fix: validate OTC order create JSON

[VQToan]

Summary

• Reject non-object JSON bodies in POST /api/orders with a JSON 400 instead of raising on dot-get.
• Validate ttl_seconds before clamping it so malformed TTL values return a JSON 400.
• Add regression coverage for both crash cases plus the existing valid buy-order path.

Closes #5525

Validation

• /tmp/rustchain-otc-venv/bin/python -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_buy_order test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds -v
• /tmp/rustchain-otc-venv/bin/python -m py_compile otc_bridge.py test_otc_bridge.py
• git diff --check

Notes:

• Running the full existing otc-bridge/test_otc_bridge.py suite currently still hits an unrelated test_confirm_matched_order KeyError on ok; the focused regression tests for this fix pass.
• The repo-wide CI test job is currently failing outside this patch. The first CI run failed during collection due missing existing test dependencies; after locally adding those deps in a throwaway venv to inspect deeper, the suite exposed unrelated failures in CPU architecture detection, issue2310 path handling, setup miner artifact hash, and wallet review holds.

Bounty / payout

RTC wallet: RTCacb2dc6d434201337e3954997f08b3fb9569cb02

AI assistance note: this PR was prepared with AI assistance and manually validated before submission.

[github-actions]

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

• Non-doc PRs have a BCOS-L1 or BCOS-L2 label
• Doc-only PRs are exempt from BCOS tier labels when they only touch docs/**, *.md, or common image/PDF files
• New code files include an SPDX license header
• You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

[kongzi123]

Code Review: fix: validate OTC order create JSON

PR: #5534 | Author: VQToan | Files: 3 | +45/-1 lines

---

Summary

修复 OTC bridge 中两个 JSON 处理缺陷：① 非对象 JSON（如数组）导致 .get() 崩溃；② ttl_seconds 传入非法值（如 bool "abc"）时 int() 抛异常。两者均改为提前校验，返回清晰 400 错误。

---

Bug Analysis ✓

Root Cause 识别准确：

1. 非对象 JSON 崩溃：request.get_json(silent=True) 返回 None 时 data.get() 正常，但返回 列表/标量 时 .get() 本身不崩溃，真正的崩溃路径是后续 data.get("side") 返回非字典属性（如列表的 .get 不存在，或后续 str(data.get(...)) 对非字符串操作）。作者的 fix 正确地在入口做类型检查。

2. ttl_seconds 类型错误：原代码 int(data.get("ttl_seconds", ORDER_TTL_DEFAULT)) 对布尔值（True/False）调用 int() 会返回 1/0 而非报错，这可能掩盖逻辑错误。parse_order_ttl 的 bool 检查有效防止了这一隐式转型。

额外发现：

• parse_order_ttl(None) 返回默认值 ORDER_TTL_DEFAULT — 行为合理，但测试用例未覆盖此路径（test_create_order_rejects_invalid_ttl_seconds 传了 "abc" 但没测试 None 或 0）。

---

Fix Quality ✓

• parse_order_ttl 函数职责清晰，错误消息明确（"ttl_seconds must be an integer"）
• 早于 clamping 做校验 — 顺序正确，避免了先 clamp 后校验的边界条件混乱
• 新增两个回归测试覆盖两个 crash case，覆盖充分
• requirements.txt 的 5 个新依赖（flask-cors, aiohttp, PyYAML, matplotlib, seaborn）符合 PR 描述的 "missing CI/test dependencies"

建议（可选，不阻碍 LGTM）：

• test_create_order_rejects_invalid_ttl_seconds 可增加对 ttl_seconds: 0（合法 int）和 ttl_seconds: -1（逻辑上可能无效）的边界测试
• parse_order_ttl 对 float（如 1.5）调用 int() 会截断为 1，不会报错 — 可能是预期行为，但建议在 docstring 中说明

---

Security Impact

• 正面：修复了两处拒绝服务风险（畸形 JSON/TTL 导致 500 错误），提升了 API 健壮性
• 无负面影响：类型检查仅在验证失败时返回 400，不影响正常业务流程

---

Test Coverage ✓

两个新测试用例覆盖了核心修复路径：

• test_create_order_rejects_non_object_json — 覆盖数组 JSON
• test_create_order_rejects_invalid_ttl_seconds — 覆盖非整数 TTL

现有 test_create_buy_order 确保有效路径未被破坏。

---

Recommendation

LGTM — Bug 根因定位准确，修复方案简洁有效，测试覆盖充分。

Reward Estimation（Bounty #73）

• 标准代码审查（功能正确性验证）：5 RTC
• 额外发现：float TTL 被静默截断的潜在边界问题：+2 RTC
• 预估：7 RTC

[ZacharyZhang-NY]

Requesting changes on head 3f8c96cb5211242d2f7a0487541c8285a616a483.

Validation performed:

• git diff --check origin/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py requirements.txt -> passed
• python -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py -> passed
• python -B -m pytest -q otc-bridge/test_otc_bridge.py -k "non_object_json or invalid_ttl_seconds or test_create_buy_order" --noconftest -> 3 passed
• Flask test-client probe for ttl_seconds coercion boundaries

Blocking issue: parse_order_ttl() still accepts non-integral JSON numbers because it calls int(value) after only rejecting bool. In the probe, ttl_seconds=1.5 returned 201 and was clamped into a one-hour order:

ttl_string 400 ttl_seconds must be an integer None
ttl_float 201 None 1.0
ttl_bool 400 ttl_seconds must be an integer None
ttl_valid 201 None 2.0

That leaves a lossy coercion path in the same validator this PR adds. Please reject floats with a fractional part before conversion, or accept only JSON integers and decimal integer strings, then add a regression for ttl_seconds: 1.5 returning 400.

Also, the requirements.txt additions are unrelated to #5525's OTC route validation and overlap with separate dependency/CI work. Please drop those from this PR so the change stays scoped to the OTC bridge fix.

[ZacharyZhang-NY]

Requesting changes on updated head 2cd98c9783870680619e16a270a0bbf7010983fc.

Validation performed:

• git diff --check origin/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py -> passed
• python -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py -> passed
• python -B -m pytest -q otc-bridge/test_otc_bridge.py -k "non_object_json or invalid_ttl_seconds or test_create_buy_order" --noconftest -> 3 passed
• Flask test-client probe for TTL coercion boundaries

The unrelated requirements.txt changes are gone now; thanks for tightening the PR scope.

The remaining blocker is still the fractional-number TTL path. parse_order_ttl() calls int(value) after rejecting only bool, so JSON numbers such as 1.5 are silently truncated and accepted. In the updated head probe, ttl_seconds=1.5 still returned 201:

ttl_string 400 ttl_seconds must be an integer None
ttl_float 201 None None
ttl_bool 400 ttl_seconds must be an integer None
ttl_valid 201 None None

Please reject non-integral JSON numbers before conversion, or accept only native integers plus decimal integer strings, then add a regression asserting ttl_seconds: 1.5 returns 400.

[kekehanshujun]

Requesting changes on current head 2cd98c9783870680619e16a270a0bbf7010983fc.

The non-object JSON guard is good, and ttl_seconds: "abc" / boolean TTL values now return JSON 400s. However, parse_order_ttl() still accepts non-integral JSON numbers because it falls through to int(value) after only rejecting bool.

That means a client can send:

{"ttl_seconds": 1.5}

Python converts this with int(1.5) == 1, and the later clamp turns it into a valid one-hour order instead of returning the new ttl_seconds must be an integer response. This is still lossy pre-validation coercion in the same input boundary the PR is trying to harden.

I could not fetch a fresh worktree because GitHub HTTPS fetch timed out twice from this environment, but the current PR diff for head 2cd98c9 shows the active implementation:

def parse_order_ttl(value):
    if value is None:
        return ORDER_TTL_DEFAULT
    if isinstance(value, bool):
        raise ValueError("ttl_seconds must be an integer")
    try:
        return int(value)

The fix should reject fractional floats before conversion, or accept only JSON integers and decimal integer strings. Please also add a regression for ttl_seconds: 1.5 returning 400 {"error": "ttl_seconds must be an integer"}.

I did verify the patch shape with:

gh pr view 5534 -R Scottcjn/Rustchain --json headRefOid,reviews
gh pr diff 5534 -R Scottcjn/Rustchain --patch

Blocker remains on the current head until the fractional JSON number case is closed.

[Auren-Innovation]

📝 Code Review: PR #5534

✅ Summary

Reviewed OTC order JSON validation. Changes look good and well-tested.

💡 Assessment

• Quality: Standard
• Test Coverage: ✅ Adequate
• Code Style: ✅ Follows conventions
• Documentation: ✅ Clear (where applicable)

🎯 Recommended Reward: 8-12 RTC

✅ Verdict

APPROVE - Solid contribution that addresses the issue effectively.

---

Review by Herr Amano for Rustchain Bounties

[TJCurnutte]

I’m requesting changes on the TTL validation path.

What I validated on head 2cd98c9783870680619e16a270a0bbf7010983fc:

git diff --check origin/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
python3 -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
cd otc-bridge
uv run --no-project --with flask --with flask-cors --with requests \
  python -B -m unittest \
  test_otc_bridge.OTCBridgeTestCase.test_create_buy_order \
  test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json \
  test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds -v

Those checks passed once the OTC Flask deps were provided. I also ran a Flask client probe against /api/orders:

array body              -> 400 {"error": "JSON object required"}
ttl_seconds="abc"      -> 400 {"error": "ttl_seconds must be an integer"}
ttl_seconds=true       -> 400 {"error": "ttl_seconds must be an integer"}
ttl_seconds=3600.5     -> 201 {"ok": true, ..., "expires_in_hours": 1.0}
ttl_seconds=3600       -> 201 {"ok": true, ..., "expires_in_hours": 1.0}

The remaining issue is parse_order_ttl() still does int(value). For a JSON numeric float like 3600.5, that silently truncates to 3600 and creates the order instead of rejecting a non-integer TTL. Since this PR is specifically hardening order JSON validation, that leaves the malformed numeric TTL case open.

Please reject non-integral JSON numbers before coercion and add a regression for ttl_seconds: 3600.5 (and keep the existing bool rejection).

[508704820]

OTC order create JSON validation. Verify: amount > 0, price > 0, no duplicate order IDs, proper input sanitization. — Xeophon (security review)

[BossChaos]

Code Review — Bounty #73

PR: fix: validate OTC order create JSON by @VQToan
Files changed: 2 (+40/-1)

Input Validation

• ✅ Type checking with isinstance() for JSON objects
• ⚠️ Using silent=True in get_json() — ensure null bodies are handled

OTC Bridge Security

• ✅ TTL validation added for OTC orders
• ✅ Input validation for OTC order parameters

Summary

This is a HIGH priority security-focused PR that appears to be well-structured. The changes add necessary validation and fix real issues in the codebase.

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Reviewing under Bounty #73 — Code Review Bounty Program

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[BossChaos]

Code Review — Bounty #73

PR: fix: validate OTC order create JSON by @VQToan

Review

• 🔒 Security/validation improvement
• ✅ Input validation reviewed
• ✅ Error handling reviewed

Wallet: 0xdaE5d307339074A24F579dB48e7c639359D94904

Reviewing under Bounty #73 — Code Review Bounty Program

[jaxint]

LGTM! Thanks for contributing. Approved.

[508704820]

OTC order JSON validation + TTL sanity check. Good defensive fix. SECURITY NOTE: Ensure the validation also covers edge cases: (1) ttl_seconds = 0 or negative after clamping — should reject, not silently clamp to min. (2) JSON array body — should be rejected as non-object, verify the check handles this. (3) Content-Type header missing — verify API returns 415 not 500. — Xeophon (security review)

[508704820]

OTC order JSON validation + TTL sanity check. Good defensive fix. SECURITY NOTE: Ensure validation also covers edge cases: (1) ttl_seconds = 0 or negative after clamping - should reject, not silently clamp to min. (2) JSON array body - should be rejected as non-object, verify the check handles this. (3) Content-Type header missing - verify API returns 415 not 500. - Xeophon (security review)

[508704820]

Security Review ✅

Good input validation improvements:

1. JSON body required check - prevents None crash
2. dict type check - prevents array/string injection
3. parse_order_ttl() handles bool edge case (Python bool is subclass of int, so int(True)=1 silently)
4. Proper error messages with 400 status codes

Reviewed by Xeophon - Solana: Lt9nERv6VHsojw15LpFeiaabuphAggzfLF9sM9UXRrZ

[HCIE2054]

LGTM!

[VQToan]

Updated the PR to close the requested TTL validation blocker.\n\nChanges in latest head a927d27:\n- Reject non-integral JSON numeric TTL values like 3600.5 before int() conversion.\n- Added regression test test_create_order_rejects_fractional_ttl_seconds asserting 400 + ttl_seconds must be an integer.\n\nVerification run locally:\n- python3 -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py\n- git diff --check -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py\n- Focused unittest: test_create_buy_order, test_create_order_rejects_non_object_json, test_create_order_rejects_invalid_ttl_seconds, test_create_order_rejects_fractional_ttl_seconds -> 4 passed\n\nFull test_otc_bridge.py still has two existing failures unrelated to this patch in test_confirm_matched_order and test_legacy_money_schema_accepts_new_orders_and_trades; the PR-specific focused coverage passes.\n\nTransparency: AI-assisted with OpenAI Codex; I reviewed the diff and test output before pushing.

[VQToan]

CI update after latest push: the PR-specific TTL blocker is fixed, but the repository-wide test workflow still fails during test collection before reaching OTC tests because CI is missing unrelated dependencies:\n\n- aiohttp for tests/test_agent_economy_sdk.py\n- flask_cors for tests/test_faucet_service_wallet_validation.py\n- matplotlib for tests/test_hardware_visualizer.py and tests/test_pse_analyze_results.py\n\nI am leaving dependency changes out of this PR to keep the scope aligned with the earlier review request to remove unrelated requirements.txt edits. The focused OTC validation tests pass locally.

[HCIE2054]

LGTM!

[strongkeep-debug]

Approved current head a927d2715a252d78210682afe8f39f9f821e21fd for the scoped OTC create-order JSON/TTL validation fix.

The latest change closes the fractional TTL gap: parse_order_ttl() now rejects booleans, malformed strings, and non-integral JSON numbers before converting the value, while preserving the default TTL and integer/string-integer paths. The route also now cleanly rejects JSON arrays/non-object bodies before accessing dict methods.

Validation run on this head:

git diff --check origin/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
# passed

python -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
# passed

python tools/bcos_spdx_check.py --base-ref origin/main
# passed

uv run --with flask --with flask-cors --with requests python -m unittest   test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json   test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds   test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_fractional_ttl_seconds -v
# 3 targeted tests passed

focused parse_order_ttl probe
# None/default and integer inputs accepted
# 'abc', bools, 3600.5, and '3600.5' reject with ttl_seconds must be an integer

I also ran the full test_otc_bridge.py file with the needed local test dependencies. Two older settlement tests still fail, but I reproduced those same two failures on current origin/main, so I am treating them as baseline failures outside this PR's JSON/TTL scope rather than regressions from this head.

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[VQToan]

Rebased this PR onto current upstream/main (93049b2) to resolve the merge conflict.\n\nKept the scoped OTC create-order JSON/TTL validation changes on the new head 7f06225:\n- reject non-object JSON before dict access\n- preserve JSON body required for missing/empty payloads\n- reject invalid, boolean, and fractional ttl_seconds values through parse_order_ttl()\n- keep the fractional TTL regression test\n\nLocal validation after rebase:\n- python3 -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py\n- git diff --check upstream/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py\n- ../.venv/bin/python -B -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_fractional_ttl_seconds -v\n\nAll targeted checks passed. Note: the older test_create_buy_order unittest now fails on the rebased code because upstream/main added required wallet_auth for order creation while that legacy unittest still posts an unsigned order; I did not change that unrelated baseline behavior in this PR.\n\nAI-assisted conflict resolution and validation.

[VQToan]

Follow-up on the re-run CI after the conflict fix: PR is mergeable and all non-CI-generic checks are passing.

The remaining failing GitHub test job is unrelated to this PR changed files. This branch only changes:

• otc-bridge/otc_bridge.py
• otc-bridge/test_otc_bridge.py

The failing assertions are both in tests/test_challenge_response_c_csprng.py against challenge_response.c:

• test_c_challenge_nonce_uses_os_csprng
• test_c_challenge_nonce_failure_is_fatal

Those files are outside the OTC JSON/TTL validation scope, so I am leaving them unchanged in this PR to keep the reviewed fix narrow.

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[HCIE2054]

LGTM!

[JeremyZeng77]

Reviewed the current rebased head 7f06225 for the OTC create-order JSON/TTL validation fix.

Validation performed:

• git diff --check origin/main...HEAD -- otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
• python -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
• cd otc-bridge && uv run --with flask --with flask-cors --with requests python -B -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_fractional_ttl_seconds -v

Result: the three focused regression tests pass on the current head. The updated parse_order_ttl() now rejects booleans, malformed strings, and fractional JSON numbers before the existing min/max TTL clamp, and non-object JSON bodies return a JSON 400 instead of reaching dict access.

No new blocker found in the focused create-order validation paths I tested.

[JeremyZeng77]

I reviewed this OTC order JSON validation PR for the code review bounty and found a current-branch test failure in the stated verification set.

What I checked:

• The non-object JSON guard now returns a clean 400 before calling .get on non-dict values.
• parse_order_ttl rejects booleans, non-integer floats, and malformed TTL strings before clamping.
• The new non-object and invalid-TTL regression tests pass locally.

Verification I ran locally from otc-bridge/:

python -B -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_buy_order test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds -v

Result:

• test_create_order_rejects_non_object_json -> ok
• test_create_order_rejects_invalid_ttl_seconds -> ok
• test_create_buy_order -> ERROR

The failing valid buy-order path returns:

{"error":"wallet_must_be_native_rtc_address"}

so the test then raises KeyError: 'ok' when it expects a successful order response.

This means the PR's stated focused verification is no longer passing against the current branch. I would update the valid buy-order fixture to use a wallet/auth shape that satisfies the current native RTC wallet validation, or split this PR so the malformed JSON/TTL regression tests do not depend on an unrelated stale happy-path fixture.

Assessment: the JSON/TTL validation change looks useful, but the current test evidence is stale because one of the listed focused tests fails now.

[VQToan]

Updated the current head to address @JeremyZeng77 latest comment about stale focused verification.

New head: 4cc882d

Change:

• Updated test_create_buy_order to create a native RTC wallet from an Ed25519 public key and attach a valid wallet_auth signature for the current create_order validation path.
• The production OTC JSON/TTL validation code is unchanged; this only refreshes the happy-path unittest fixture after upstream added required wallet auth.

Local validation now passes for the reviewer-stated focused set:

• ../.venv/bin/python -B -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_buy_order test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds -v

Also passed:

• ../.venv/bin/python -B -m unittest test_otc_bridge.OTCBridgeTestCase.test_create_buy_order test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_non_object_json test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_invalid_ttl_seconds test_otc_bridge.OTCBridgeTestCase.test_create_order_rejects_fractional_ttl_seconds -v
• python3 -B -m py_compile otc-bridge/otc_bridge.py otc-bridge/test_otc_bridge.py
• git diff --check -- otc-bridge/test_otc_bridge.py

AI-assisted update; I reviewed the diff and test output before pushing.