 +284,11 @@ async fn archipelago_handler_inner( // send challenge response debug!("<< challenge received; {challenge_to_sign}"); + if !challenge_to_sign.starts_with("dcl-") { + error!("invalid challenge to sign"); + return Err(anyhow!("invalid challenge to sign")); + } + // sign challenge let chain = wallet.sign_message(challenge_to_sign).await?; let auth_chain_json = serde_json::to_string(&chain)?; diff --git a/crates/comms/src/websocket_room.rs b/crates/comms/src/websocket_room.rs index 81c1d492..3d745db7 100644 --- a/crates/comms/src/websocket_room.rs +++ b/crates/comms/src/websocket_room.rs @@ -239,6 +239,11 @@ async fn websocket_room_handler_inner( // send challenge response debug!("<< challenge received; {challenge_to_sign}"); + if !challenge_to_sign.starts_with("dcl-") { + error!("invalid challenge to sign"); + return Err(anyhow!("invalid challenge to sign")); + } + // sign challenge let chain = wallet.sign_message(challenge_to_sign).await?; let auth_chain_json = serde_json::to_string(&chain)?;
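Review bot: The new guard in `archipelago_handler_inner`, and the identical one in `websocket_room_handler_inner`, checks only the first four bytes of `challenge_to_sign`, so everything after `dcl-` is still chosen by whoever sent the challenge (presumably the remote server) and goes unchanged into `wallet.sign_message`. If the challenge has a fixed shape, which these hunks do not show, the check should also bound its length and character set, so that a valid prefix cannot front arbitrary text for the wallet to sign. The literal and the check are duplicated in both files; a shared `const CHALLENGE_PREFIX: &str = "dcl-";` and a single `validate_challenge(challenge: &str) -> anyhow::Result<()>` helper would keep the two handlers from drifting apart. That helper is also the place for a short comment saying the prefix is what stops the wallet from signing non-challenge messages on request. Both function bodies start and end outside their hunks, so any earlier validation of the challenge is not visible here.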