fix: improved network & erc20 validation (#911)

TalismanSociety · Jul 6, 2023 · 9ac4932 · 9ac4932
1 parent 2f3c4c5
commit 9ac4932
Showing 1 changed file with 7 additions and 5 deletions.
diff --git a/apps/extension/src/core/domains/ethereum/helpers.ts b/apps/extension/src/core/domains/ethereum/helpers.ts
@@ -237,14 +237,16 @@ export const prepareTransaction = (
   return result
 }
 
+const testNoScriptTag = (text?: string) => !text?.toLowerCase().includes("<script")
+
 const schemaAddEthereumRequest = yup.object().shape({
   chainId: yup.string().required(),
-  chainName: yup.string().required(),
+  chainName: yup.string().required().max(100).test("noScriptTag", testNoScriptTag),
   nativeCurrency: yup
     .object()
     .shape({
-      name: yup.string().required(),
-      symbol: yup.string().min(2).max(6).required(),
+      name: yup.string().required().max(50).test("noScriptTag", testNoScriptTag),
+      symbol: yup.string().required().min(2).max(11).test("noScriptTag", testNoScriptTag),
       decimals: yup.number().required().integer(),
     })
     .required(),
@@ -281,8 +283,8 @@ const schemaWatchAssetRequest = yup.object().shape({
   options: yup
     .object()
     .shape({
-      address: yup.string().required(),
-      symbol: yup.string().min(2).max(11),
+      address: yup.string().required().test("ethAddress", isEthereumAddress),
+      symbol: yup.string().min(2).max(11).test("noScriptTag", testNoScriptTag),
       decimals: yup.number(),
       // ignore image if it doesn't pass security checks
       image: yup.string().transform((value) => (isSafeImageUrl(value) ? value : undefined)),