Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

refactor: disallow non alphanumeric symbols #945

Merged
merged 3 commits into from
Jun 18, 2024

Conversation

andreivladbrg
Copy link
Member

We still need to make a decision, but this PR solves this finding: https://www.codehawks.com/report/clvb9njmy00012dqjyaavpl44#M-01

@andreivladbrg andreivladbrg marked this pull request as draft June 17, 2024 07:29
@andreivladbrg andreivladbrg force-pushed the refactor/non-alphanumeric-uri branch from 6678396 to 7a23821 Compare June 17, 2024 07:36
@andreivladbrg andreivladbrg force-pushed the refactor/non-alphanumeric-uri branch from 7a23821 to c0d1ed3 Compare June 17, 2024 07:37
refactor: alphabetical ordering
refactor: return different string
test: thorough concrete tests for "isAlphanumeric"
@PaulRBerg PaulRBerg marked this pull request as ready for review June 17, 2024 12:37
Copy link
Member

@PaulRBerg PaulRBerg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the lift-off, @andreivladbrg. I have made several additions and changes:

  • Simplified the implementation using OR operators instead of AND
  • Added thorough concrete units
  • Added fuzz tests

@PaulRBerg PaulRBerg force-pushed the refactor/non-alphanumeric-uri branch from caf20fc to ffcd915 Compare June 17, 2024 12:39
@PaulRBerg
Copy link
Member

Separately, I opened feature requests in OpenZeppelin and Solady for implementing alphanumeric check functions:

test: fuzz tests for "isAlphanumeric"
test: shared test contract for NFT descriptor
@PaulRBerg PaulRBerg force-pushed the refactor/non-alphanumeric-uri branch from ffcd915 to b3ff329 Compare June 17, 2024 12:49
Copy link
Member

@smol-ninja smol-ninja left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Beautiful.

@smol-ninja smol-ninja merged commit 6a3c917 into staging Jun 18, 2024
9 checks passed
@smol-ninja smol-ninja deleted the refactor/non-alphanumeric-uri branch June 18, 2024 12:13
@smol-ninja
Copy link
Member

smol-ninja commented Jun 29, 2024

Should we allow - as well?

From Egis audit report:

Consider adding - (2D) as supported char in for token sybmol, because it is not a threat for JSON injection and there are tokens such as LP, which may use this char. Example token Recom- mendation:Addbool isDash = char == 2Dcheck

Also, even Sablier NFT contains -.

Fixed in #960.

@PaulRBerg
Copy link
Member

I agree with adding support for -.

andreivladbrg added a commit that referenced this pull request Jul 3, 2024
* refactor: disallow non alphanumeric symbols

* feat: allow empty spaces in "isAlphanumeric"

refactor: alphabetical ordering
refactor: return different string
test: thorough concrete tests for "isAlphanumeric"

* refactor: simplify logical conditions

test: fuzz tests for "isAlphanumeric"
test: shared test contract for NFT descriptor

---------

Co-authored-by: Paul Razvan Berg <[email protected]>
andreivladbrg added a commit that referenced this pull request Jul 3, 2024
* refactor: disallow non alphanumeric symbols

* feat: allow empty spaces in "isAlphanumeric"

refactor: alphabetical ordering
refactor: return different string
test: thorough concrete tests for "isAlphanumeric"

* refactor: simplify logical conditions

test: fuzz tests for "isAlphanumeric"
test: shared test contract for NFT descriptor

---------

Co-authored-by: Paul Razvan Berg <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants