fix: bound lovelace amounts to uint64 + keep payment-gate network server-owned#104
Merged
…ver-owned

Final low-risk re-derived slice from the closed #88 — two trust-boundary fixes.

- core: LovelaceAmountSchema now caps length (20) + refines that the value is <= 2^64-1, so an over-uint64 amount string can't slip through to BigInt math.
- sdk: createPaymentGate's 402 `accepted.network` now comes from server config (options.network), not the client-supplied payload.accepted.network — a client can no longer steer the network field in the verify payload.
- Tests: over-uint64 rejection; payment-gate uses server-owned network despite an attacker-supplied mainnet/attacker accepted block.

Config-compatible. Verified: typecheck clean, core 70 + root 457 tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Final low-risk re-derived slice from the closed #88 — two trust-boundary fixes.
- LovelaceAmountSchema now caps length (20) and refines that the value is <= 2^64-1, so an over-uint64 amount string can't slip through to BigInt math / downstream assumptions.
- createPaymentGate's 402 accepted.network now comes from server config (options.network), not the client-supplied payload.accepted.network — a client can no longer steer the network field in the verify payload. (This is the trust-boundary invariant the payment-security check guards.)
- Tests: over-uint64 rejection; payment gate uses the server-owned network despite an attacker-supplied cardano:mainnet/attacker accepted block.
Risk
Low: config-compatible. Bounds an unbounded input + removes a client-controllable field from the server's verify payload. Verified: typecheck clean, core 70 + root 457 tests pass.
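The two checks described above, as an added example that is not the project's code: it models LovelaceAmountSchema's length cap and <= 2^64-1 refinement as a plain TypeScript function (no schema library, so it runs stand-alone), and shows a 402 builder whose accepted.network is taken from options.network beside the earlier client-steerable variant. The option and payload shapes, the "cardano:preprod" value and the amount field are assumptions for the illustration.

```typescript
// Added example, not the project's code. Plain TypeScript with no schema
// library; the shapes of options and the client payload are assumed.

// 2^64 - 1 has 20 decimal digits; the cap is applied before any parsing.
const MAX_LOVELACE_DIGITS = 20;
const UINT64_MAX_DECIMAL = "18446744073709551615";

// Models LovelaceAmountSchema: cap length (20), digits only, value <= 2^64-1.
function isValidLovelaceAmount(raw: unknown): boolean {
  if (typeof raw !== "string") return false;
  // Stage 1: length cap. Reject before any numeric work so an arbitrarily
  // long digit string never reaches BigInt math downstream.
  if (raw.length === 0 || raw.length > MAX_LOVELACE_DIGITS) return false;
  // Digits only: no sign, exponent, whitespace or separators.
  if (!/^[0-9]+$/.test(raw)) return false;
  // Stage 2: refine to <= 2^64-1. A shorter digit string is always smaller;
  // for two 20-digit strings a lexicographic compare is exact, so the bound
  // check itself needs no bigint arithmetic.
  if (raw.length < MAX_LOVELACE_DIGITS) return true;
  return raw <= UINT64_MAX_DECIMAL;
}

// Server-side gate configuration (assumed shape): the network and price are
// decided by the operator, never by the requester.
interface PaymentGateOptions {
  network: string;
  amount: string;
}

// Client-supplied body (assumed shape). Everything under accepted is untrusted.
interface ClientPayload {
  accepted?: { network?: string; amount?: string };
}

interface PaymentRequiredBody {
  status: 402;
  accepted: { network: string; amount: string };
}

// Before the fix: the network field could be echoed from the client payload,
// letting a requester steer which network the verify step looks at.
function buildPaymentRequiredUnsafe(
  options: PaymentGateOptions,
  payload: ClientPayload,
): PaymentRequiredBody {
  const network = payload.accepted?.network ?? options.network;
  return { status: 402, accepted: { network, amount: options.amount } };
}

// After the fix: accepted.network is derived from options.network only; the
// client payload is accepted as a parameter but never consulted for it.
function buildPaymentRequired(
  options: PaymentGateOptions,
  _payload: ClientPayload,
): PaymentRequiredBody {
  if (!isValidLovelaceAmount(options.amount)) {
    throw new RangeError(`configured amount is not a valid lovelace value: ${options.amount}`);
  }
  return { status: 402, accepted: { network: options.network, amount: options.amount } };
}
```

The unsafe variant is kept only to make the comparison visible in tests; in the SDK the 402 body is built from server config alone.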
Completes the low-risk re-delivery batch from #88. (Remaining: the gated config/infra tier + the coupled CI checks + Lucid bumps.)
🤖 Generated with Claude Code