fix: guard against undefined RPC provider in Safe signature validation#223
fix: guard against undefined RPC provider in Safe signature validation#223aly-obol wants to merge 2 commits into
Conversation
|
Warning Review limit reached
More reviews will be available in 4 minutes and 59 seconds. Learn how PR review limits work. Your organization has run out of usage credits. Purchase more in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the We recommend that you space out your commits to avoid hitting the rate limit. 🚦 How do rate limits work?CodeRabbit enforces hourly rate limits for each developer per organization. Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|



Summary
validateSmartContractSignaturenow rejects the"undefined"string (produced byPROVIDER_MAPtemplate literals when RPC env vars are unset) before passing it toSafe.init(), matching the existing guard ingetProvider()."undefined".Context
Reported via bug bounty (OBL-08, Low severity). When
RPC_MAINNET/RPC_HOODIetc. are not set,PROVIDER_MAP[chainId]evaluates to the string"undefined"rather thanundefined.getProvider()already checks for this;validateSmartContractSignaturedid not.Test plan
npm run buildpassesnpm testpassesRPC_MAINNET, callvalidateSmartContractSignaturewithchainId=1and nosafeRpcUrl— should throw"No RPC provider configured for chain 1"instead of passing"undefined"to Safe SDK