Dargon789 patch 1

.github/ISSUE_TEMPLATE/bug-report.md

@@ -1,7 +1,10 @@
 ---
 name: Bug report
 about: Create an issue to fix a bug
-labels: ["bug"]
+title: ''
+labels: bug
+assignees: ''
+
 ---
 
 <!--

.github/ISSUE_TEMPLATE/custom.md

@@ -0,0 +1,10 @@
+---
+name: Custom issue template
+about: Describe this issue template's purpose here.
+title: ''
+labels: ''
+assignees: ''
+
+---
+
+

.github/ISSUE_TEMPLATE/feature-request.md

@@ -1,6 +1,10 @@
 ---
 name: Feature request
 about: Create a feature request for the Safe UI
+title: ''
+labels: ''
+assignees: ''
+
 ---
 
 <!--

.github/workflows/defender-for-devops.yml

@@ -0,0 +1,47 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+#
+# Microsoft Security DevOps (MSDO) is a command line application which integrates static analysis tools into the development cycle.
+# MSDO installs, configures and runs the latest versions of static analysis tools
+# (including, but not limited to, SDL/security and compliance tools).
+#
+# The Microsoft Security DevOps action is currently in beta and runs on the windows-latest queue,
+# as well as Windows self hosted agents. ubuntu-latest support coming soon.
+#
+# For more information about the action , check out https://github.com/microsoft/security-devops-action
+#
+# Please note this workflow do not integrate your GitHub Org with Microsoft Defender For DevOps. You have to create an integration
+# and provide permission before this can report data back to azure.
+# Read the official documentation here : https://learn.microsoft.com/en-us/azure/defender-for-cloud/quickstart-onboard-github
+
+name: "Microsoft Defender For Devops"
+
+on:
+  push:
+    branches: [ "dev" ]
+  pull_request:
+    branches: [ "dev" ]
+  schedule:
+    - cron: '38 12 * * 3'
+
+jobs:
+  MSDO:
+    # currently only windows latest is supported
+    runs-on: windows-latest
+
+    steps:
+    - uses: actions/checkout@v4
+    - uses: actions/setup-dotnet@v4
+      with:
+        dotnet-version: |
+          5.0.x
+          6.0.x
+    - name: Run Microsoft Security DevOps
+      uses: microsoft/[email protected]
+      id: msdo
+    - name: Upload results to Security tab
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: ${{ steps.msdo.outputs.sarifFile }}

.github/workflows/lint.yml

@@ -18,7 +18,7 @@ jobs:
 
       - uses: ./.github/workflows/yarn
 
-      - uses: CatChen/eslint-suggestion-action@v2
+      - uses: CatChen/eslint-suggestion-action@v4
         with:
           request-changes: true # optional
           fail-check: true # optional

.github/workflows/nextjs.yml

@@ -0,0 +1,93 @@
+# Sample workflow for building and deploying a Next.js site to GitHub Pages
+#
+# To get started with Next.js see: https://nextjs.org/docs/getting-started
+#
+name: Deploy Next.js site to Pages
+
+on:
+  # Runs on pushes targeting the default branch
+  push:
+    branches: ["dev"]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
+permissions:
+  contents: read
+  pages: write
+  id-token: write
+
+# Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
+# However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
+concurrency:
+  group: "pages"
+  cancel-in-progress: false
+
+jobs:
+  # Build job
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+      - name: Detect package manager
+        id: detect-package-manager
+        run: |
+          if [ -f "${{ github.workspace }}/yarn.lock" ]; then
+            echo "manager=yarn" >> $GITHUB_OUTPUT
+            echo "command=install" >> $GITHUB_OUTPUT
+            echo "runner=yarn" >> $GITHUB_OUTPUT
+            exit 0
+          elif [ -f "${{ github.workspace }}/package.json" ]; then
+            echo "manager=npm" >> $GITHUB_OUTPUT
+            echo "command=ci" >> $GITHUB_OUTPUT
+            echo "runner=npx --no-install" >> $GITHUB_OUTPUT
+            exit 0
+          else
+            echo "Unable to determine package manager"
+            exit 1
+          fi
+      - name: Setup Node
+        uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: ${{ steps.detect-package-manager.outputs.manager }}
+      - name: Setup Pages
+        uses: actions/configure-pages@v5
+        with:
+          # Automatically inject basePath in your Next.js configuration file and disable
+          # server side image optimization (https://nextjs.org/docs/api-reference/next/image#unoptimized).
+          #
+          # You may remove this line if you want to manage the configuration yourself.
+          static_site_generator: next
+      - name: Restore cache
+        uses: actions/cache@v4
+        with:
+          path: |
+            .next/cache
+          # Generate a new cache whenever packages or source files change.
+          key: ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-${{ hashFiles('**.[jt]s', '**.[jt]sx') }}
+          # If source files changed but packages didn't, rebuild from a prior cache.
+          restore-keys: |
+            ${{ runner.os }}-nextjs-${{ hashFiles('**/package-lock.json', '**/yarn.lock') }}-
+      - name: Install dependencies
+        run: ${{ steps.detect-package-manager.outputs.manager }} ${{ steps.detect-package-manager.outputs.command }}
+      - name: Build with Next.js
+        run: ${{ steps.detect-package-manager.outputs.runner }} next build
+      - name: Upload artifact
+        uses: actions/upload-pages-artifact@v3
+        with:
+          path: ./out
+
+  # Deployment job
+  deploy:
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4

SECURITY.md

@@ -0,0 +1,21 @@
+# Security Policy
+
+## Supported Versions
+
+Use this section to tell people about which versions of your project are
+currently being supported with security updates.
+
+| Version | Supported          |
+| ------- | ------------------ |
+| 5.1.x   | :white_check_mark: |
+| 5.0.x   | :x:                |
+| 4.0.x   | :white_check_mark: |
+| < 4.0   | :x:                |
+
+## Reporting a Vulnerability
+
+Use this section to tell people how to report a vulnerability.
+
+Tell them where to go, how often they can expect to get an update on a
+reported vulnerability, what to expect if the vulnerability is accepted or
+declined, etc.

package.json

@@ -44,15 +44,15 @@
   },
   "dependencies": {
     "@cowprotocol/widget-react": "^0.10.0",
-    "@ducanh2912/next-pwa": "^9.7.1",
+    "@ducanh2912/next-pwa": "^10.2.9",
     "@emotion/cache": "^11.13.1",
     "@emotion/react": "^11.13.3",
     "@emotion/server": "^11.11.0",
     "@emotion/styled": "^11.11.0",
     "@gnosis.pm/zodiac": "^4.0.3",
-    "@mui/icons-material": "^5.14.20",
+    "@mui/icons-material": "^5.16.7",
     "@mui/material": "^5.16.7",
-    "@mui/x-date-pickers": "^5.0.20",
+    "@mui/x-date-pickers": "^7.22.2",
     "@reduxjs/toolkit": "^2.2.6",
     "@safe-global/api-kit": "^2.4.6",
     "@safe-global/protocol-kit": "^4.1.1",
@@ -72,12 +72,12 @@
     "@web3-onboard/ledger": "2.3.2",
     "@web3-onboard/trezor": "^2.4.2",
     "@web3-onboard/walletconnect": "^2.5.4",
-    "blo": "^1.1.1",
+    "blo": "^1.2.0",
     "classnames": "^2.5.1",
     "date-fns": "^2.30.0",
     "ethers": "^6.11.1",
     "exponential-backoff": "^3.1.0",
-    "firebase": "^10.3.1",
+    "firebase": "^11.0.1",
     "fuse.js": "^7.0.0",
     "idb-keyval": "^6.2.1",
     "js-cookie": "^3.0.1",
@@ -89,51 +89,52 @@
     "react-dom": "^18.3.1",
     "react-dropzone": "^14.2.3",
     "react-gtm-module": "^2.0.11",
-    "react-hook-form": "7.41.1",
+    "react-hook-form": "7.53.1",
     "react-papaparse": "^4.0.2",
     "react-redux": "^9.1.2",
     "semver": "^7.6.3",
-    "zodiac-roles-deployments": "^2.2.5"
+    "zodiac-roles-deployments": "^2.2.5",
+    "dompurify": "^3.1.7"
   },
   "devDependencies": {
     "@chromatic-com/storybook": "^1.3.1",
-    "@cowprotocol/app-data": "^2.1.0",
+    "@cowprotocol/app-data": "^2.3.0",
     "@faker-js/faker": "^9.0.3",
     "@mdx-js/loader": "^3.0.1",
     "@mdx-js/react": "^3.0.1",
     "@next/bundle-analyzer": "^13.5.6",
     "@next/mdx": "^14.2.11",
-    "@openzeppelin/contracts": "^4.9.6",
+    "@openzeppelin/contracts": "^5.0.2",
     "@safe-global/safe-core-sdk-types": "^5.0.1",
     "@sentry/types": "^7.74.0",
     "@storybook/addon-designs": "^8.0.3",
-    "@storybook/addon-essentials": "^8.0.6",
+    "@storybook/addon-essentials": "^8.3.4",
     "@storybook/addon-interactions": "^8.0.6",
     "@storybook/addon-links": "^8.3.4",
     "@storybook/addon-onboarding": "^8.0.6",
     "@storybook/addon-themes": "^8.0.6",
     "@storybook/blocks": "^8.0.6",
     "@storybook/nextjs": "^8.0.6",
     "@storybook/react": "^8.0.6",
-    "@storybook/test": "^8.0.6",
+    "@storybook/test": "^8.3.4",
     "@svgr/webpack": "^6.3.1",
     "@testing-library/cypress": "^8.0.7",
-    "@testing-library/jest-dom": "^5.16.5",
-    "@testing-library/react": "^13.3.0",
+    "@testing-library/jest-dom": "^6.6.2",
+    "@testing-library/react": "^15.0.7",
     "@testing-library/user-event": "^14.4.2",
     "@typechain/ethers-v6": "^0.5.1",
     "@types/jest": "^29.5.4",
     "@types/js-cookie": "^3.0.6",
     "@types/lodash": "^4.14.182",
     "@types/mdx": "^2.0.13",
-    "@types/node": "18.11.18",
+    "@types/node": "22.8.1",
     "@types/qrcode": "^1.5.5",
-    "@types/react": "^18.3.10",
+    "@types/react": "^18.3.12",
     "@types/react-dom": "^18.3.0",
     "@types/react-gtm-module": "^2.0.3",
     "@types/semver": "^7.3.10",
     "@typescript-eslint/eslint-plugin": "^7.6.0",
-    "@walletconnect/types": "^2.16.1",
+    "@walletconnect/types": "^2.17.1",
     "cross-env": "^7.0.3",
     "cypress": "^12.15.0",
     "cypress-file-upload": "^5.0.8",
@@ -151,7 +152,7 @@
     "jest": "^29.6.2",
     "jest-environment-jsdom": "^29.6.2",
     "mockdate": "^3.0.5",
-    "prettier": "^2.7.0",
+    "prettier": "^3.3.3",
     "remark-frontmatter": "^5.0.0",
     "remark-gfm": "^4.0.0",
     "remark-heading-id": "^1.0.1",

src/hooks/safe-apps/useSafeAppUrl.ts

@@ -1,17 +1,29 @@
 import { useRouter } from 'next/router'
 import { sanitizeUrl } from '@/utils/url'
 import { useEffect, useMemo, useState } from 'react'
+import DOMPurify from 'dompurify'
+
+const AUTHORIZED_URLS = [
+  'https://trustedapp1.com',
+  'https://trustedapp2.com',
+  // Add more authorized URLs here
+]
 
 const useSafeAppUrl = (): string | undefined => {
   const router = useRouter()
   const [appUrl, setAppUrl] = useState<string | undefined>()
 
   useEffect(() => {
     if (!router.isReady) return
-    setAppUrl(router.query.appUrl?.toString())
+    const url = router.query.appUrl?.toString()
+    if (url && AUTHORIZED_URLS.includes(sanitizeUrl(url))) {
+      setAppUrl(url)
+    } else {
+      setAppUrl(undefined)
+    }
   }, [router])
 
-  return useMemo(() => (appUrl ? sanitizeUrl(appUrl) : undefined), [appUrl])
+  return useMemo(() => (appUrl ? DOMPurify.sanitize(sanitizeUrl(appUrl)) : undefined), [appUrl])
 }
 
 export { useSafeAppUrl }

src/services/safe-apps/manifest.ts

@@ -55,9 +55,17 @@ const getAppLogoUrl = (appUrl: string, { icons = [], iconPath = '' }: AppManifes
   return `${appUrl}${isRelativeUrl(iconUrl) ? '' : '/'}${iconUrl}`
 }
 
+const ALLOWED_DOMAINS = ['example.com', 'another-safe-domain.com']; // Add your allowed domains here
+
 const fetchAppManifest = async (appUrl: string, timeout = 5000): Promise<unknown> => {
   const normalizedUrl = trimTrailingSlash(appUrl)
-  const manifestUrl = `${normalizedUrl}/manifest.json`
+  const urlObj = new URL(normalizedUrl)
+
+  if (!ALLOWED_DOMAINS.includes(urlObj.hostname)) {
+    throw new Error(`The domain ${urlObj.hostname} is not allowed`)
+  }
+
+  const manifestUrl = new URL('/manifest.json', normalizedUrl).toString()
 
   // A lot of apps are hosted on IPFS and IPFS never times out, so we add our own timeout
   const controller = new AbortController()