chore: double check validate transaction arguments

This is basically double checking the bootloader
matter-labs · Feb 12, 2025 · 0deebe5 · 0deebe5
1 parent ff8273d
commit 0deebe5
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 3 deletions.
diff --git a/src/validators/SessionKeyValidator.sol b/src/validators/SessionKeyValidator.sol
@@ -139,11 +139,14 @@ contract SessionKeyValidator is IModuleValidator {
   /// @dev Session spec and period IDs must be provided as validator data
   function validateTransaction(
     bytes32 signedHash,
-    bytes calldata,
+    bytes calldata providedTransactionSignature,
     Transaction calldata transaction
   ) external returns (bool) {
     (bytes memory transactionSignature, address _validator, bytes memory validatorData) = SignatureDecoder
       .decodeSignature(transaction.signature);
+    if (keccak256(providedTransactionSignature) != keccak256(transactionSignature)) {
+      return false;
+    }
     (SessionLib.SessionSpec memory spec, uint64[] memory periodIds) = abi.decode(
       validatorData, // this is passed by the signature builder
       (SessionLib.SessionSpec, uint64[])

diff --git a/src/validators/WebAuthValidator.sol b/src/validators/WebAuthValidator.sol
@@ -7,6 +7,7 @@ import { IERC165 } from "@openzeppelin/contracts/utils/introspection/IERC165.sol
 import { IModuleValidator } from "../interfaces/IModuleValidator.sol";
 import { IModule } from "../interfaces/IModule.sol";
 import { VerifierCaller } from "../helpers/VerifierCaller.sol";
+import { SignatureDecoder } from "../libraries/SignatureDecoder.sol";
 import { Strings } from "@openzeppelin/contracts/utils/Strings.sol";
 import { Base64 } from "solady/src/utils/Base64.sol";
 import { JSONParserLib } from "solady/src/utils/JSONParserLib.sol";
@@ -85,8 +86,19 @@ contract WebAuthValidator is VerifierCaller, IModuleValidator {
   function validateTransaction(
     bytes32 signedHash,
     bytes calldata signature,
-    Transaction calldata
+    Transaction calldata transaction
   ) external view returns (bool) {
+    (bytes memory transactionSignature, address _validator, bytes memory validatorData) = SignatureDecoder
+      .decodeSignature(transaction.signature);
+    if (_validator != address(this)) {
+      return false;
+    }
+    if (keccak256(transactionSignature) != keccak256(signature)) {
+      return false;
+    }
+    if (validatorData.length != 0) {
+      return false;
+    }
     return webAuthVerify(signedHash, signature);
   }
 
@@ -103,7 +115,7 @@ contract WebAuthValidator is VerifierCaller, IModuleValidator {
       fatSignature
     );
 
-    if (rs[0] <= 0 || rs[0] > HIGH_R_MAX || rs[1] <= 0 || rs[1] > LOW_S_MAX) {
+    if (uint256(rs[0]) <= 0 || rs[0] > HIGH_R_MAX || uint256(rs[1]) <= 0 || rs[1] > LOW_S_MAX) {
       return false;
     }