fix: add bounds validation to token metadata type guard (CWE-1236)#964
Merged
Ejirowebfi merged 2 commits intoJul 18, 2026
Merged
Conversation
5 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Beyond the description-length issue (#18), isTokenMetadata doesn't validate name length/content either, and doesn't validate that image/description/name are non-empty. Since this is the sole gate between arbitrary IPFS-pinned JSON and values the app treats as trusted, well-formed TokenMetadata throughout rendering, search/filter (tokenFilters.ts), and export code paths, any assumption those downstream consumers make about field shape beyond "is a string" is unverified. This is a narrower, related instance of the broader theme in #14/#18/#20 — the metadata read path is the weakest input-validation boundary in the app relative to how much of the UI trusts its output.
Tasks
Consolidate metadata validation into one well-tested function (potentially unifying with the fixes from #14 and #18) that checks: name non-empty and within a sane length, description within the length cap from #18, image matches isValidIPFSUri per #14.
Add unit tests for each rejected case (empty name, oversized name, non-IPFS image, oversized description) asserting getMetadata throws IPFSUploadError rather than returning a partially-invalid object.
Audit tokenFilters.ts and any search/sort code for assumptions about metadata field content that this stricter validation should now guarantee.
Acceptance Criteria
One consolidated, fully-tested metadata validator gates all IPFS-sourced metadata before it enters app state.
No downstream component needs its own defensive checks against malformed metadata shape (though defense-in-depth rendering safeguards from #18 remain).
closes #928