fix: [audit] ZNS-1, ZNS-2, vulnerability due to lack of string validation #61

Merged: 19 commits, Oct 31, 2023

JamesEarle (Collaborator) commented Oct 25, 2023

String validation now exists to only allow domain names to be alphanumeric characters that match [a-z0-9-].

By adding this, creating a single domain or subdomain with the name 0://wilder.2ld.3ld.4ld is not possible because the . character does not match this pattern. Any domain name that includes a ., a capital letter, or any special character like !()@#$%^&*? is not valid. We also no longer allow Unicode characters for special things like emojis or letters with accent marks.

The validation function exists in the StringUtils library.

This addresses ZNS-1 in a way as well. Spoofing is still possible because people can mint domains like w1lder and wild3r, which can't really be stopped entirely unless we also disallow numbers. This change does, however, address capital letters and other possibly abusable special characters, so domains like Wilder can't be created.
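
Added example, not part of the comment above and not the project's StringUtils code: an off-chain pre-check that applies the [a-z0-9-] rule and flags the digit-for-letter lookalikes the comment says validation alone cannot stop. The function names, the lookalike table and the non-empty requirement are assumptions made for illustration.

```javascript
// Added example: off-chain pre-check mirroring the rule described in the PR.
// This is NOT the project's StringUtils code.

// Pattern from the PR description. Requiring at least one character ("+")
// is an assumption; the PR text does not say how empty names are treated.
const ALLOWED = /^[a-z0-9-]+$/;

function isValidLabel(label) {
  // No "m" flag, so "$" only matches at the very end of the input and a
  // trailing newline cannot slip through.
  return typeof label === "string" && ALLOWED.test(label);
}

// Constructed, illustrative table of characters that read alike.
// It is deliberately small and is an assumption, not a complete list.
const LOOKALIKE = new Map([
  ["0", "o"], ["1", "l"], ["i", "l"], ["3", "e"], ["5", "s"],
]);

// Collapse a label to a "skeleton" so visually similar names compare equal.
function skeleton(label) {
  return Array.from(label, (c) => LOOKALIKE.get(c) ?? c).join("");
}

// Return already-registered names that a reviewer or UI should flag as
// possible lookalikes of `candidate` (hypothetical helper).
function findLookalikes(candidate, registered) {
  const target = skeleton(candidate);
  return registered.filter(
    (name) => name !== candidate && skeleton(name) === target
  );
}

// Names taken from the PR discussion plus two constructed non-ASCII samples.
const samples = [
  "wilder", "Wilder", "0://wilder.2ld.3ld.4ld",
  "wild\u00e9r", "wilder\u{1F680}", "w1lder",
];
for (const s of samples) {
  console.log(JSON.stringify(s), isValidLabel(s) ? "valid" : "rejected");
}
console.log(findLookalikes("w1lder", ["wilder", "wild3r", "zero"]));
```

Both w1lder and wild3r pass the character check, so the lookalike comparison is what surfaces them next to wilder.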

codecov bot commented Oct 25, 2023

Codecov Report

Merging #61 (5498344) into development (8f8bdff) will increase coverage by 0.00%.
The diff coverage is 99.49%.

Additional details and impacted files
@@             Coverage Diff              @@
##           development      #61   +/-   ##
============================================
  Coverage        99.79%   99.79%           
============================================
  Files               11       11           
  Lines              493      498    +5     
  Branches           123      124    +1     
============================================
+ Hits               492      497    +5     
  Misses               1        1           

Whytecrowe changed the title from "Audit fix: ZNS-2, vulnerability due to lack of string validation" to "fix: [audit] ZNS-2, vulnerability due to lack of string validation" on Oct 25, 2023

Whytecrowe changed the title from "fix: [audit] ZNS-2, vulnerability due to lack of string validation" to "fix: [audit] ZNS-1, ZNS-2, vulnerability due to lack of string validation" on Oct 26, 2023

openzeppelin-code bot commented Oct 30, 2023

fix: [audit] ZNS-1, ZNS-2, vulnerability due to lack of string validation

Generated at commit: 54983448803d054a5807c4204e624a8075d2c90e

🚨 Vulnerabilities Summary

| Process | Issues | Results |
|---|---|---|
| Contract Inspector | note | 21 |
| | low | 5 |
| | Total | 26 |
| Dependency Checker | Total | 0 |

For more details view the full report in OpenZeppelin Code

Whytecrowe merged commit 5b97484 into development on Oct 31, 2023
1 of 2 checks passed

zero-devops (Collaborator)

🎉 This PR is included in version 0.6.7 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀
