feat: path-based scanning of urls #8662
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 7229179.
| }; | ||
|
|
||
| this.#urlScanCache.set(hostname, result); | ||
| this.#urlScanCache.set(scanUrlParam, result); |
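Review bot: At `this.#urlScanCache.set(scanUrlParam, result)`, the cache key can now include a path, so the number of entries for one host grows with the number of distinct paths scanned rather than staying at one per hostname. Confirm that the cache's existing eviction limits still hold with per-path entries, and that scanUrlParam is derived and normalized in one place for both the lookup and this write, so that equivalent URLs do not produce separate entries. The hunk does not show how scanUrlParam is built, so a short comment at the call site stating its format would help.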
Shared cache uses inconsistent keys across methods
Medium Severity
scanUrl now reads/writes #urlScanCache using scanUrlParam (e.g. ipfs.io/ipfs/QmAAA) as the key, but bulkScanUrls still reads/writes the same shared #urlScanCache using plain hostname (e.g. ipfs.io). Before this change both methods used hostname, so the cache was coherent. Now, for path-based gateway hosts, results cached by one method are invisible to the other, causing redundant API calls and inconsistent cache-hit behavior depending on which method was called first.
Known limitation with this PR, but it should have minimal impact since bulk scans are only used by the NftController; therefore the overlap in scans should be low.
We can address this in a follow-up PR.


Explanation
Why: Dapp scanning now supports path-level dapp scanning. Without this client-side change, the API never receives paths and the path-scanning capability goes unused.
References
Fixes: https://consensyssoftware.atlassian.net/jira/software/c/projects/PSAFE/boards/1950?selectedIssue=PSAFE-419
Extension PR: MetaMask/metamask-extension#42311
Screenshots
I've run MetaMask Extension locally with these changes. Paths are now included in the API request.

Checklist
Note
Medium Risk
Modifies scanUrl request/caching semantics to sometimes key on hostname+pathname, which can change phishing detection outcomes and cache behavior for gateway domains and could affect API load if misclassified.
Overview
Adds path-aware phishing URL scanning for shared gateway hosts.
PhishingController.scanUrl now sends hostname+pathname (instead of hostname-only) for a curated set of gateway root domains and subdomains, and caches results by this scan parameter.
Introduces new utilities/constants (PHISHING_DETECTION_PATH_BASED_ROOT_DOMAINS, isPhishingDetectionPathBasedHostname, getPhishingDetectionScanUrlParam), exports them from index.ts, and updates tests/changelog to cover the new request format and per-path caching behavior.
Reviewed by Cursor Bugbot for commit 74ef4dc. Bugbot is set up for automated code reviews on this repo.
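
The key derivation and the cache-coherence point discussed above, as an added sketch that is not the PR's or the project's own code. `PATH_BASED_ROOTS`, `scanKeyFor`, `ScanCache` and `fetchVerdict` are hypothetical names, the gateway list is constructed, and the trailing-slash normalization and the bulk method reusing the same key are assumptions.

```typescript
// Constructed stand-in for PHISHING_DETECTION_PATH_BASED_ROOT_DOMAINS,
// whose real contents are not shown on this page.
const PATH_BASED_ROOTS: string[] = ['ipfs.io', 'gateway.example'];

// True for a listed root or any subdomain of it. The leading dot in the
// suffix check stops lookalikes such as notipfs.io from matching ipfs.io.
function isPathBasedHost(host: string): boolean {
  return PATH_BASED_ROOTS.some((root) => host === root || host.endsWith('.' + root));
}

// One string serves as both API parameter and cache key. Query and fragment
// are dropped (URL.pathname excludes them); stripping trailing slashes is an
// assumption made here so equivalent URLs share one entry.
function scanKeyFor(rawUrl: string): string {
  const { hostname, pathname } = new URL(rawUrl);
  const host = hostname.toLowerCase().replace(/\.$/, '');
  if (!isPathBasedHost(host)) return host;
  const path = pathname.replace(/\/+$/, '');
  return host + path;
}

type ScanResult = { key: string; verdict: string };

class ScanCache {
  apiCalls: string[] = []; // keys that missed the cache and reached the API
  cache = new Map<string, ScanResult>();
  fetchVerdict: (key: string) => string; // hypothetical stand-in for the scan API

  constructor(fetchVerdict: (key: string) => string) {
    this.fetchVerdict = fetchVerdict;
  }

  scanUrl(rawUrl: string): ScanResult {
    const key = scanKeyFor(rawUrl);
    const hit = this.cache.get(key);
    if (hit) return hit;
    this.apiCalls.push(key);
    const result = { key, verdict: this.fetchVerdict(key) };
    this.cache.set(key, result);
    return result;
  }

  // Bulk path reuses the same derivation, so both methods see each other's entries.
  bulkScanUrls(rawUrls: string[]): ScanResult[] {
    return rawUrls.map((u) => this.scanUrl(u));
  }
}
```

Because a verdict is stored per path on gateway hosts, one blocked path does not taint its siblings, and a lookalike host never inherits path-based handling.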