accounts.go

4e23509d · fix(prot): sanitize URL before database load or store [AC-3212]
Ethan Reesor authored
    Closes AC-3212. Strip everything except the authority and path from account URLs before loading from and storing to the database.
    
    Fuzz testing uncovered a bug: extra parameters of the URL, i.e. user info, query, and fragment fields, are passed through to the database. Because those fields are not validated, they may contain problematic characters, which can cause issues in the same way as AC-3135.
    
    ## Review Checklist
    
    **If any item is not complete, the merge request is not ready to be reviewed and must be marked `Draft:`.**
    
    - [x] The merge request title is in the format `<change type>(<change scope>): <short description> [<task id>]`
      - For example, `feat(cli): add QR code generation [AC-123]`
      - For details, see [CONTRIBUTING.md](/CONTRIBUTING.md)
    - [x] The description includes `Closes <jira task ID>` (or rarely `Updates <jira task ID>`)
    - [x] The change is fully validated by tests that are run during CI
      - In most cases this means a test in "validate.sh"
      - In some cases, a Go test may be acceptable
      - Validation is not applicable to things like documentation updates
      - Purely UI/UX changes can be manually validated, such as changes to human-readable output
      - For all other changes, automated validation tests are an absolute requirement unless a maintainer specifically explains why they are not in a comment on this merge request
    - [x] The change is marked with one of the validation labels
      - ~"validation::ci/cd" for changes validated by CI tests
      - ~"validation::manual" for changes validated by hand
      - ~"validation::deferred" for changes validated by a follow up merge request
      - ~"validation::not applicable" for changes where validation is not applicable
    
    ## Merge Checklist
    
    - [ ] CI is passing
    - [ ] Merge conflicts are resolved
    - [ ] All discussions are resolved
    
    Related to AC-3212
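The fix described in the commit message reduces an account URL to its authority and path before the URL is used as a database key, so that user info, query and fragment components (the ones fuzzing showed were passed through unvalidated) can never reach the store. The following is an added illustration of that idea in Go using `net/url`; it is not the project's code from `accounts.go`. The function names, the `authority/path` key layout, the case-folding of the authority and the trailing-slash handling are assumptions made for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// ErrNoAuthority is returned when the URL carries no authority. A key
// without an authority would be ambiguous, so it is rejected rather than
// silently stored. (Assumed behaviour for this example.)
var ErrNoAuthority = errors.New("account URL has no authority")

// SanitizeAccountURL parses raw and returns the canonical key
// "authority/path". Everything else in the URL is dropped: user info,
// query and fragment are never consulted, so untrusted characters in
// those components cannot reach the database layer.
//
// Assumptions for this illustration: the authority is compared
// case-insensitively, and a trailing slash does not change identity.
func SanitizeAccountURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	// url.URL.Host is the authority without user info.
	host := strings.ToLower(u.Host)
	if host == "" {
		return "", ErrNoAuthority
	}
	// EscapedPath keeps percent-encoding, so "/a%2Fb" and "/a/b" remain
	// distinct keys instead of collapsing after decoding.
	path := strings.TrimSuffix(u.EscapedPath(), "/")
	return host + path, nil
}

// HasExtraComponents reports whether raw carries any of the components
// the sanitizer strips. Useful for logging or rejecting inputs that were
// not already canonical, which is how the original defect surfaced.
func HasExtraComponents(raw string) (bool, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return false, err
	}
	return u.User != nil || u.RawQuery != "" || u.ForceQuery || u.Fragment != "", nil
}

func main() {
	// Constructed sample inputs: the same account spelled several ways.
	for _, raw := range []string{
		"acc://adi.acme/tokens",
		"acc://user:pw@adi.acme/tokens?x=1#frag",
		"acc://ADI.acme/tokens/",
		"acc:///tokens",
	} {
		key, err := SanitizeAccountURL(raw)
		extra, _ := HasExtraComponents(raw)
		fmt.Printf("%-42s key=%-18q extra=%v err=%v\n", raw, key, extra, err)
	}
}
```

All three well-formed spellings above map to the same key, `adi.acme/tokens`, which is the property the commit relies on: two URLs that differ only in stripped components must load and store the same record.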
accounts.go 2.63 KiB