Security/stellar address validation #524
Merged
1nonlypiece merged 2 commits into Jun 28, 2026
@DevALVIN-24 Great news! 🎉 Based on an automated assessment of this PR, the linked Wave issue(s) no longer count against your application limits. You can now already apply to more issues while waiting for a review of this PR. Keep up the great work! 🚀
Contributor
Author
okay
Contributor
stellar address validation tightened up, good. merged
closes #494
PR Description
📌 Description

This PR resolves a security/UI vulnerability where `AddressDisplay` and explorer link helpers accepted arbitrary strings. A malformed or attacker-controlled value would be rendered directly into a Stellar Expert explorer href.

We now enforce standard Stellar `StrKey` format validation (specifically validating standard Ed25519 Account and Contract lengths, prefixes, and valid base32 charset usage) before creating explorer links. Invalid addresses are marked visually with a warning strike-through style and specific `aria-label`s, and explorer links are hidden for them. The user can still copy the address string verbatim if they need to debug the malformed key.

🎯 Changes Made

- `isValidStellarAddress` in `src/utils/stellarAddress.ts` to strictly validate `G` and `C` keys (56 length + standard RFC4648 Base32 alphabet constraints).
- `AddressDisplay.tsx` to utilize this function. Visually strike-throughs and labels invalid addresses with a warning message, whilst hiding the explorer hyperlink.
- `getExplorerAccountUrl` and `contractExplorerUrl` inside `src/utils/explorer.ts` to return an empty string when the supplied address fails validation checks.
- `isValidStellarAddress` utility handling all major edge cases (wrong lengths, invalid prefix, lower-case, bad padding).
- `AddressDisplay.test.tsx` to handle testing of invalid marking rendering and assuring explorer links are conditionally hidden.
- `design-system/documentation/address-validation.md` to reflect the new address formatting rules and implementations for developers.

✅ Testing & Validation

100% line and branch coverage on the specifically modified functions/components. Tested edge cases include valid `G`/`C` keys, empty strings, invalid characters (e.g. `1` and `0`), and invalid lengths.
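The check this description outlines, as an added TypeScript example that is not code from this PR or repository: the format test (prefix, length 56, upper-case base32) gates link creation, and a CRC16 checksum test goes beyond what the description lists to also catch well-formed typos. All function names and the explorer URL base are assumptions.

```typescript
// Added example; all names here are hypothetical, not the project's code.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // RFC 4648 base32
const VERSION: Record<string, number> = { G: 6 << 3, C: 2 << 3 }; // account, contract

// Checks the PR description lists: prefix, length 56, upper-case base32 charset.
function hasStrKeyFormat(addr: string): boolean {
  return /^[GC][A-Z2-7]{55}$/.test(addr);
}

// CRC16-XModem (poly 0x1021, init 0), which StrKey appends little-endian.
function crc16(bytes: number[]): number {
  let crc = 0;
  for (const b of bytes) {
    crc ^= b << 8;
    for (let i = 0; i < 8; i++) crc = ((crc << 1) ^ (crc & 0x8000 ? 0x1021 : 0)) & 0xffff;
  }
  return crc;
}

// Goes beyond the description: decode, then check version byte and checksum.
function isChecksummedStrKey(addr: string): boolean {
  if (!hasStrKeyFormat(addr)) return false;
  const raw: number[] = [];
  let acc = 0, bits = 0;
  for (let i = 0; i < addr.length; i++) {
    acc = (acc << 5) | ALPHABET.indexOf(addr[i]);
    bits += 5;
    if (bits >= 8) { bits -= 8; raw.push((acc >> bits) & 0xff); acc &= (1 << bits) - 1; }
  }
  const crc = crc16(raw.slice(0, 33));
  return raw[0] === VERSION[addr[0]] && raw[33] === (crc & 0xff) && raw[34] === (crc >> 8);
}

// Builds a constructed sample key (32 identical payload bytes) for testing.
function sampleKey(prefix: "G" | "C", fill: number): string {
  const bytes = [VERSION[prefix]];
  for (let i = 0; i < 32; i++) bytes.push(fill);
  const crc = crc16(bytes);
  bytes.push(crc & 0xff, crc >> 8);
  let out = "", acc = 0, bits = 0;
  for (const b of bytes) {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 5) { bits -= 5; out += ALPHABET[(acc >> bits) & 31]; acc &= (1 << bits) - 1; }
  }
  return out;
}

// Link helper: empty string unless the address validates (URL base is assumed).
function explorerUrl(addr: string): string {
  const kind = addr[0] === "C" ? "contract" : "account";
  return isChecksummedStrKey(addr) ? `https://stellar.expert/explorer/public/${kind}/${addr}` : "";
}
```

The restricted charset alone keeps URL metacharacters out of the href; the checksum step only adds typo detection on top of it.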