feat(backend): add name/description length validation to registerServiceOnChain#190
Conversation
…iceOnChain Closes Stellar-Ecosystem#25 register_service accepted any-length String for name and description with no bounds check, allowing permanent on-chain storage of arbitrarily large entries at negligible cost to the caller. Added guards to registerServiceOnChain() in backend/src/lib/contract.js: - name: 3–64 chars (INVALID_NAME) - description: 10–256 chars (INVALID_DESCRIPTION) Validation fires before any RPC call — no wasted transaction fees on bad inputs. Bounds mirror the frontend RegisterForm validation (3-50 name, 10-200 description) with slightly wider server-side limits to avoid the backend being stricter than what the contract actually needs.
|
Warning Review limit reached
More reviews will be available in 3 minutes and 16 seconds. Learn how PR review limits work. To continue reviewing without waiting, enable usage-based billing in the billing tab. ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Plus Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Fixes #25
Problem
register_servicein the Soroban contract accepts arbitrary-lengthStringfor bothnameanddescriptionwith no bounds. An attacker can register a service with a megabyte-long description at negligible cost, growing the on-chain storage permanently.Solution
Added pre-flight validation in
backend/src/lib/contract.jsinsideregisterServiceOnChain()before any RPC call:Bounds chosen to match the frontend
RegisterFormvalidation (name3–50,description10–200) with slightly wider server-side limits (3–64 / 10–256) so the backend is never stricter than the frontend without good reason.No RPC calls are made on invalid input — the validation throws immediately, saving transaction fee budget for the caller.
🤖 Generated with Claude Code