Input Validation on Generated Token List (#4026)

* Add input validation on the generated go code * Change denylist and comment associated with it * Add changes to the text file and more restrictive chars * Removing unnecessary async code --------- Co-authored-by: Maxwell Dulin <strikeout@maxwells-mbp.lan> Co-authored-by: Maxwell Dulin <strikeout@Maxwells-MacBook-Pro.local>
wormhole-foundation · Jul 29, 2024 · cf2c439 · cf2c439
1 parent f3e6a93
commit cf2c439
Showing 1 changed file with 81 additions and 5 deletions.
diff --git a/node/hack/governor/src/index.ts b/node/hack/governor/src/index.ts
@@ -94,6 +94,7 @@ axios
     var addedTokens = [];
     var removedTokens = [];
     var changedSymbols = [];
+    var failedInputValidationTokens = [];
     var newTokensCount = 0;
 
     for (let chain in res.data.AllTime) {
@@ -136,8 +137,8 @@ axios
                   await (async () => {
                     const provider = new JsonRpcProvider(
                       new Connection({
-                        // fullnode: "https://fullnode.mainnet.sui.io",
-                        fullnode: "https://sui-mainnet.g.allthatnode.com/full/json_rpc",
+                         fullnode: "https://fullnode.mainnet.sui.io",
+                        //fullnode: "https://sui-mainnet.g.allthatnode.com/full/json_rpc",
                       })
                     );
                     const result = await getOriginalAssetSui(
@@ -162,6 +163,12 @@ axios
                   continue;
                 }
               }
+
+              // If the character list is violated, then skip the coin. The error is logged in the function if something happens to have some sort of check on it.
+              if(!(safetyCheck(chain, wormholeAddr, data.Symbol, data.CoinGeckoId, data.TokenDecimals, data.TokenPrice, data.Address, notional))){
+                failedInputValidationTokens.push(chain + "-" + wormholeAddr + "-" + data.symbol)
+                continue; 
+              }
             }
 
             // This is a new token
@@ -196,7 +203,7 @@ axios
               //   });
               // }
             }
-
+            
             content +=
               "\t{ chain: " +
               chain +
@@ -253,7 +260,10 @@ axios
     changedContent += "\n\nTokens removed = " + removedTokens.length + ":\n<WH_chain_id>-<WH_token_addr>-<token_symbol>\n\n";
     changedContent += JSON.stringify(removedTokens, null, 1);
     changedContent += "\n\nTokens with changed symbols = " + changedSymbols.length + ":\n<WH_chain_id>-<WH_token_addr>-<old_token_symbol>-><new_token_symbol>\n\n";
-    changedContent += JSON.stringify(changedSymbols, null, 1);
+
+    changedContent += "\n\nTokens with invalid symbols = " + failedInputValidationTokens.length + ":\n<WH_chain_id>-<WH_token_addr>-<token_symbol>\n\n";
+    changedContent += JSON.stringify(failedInputValidationTokens, null, 1);
+
     changedContent += "\n\nTokens with significant price drops (>" + PriceDeltaTolerance + "%) = " + significantPriceChanges.length + ":\n\n"
     changedContent += JSON.stringify(significantPriceChanges, null, 1);
     changedContent += "\n```";
@@ -290,5 +300,71 @@ axios
     );
   })
   .catch((error) => {
-    console.error(error);
+    console.error("Request error:", error);
   });
+
+
+/*
+  Perform type checks on the incoming values
+  Check for a denylist set of characters
+
+  If either of these fail, we reject adding the token.
+
+  Example data: 30 000000000000000000000000b5c457ddb4ce3312a6c5a2b056a1652bd542a208 O404 omni404 18 1128.69 0xb5c457ddb4ce3312a6c5a2b056a1652bd542a208 7.4832146999999996
+*/
+function safetyCheck(chain, wormholeAddr, symbol, coinGeckoId, tokenDecimals, tokenPrice, address, notional)  : boolean{
+
+  if(isNaN(chain)){
+    console.log("Invalid chain ID ", chain, " provided")
+    return false; 
+  }
+
+  if(inputHasInvalidChars(wormholeAddr)){
+    console.log("Invalid wormhole address ", wormholeAddr, " provided")
+    return false; 
+  }
+
+  if(inputHasInvalidChars(symbol)){
+    console.log("Invalid token symbol ", symbol, " provided")
+    return false; 
+  }
+
+  if(inputHasInvalidChars(coinGeckoId)){
+    console.log("Invalid coin gecko id ", coinGeckoId, " provided")
+    return false; 
+  }
+
+  if(isNaN(tokenDecimals)){
+    console.log("Invalid token decimals ", tokenDecimals, " provided")
+    return false; 
+  }
+
+  if(isNaN(tokenPrice)){
+    console.log("Invalid token price ", tokenPrice, " provided")
+    return false; 
+  }
+
+  if(inputHasInvalidChars(address)){
+    console.log("Invalid address ", address, " provided")
+    return false; 
+  }
+  if(isNaN(notional)){
+    console.log("Invalid notional", notional, " provided")
+    return false; 
+  }
+
+  return true; 
+}
+
+// Checks whether an illegal character is present in the provided string
+// If a character is found then return true. Otherwise, return false. 
+function inputHasInvalidChars(input) : boolean{
+  var deny_list = ["\"", "%", "\n","\r", "\\","{","}","/","'","[","]","(",")"]
+  for(var char of deny_list) {
+    if(input.includes(char)){
+      return true; 
+    }
+  }
+
+  return false; 
+}