Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7229179. Configure here.
| }; | ||
|
|
||
| this.#urlScanCache.set(hostname, result); | ||
| this.#urlScanCache.set(scanUrlParam, result); |
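Review bot: The cache write on the changed line now keys by scanUrlParam instead of hostname, but the matching cache read is not among the visible lines; confirm it looks up the same scanUrlParam, otherwise path-based scans never hit the cache. Because keys now include the path, one gateway host can produce many entries, so it is also worth confirming that #urlScanCache is bounded in size or lifetime.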
Shared cache uses inconsistent keys across methods
Medium Severity
scanUrl now reads/writes #urlScanCache using scanUrlParam (e.g. ipfs.io/ipfs/QmAAA) as the key, but bulkScanUrls still reads/writes the same shared #urlScanCache using plain hostname (e.g. ipfs.io). Before this change both methods used hostname, so the cache was coherent. Now, for path-based gateway hosts, results cached by one method are invisible to the other, causing redundant API calls and inconsistent cache-hit behavior depending on which method was called first.
Known limitation with this PR but should have minimal impact since bulk scans are only used by the NftController, therefore the overlap in scans should be low.
We can address this in a follow-up PR.


Explanation
Why: Dapp scanning now supports path-level dapp scanning. Without this client-side change, the API never receives paths and the path-scanning capability goes unused.
References
Fixes: https://consensyssoftware.atlassian.net/jira/software/c/projects/PSAFE/boards/1950?selectedIssue=PSAFE-419
Extension PR: MetaMask/metamask-extension#42311
Screenshots
I've run MetaMask Extension locally with these changes. Paths are now included in the API request.

Checklist
Note
Medium Risk
Changes how scanUrl builds the phishing-detection API query and its cache key, which can alter detection/caching behavior for URL scans (especially on gateway hosts). Risk is limited to phishing URL scanning logic and is covered by new unit tests for gateway/path handling.
Overview
Adds path-aware single-URL phishing scans for known shared gateway domains by sending hostname + pathname (excluding query/fragment) to the PDS API and caching results per path, while keeping hostname-only behavior for all other hosts.
Introduces PHISHING_DETECTION_PATH_BASED_ROOT_DOMAINS, isPhishingDetectionPathBasedHostname, and getPhishingDetectionScanUrlParam (exported from index.ts), updates scanUrl docs/behavior accordingly, and extends tests to validate gateway path requests and caching behavior.
Reviewed by Cursor Bugbot for commit d028d0d. Bugbot is set up for automated code reviews on this repo. Configure here.
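The key derivation described in the overview, together with the shared-cache point raised in review, as an added sketch that is not code from this PR or from MetaMask. The root-domain list, the helper names (isPathBasedHostname, scanKeyFor, ScanCache), the trailing-slash normalization and the placeholder verdict are assumptions made for the illustration.

```javascript
// Added illustration; not the MetaMask implementation.
// Constructed sample list: the real set of gateway root domains is not shown on this page.
const PATH_BASED_ROOT_DOMAINS = ['ipfs.io'];

// True when hostname is a listed root domain or a subdomain of one.
// The leading dot in the suffix check keeps "notipfs.io" from matching "ipfs.io".
function isPathBasedHostname(hostname) {
  const host = hostname.toLowerCase();
  return PATH_BASED_ROOT_DOMAINS.some(
    (root) => host === root || host.endsWith(`.${root}`),
  );
}

// hostname + pathname for gateway hosts (query and fragment dropped),
// hostname only for every other host.
function scanKeyFor(rawUrl) {
  const { hostname, pathname } = new URL(rawUrl);
  if (!isPathBasedHostname(hostname)) {
    return hostname;
  }
  // Assumption: strip trailing slashes so "/ipfs/QmAAA" and "/ipfs/QmAAA/"
  // do not become two cache entries for the same content.
  return `${hostname}${pathname.replace(/\/+$/u, '')}`;
}

// Single and bulk scans derive their key through scanKeyFor, so a result
// cached by one method is visible to the other.
class ScanCache {
  #entries = new Map();

  apiCalls = 0; // counts simulated remote scan requests

  #lookup(key) {
    if (!this.#entries.has(key)) {
      this.apiCalls += 1; // stands in for the request to the scanning API
      this.#entries.set(key, { key, verdict: 'placeholder' });
    }
    return this.#entries.get(key);
  }

  scanUrl(rawUrl) {
    return this.#lookup(scanKeyFor(rawUrl));
  }

  bulkScanUrls(rawUrls) {
    return rawUrls.map((rawUrl) => this.scanUrl(rawUrl));
  }
}
```
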