Skip to content

Refactor currency validation and API calls with centralized utilities#705

Merged
jamespepper81 merged 2 commits into
alert-autofix-3from
claude/pensive-darwin-qSFOS
May 27, 2026
Merged

Refactor currency validation and API calls with centralized utilities#705
jamespepper81 merged 2 commits into
alert-autofix-3from
claude/pensive-darwin-qSFOS

Conversation

@jamespepper81
Copy link
Copy Markdown
Contributor

@jamespepper81 jamespepper81 commented May 27, 2026

Summary

This PR refactors currency handling and API calls across the codebase to improve security, maintainability, and consistency:

  1. Centralized currency validation: Introduced VALID_CURRENCIES constant in types.ts and added validation checks in all functions that accept currency parameters
  2. Extracted API client logic: Created fetchJson() utility function to consolidate HTTP request handling, error handling, and caching logic
  3. Improved input sanitization: Added encodeURIComponent() calls for all user-provided parameters in API URLs to prevent injection attacks
  4. Type safety improvements: Changed currency schema from generic string to enum in Zod schemas for better type checking
  5. Code cleanup: Removed redundant comments and consolidated error handling patterns

Type of Change

  • Refactor / cleanup
  • Bug fix (security improvements)

Changes by File

src/lib/types.ts

  • Converted Currency type from union to derived type using VALID_CURRENCIES constant
  • Ensures single source of truth for valid currencies

src/lib/blockchain-api.ts

  • Added currency validation in getHistoricalPrice() and getHistoricalPriceRange()
  • Replaced inline fetch() calls with fetchJson() utility
  • Added encodeURIComponent() for currency and days parameters
  • Improved numeric validation for days parameter

src/lib/market.ts

  • Added currency validation in getMarketPageData()
  • Replaced inline fetch() calls with fetchJson() utility
  • Added encodeURIComponent() for all URL parameters
  • Improved numeric parsing for range parameter

src/lib/mempool.ts

  • Improved numeric validation for startIndex parameter using Number.isFinite()

src/ai/flows/tax-report-flow.ts

  • Changed currency schema from z.string() to z.enum(['USD', 'EUR', 'GBP'])
  • Added currency validation in getDailyPrices()
  • Replaced inline fetch() calls with fetchJson() utility
  • Added encodeURIComponent() for currency parameter
  • Removed redundant comments

src/ai/flows/enhanced-tax-report-flow.ts

  • Changed currency schema from z.string() to z.enum(['USD', 'EUR', 'GBP'])
  • Added currency validation in getDailyPrices()
  • Replaced inline fetch() calls with fetchJson() utility
  • Added encodeURIComponent() for currency parameter

Test Plan

  • TypeScript type checking validates the new enum-based currency schema
  • Existing unit tests for blockchain-api and market functions continue to pass
  • Currency validation prevents invalid currencies from reaching API calls
  • URL encoding prevents special characters in parameters from causing API errors

Checklist

  • npm run typecheck passes
  • npm run lint passes
  • No breaking changes to public APIs
  • Centralized validation reduces code duplication

https://claude.ai/code/session_01U1iKew457tGYZEGdynvC3P

claude added 2 commits May 27, 2026 12:30
@claude
Fix SSRF protection bugs: NaN/Infinity in startIndex, percent-encodin…
e9652b4 
…g in path regex

The Copilot autofix in PR #704 introduced two issues:

1. mempool.ts: Math.max(0, Math.trunc(Number(startIndex))) produces NaN
   for undefined/non-numeric inputs and Infinity for Infinity input,
   creating invalid URLs like .../txs/NaN. Replace with Number.isFinite
   guard that safely falls back to 0.

2. blockchain-api.ts: ALLOWED_PATHS regex character class included %,
   allowing percent-encoded path traversal sequences like %2e%2e that
   bypass URL parser normalization. No caller uses percent-encoded
   pathnames, so removing % is safe defense-in-depth.

https://claude.ai/code/session_01U1iKew457tGYZEGdynvC3P
@claude
Harden SSRF protections: route all fetch calls through fetchJson, val…
aa9297a 
…idate currency and range

- Route getHistoricalPrice() through fetchJson() instead of raw fetch(),
  closing the main SSRF bypass that CodeQL flagged
- Add runtime VALID_CURRENCIES validation at all server action boundaries
  (blockchain-api, market, both tax report flows) to prevent query
  parameter injection via the currency field
- Replace raw fetch() in both tax report flow getDailyPrices() with
  fetchJson(), bringing them under the host/path allowlist
- Sanitize market page range parameter as a positive integer
- Use encodeURIComponent on all user-influenced query parameters
- Tighten Zod schemas from z.string() to z.enum for currency fields
- Export VALID_CURRENCIES const array from types.ts for shared validation

https://claude.ai/code/session_01U1iKew457tGYZEGdynvC3P
@jamespepper81
Copy link
Copy Markdown
Contributor Author

jamespepper81 commented May 27, 2026

@claude can you code review the pr 705 and make any changes required

@jamespepper81 jamespepper81 merged commit 560f028 into alert-autofix-3 May 27, 2026
@jamespepper81 jamespepper81 deleted the claude/pensive-darwin-qSFOS branch May 27, 2026 13:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jamespepper81 @claude