Chain ID length not validated in interoperability endpoints #8604

ishantiw · 2023-06-16T08:26:12Z

Description

The BaseInteroperabilityEndpoint and MainchainInteroperabilityEndpoint classes provide several methods that take a hex-formatted chain ID as a parameter. These methods validate the chain ID using different schemas that are all aliases for getChainAccountRequestSchema

https://github.com/LiskHQ/lisk-sdk/blob/89e7504ef5eb6183aefe576a93be3d6052e56038/framework/src/modules/interoperability/schemas.ts#L561-L571

The chainID property in the above schema lacks the minLength and maxLength fields. As a result, arbitrary-length chain ID strings may be passed to internal functions that assume a correct length.

Affected version

v6.0.0-beta.2

The text was updated successfully, but these errors were encountered:

ishantiw added type: bug framework/module/interoperability Interoperability module labels Jun 16, 2023

Madhulearn added this to the Sprint 97 milestone Jun 18, 2023

Phanco self-assigned this Jun 19, 2023

Phanco mentioned this issue Jun 19, 2023

Fix length requirement and dataType on getChainAccountRequestSchema #8627

Merged

Madhulearn mentioned this issue Jun 20, 2023

Prepare Lisk SDK v6.0.0 for rc #7226

Closed

Madhulearn modified the milestones: Sprint 97, Sprint 98 Jun 20, 2023

ishantiw closed this as completed Jun 23, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Chain ID length not validated in interoperability endpoints #8604

Chain ID length not validated in interoperability endpoints #8604

ishantiw commented Jun 16, 2023

Chain ID length not validated in interoperability endpoints #8604

Chain ID length not validated in interoperability endpoints #8604

Comments

ishantiw commented Jun 16, 2023

Description

Affected version