Add explicit length check on user-supplied Symbol

[Baskarayelu]

Summary

Reject anything > 9 chars before it reaches Symbol::new.

Background

This is a defence-in-depth fix. Even though we have no public report of exploitation, the gap below is the kind of thing a careful auditor would flag and that we want closed before any external review. The change should be implemented as part of the security baseline rather than as a reaction to an incident.

Acceptance criteria

• The change matches the summary above.
• A negative test exercises the new check.
• The PR description names the threat being mitigated.
• Lint, type-check, and tests all pass locally.
• PR description references this issue with Closes #<this-issue>.

Implementation hints

• Threat-model the change before you write it: what does an attacker get if this check is missing? Document that in the PR description.
• Surface a typed error (Soroban #[contracterror] / Zod / TS discriminated union) instead of panicking or returning a generic 500.
• Add a negative test that fails today before your fix and passes after. The diff must include both.
• If the change is on a hot path, measure the cost (env.cost_estimate() for Soroban, a microbenchmark for TS) and put the number in the PR description.

Repo-specific notes

• This is a Soroban contract crate. Run cargo build --target wasm32-unknown-unknown --release to verify the change still builds for WASM.
• Run cargo test -p <package> for the affected crate, and cargo clippy --workspace --all-targets -- -D warnings before pushing.
• Keep #![no_std] discipline: do not introduce std:: calls; use soroban_sdk primitives.

Out of scope

• Unrelated refactors in adjacent files.
• Stylistic-only changes (formatting, renaming) that are not required by the fix.
• Anything beyond the acceptance criteria above; surface follow-ups as separate issues.

How to claim and submit

1. Comment on this issue saying you'd like to take it on; wait for a maintainer to assign you (avoids duplicated effort).
2. Open a PR that references this issue (Closes #<this-issue>).
3. Make sure CI is green and request review from a CODEOWNERS maintainer.
4. PRs that close this issue and pass review may qualify for a reward — see the MAYBE REWARDED label and the GrantFox OSS campaign page.

---

Category: security  ·  Campaign: GrantFox OSS · Official Campaign · Maybe Rewarded

[SHEROSE0]

@SHEROSE0 has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hello Maintainer,
I’m interested in working on this issue if it can be assigned to me. I’ve reviewed the description and I understand the requirements clearly. I’m confident I can complete it efficiently and reliably.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @SHEROSE0 to this issue.

[grantfox-oss]

🦊 GrantFox — @SHEROSE0 has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #1564)
2. Your PR will be reviewed by the QuickLendX maintainers

Good luck! Track your progress on GrantFox.

[drips-wave]

Congratulations, @SHEROSE0! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @SHEROSE0: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊

[grantfox-oss]

🎉 This issue has been marked as completed on GrantFox as part of the Official Campaign campaign!

@SHEROSE0's PR #1663 was approved and merged by @Baskarayelu.

🏆 @SHEROSE0: You earned 35 FoxPoints for this contribution! Your current tier: Explorer (86 total points). Track your full progress on GrantFox.

👏 Great work, @SHEROSE0! Keep contributing to QuickLendX.

[drips-wave]

This issue has been completed by @SHEROSE0 as part of the Stellar Wave Program's 6th Wave 🥳

😎 @SHEROSE0: You earned 100 Points for completing this issue! After the current Wave ends, you'll be eligible for a percentage of the Wave's reward pool based on the percentage of total points you've earned. Learn more here. You can also Leave a review to share your experience working on this issue.

🧑‍💻 Repo maintainers: How'd the contributor do? Leave a review to share your experience working with them.