feat(transaction-controller): gate internal validations on explicit isInternal flag#8633
Open
matthewwalsh0 wants to merge 2 commits intomainfrom
Open
feat(transaction-controller): gate internal validations on explicit isInternal flag#8633matthewwalsh0 wants to merge 2 commits intomainfrom
isInternal flag#8633matthewwalsh0 wants to merge 2 commits intomainfrom
Conversation
matthewwalsh0
had a problem deploying
to
default-branch
GitHub Actions
Failure
matthewwalsh0
added a commit
that referenced
this pull request
Apr 29, 2026
Member
Author
|
@metamaskbot publish-preview |
Contributor
|
Preview builds have been published. Learn how to use preview builds in other projects. Expand for full list of packages and versions. |
…sInternal flag Replace implicit `origin === ORIGIN_METAMASK` trust checks in `addTransaction` and `addTransactionBatch` with an explicit, optional `isInternal` flag (defaulting to `false`). The flag is persisted on `TransactionMeta` and `TransactionBatchMeta` so downstream logic can read it without re-deriving trust from the origin string. BREAKING: Setting `origin` to `ORIGIN_METAMASK` (or omitting `origin`) no longer skips the external-request validations. Callers that need that behavior must now pass `isInternal: true` explicitly.
matthewwalsh0
force-pushed
the
feat/transaction-controller-is-internal
branch
from
702a30e to
e84d726
Compare
OGPoyraz
approved these changes
May 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explanation
The
TransactionControllercurrently distinguishes "internal" (MetaMask-initiated) requests from "external" (dapp-initiated) requests by checking whether the requestoriginmatchesORIGIN_METAMASK. Several validations inaddTransactionandaddTransactionBatchare skipped for internal requests:batchIdcheckuserFeeLevelselectionInferring trust from the origin string couples the controller's security posture to whatever logic the consuming client happens to use when populating that field. A bug, refactor, or oversight further up the stack that lets a non-internal request reach the controller with
origin: ORIGIN_METAMASKwould silently bypass these validations.This PR replaces that implicit check with an explicit, optional
isInternal: booleanflag on bothAddTransactionOptionsandTransactionBatchRequest. The flag defaults tofalse, so the controller treats all requests as external unless the caller opts in. The flag is persisted onTransactionMetaandTransactionBatchMetaso downstream logic (notablyuserFeeLevelselection ingas-fees.ts) reads it directly rather than re-deriving trust from the origin.The origin field is unchanged in shape and semantics — it still flows through to the
ApprovalControlleras the display origin and is still attached toTransactionMetafor analytics, history, and dapp-suggested-gas display. It is simply no longer used as a trust signal.BREAKING: validations are no longer gated on
originCallers that previously relied on
origin: ORIGIN_METAMASK(or an absent origin) to suppress these validations must now passisInternal: trueexplicitly. Without that flag the controller will:permittedAddressescheck on thefromaddressbatchIdsuserFeeLevelInternal MetaMask consumers (extension, mobile, and other core packages such as
transaction-pay-controller,bridge-status-controller,perps-controller, andeip-5792-middleware) need to audit their call sites and passisInternal: truefor every request that genuinely originates inside MetaMask.References
N/A
Changelog
Checklist
Note
Medium Risk
Breaking change that alters how transaction/batch requests are classified as trusted, affecting validation and gas-fee behavior; incorrect caller updates could cause new rejections or changed fee-level selection.
Overview
Adds an explicit optional
isInternalflag toaddTransaction/addTransactionBatchrequests and persists it onTransactionMeta/TransactionBatchMeta.BREAKING: internal-only bypasses previously inferred from
origin === ORIGIN_METAMASK(or missingorigin) are now gated byisInternal, impacting origin validation, duplicatebatchIdhandling, batch request validation (internal-account call-data + size limit), and dapp-suggested gas fee /userFeeLevelselection. Tests and related helpers are updated to useisInternalinstead ofORIGIN_METAMASKchecks.Reviewed by Cursor Bugbot for commit e84d726. Bugbot is set up for automated code reviews on this repo. Configure here.