Security/input validation audit #179

Closed
Haroldwonder wants to merge 5 commits into Netwalls:main from Haroldwonder:security/input-validation-audit

@Haroldwonder (Contributor) commented Feb 22, 2026

No description provided.

…warnings

- Document all acceptance criteria for reveal_prediction tests
- Fix unused variable warning (commit_hash2)
- Fix unused import warning (Ledger)
- All 13 reveal tests passing successfully
- Tests cover: valid reveal, invalid salt, double-reveal, after closing time
- Add REVEAL_PREDICTION_TESTS.md with detailed test documentation

- Implemented uphold_dispute() and dismiss_dispute() functions
- Added DisputeResolvedEvent for tracking resolution outcomes
- Updated claim_winnings() to block claims during disputes
- Added comprehensive test coverage:
  * test_uphold_dispute_happy_path - Tests dispute upheld with stake return
  * test_dismiss_dispute_happy_path - Tests dispute dismissed with stake slashing
  * test_uphold_dispute_not_disputed - Tests error when no dispute exists
  * test_dismiss_dispute_not_disputed - Tests error when no dispute exists
  * test_claim_winnings_blocked_during_dispute - Tests payout freeze during dispute
  * test_claim_winnings_after_dispute_dismissed - Tests claims work after dismissal
  * test_claim_winnings_after_dispute_upheld_corrected_outcome - Tests outcome correction

All acceptance criteria met:
- Test dispute submission with stake
- Test dispute resolution (uphold/dismiss)
- Test payout freeze during dispute

- Updated rate limiting to use wallet address (publicKey) instead of just IP
- Added separate rate limiters for different operation types:
  * authRateLimiter: 5 requests/min per wallet/IP
  * predictionRateLimiter: 10 requests/min per wallet
  * tradeRateLimiter: 30 requests/min per wallet
- All rate-limited responses now include Retry-After header
- Added comprehensive test suite for rate limiting
- Updated routes to apply appropriate rate limiters:
  * Auth routes: authRateLimiter, challengeRateLimiter
  * Prediction routes: predictionRateLimiter
  * Trade routes: tradeRateLimiter
  * General routes: apiRateLimiter
- Created documentation for rate limiting implementation

Acceptance criteria met:
- Rate limit by wallet address (not just IP)
- Separate limits: auth (5/min), predictions (10/min), trades (30/min)
- Return Retry-After header in all rate-limited responses

Files changed:
- backend/src/middleware/rateLimit.middleware.ts (updated)
- backend/src/routes/markets.routes.ts (updated)
- backend/src/routes/predictions.ts (updated)
- backend/src/middleware/__tests__/rateLimit.middleware.test.ts (new)
- backend/RATE_LIMITING.md (new)
- WALLET_RATE_LIMITING_IMPLEMENTATION.md (new)

- Add comprehensive sanitization utilities for XSS protection
- Implement numeric validation with overflow protection
- Add Stellar address format validation
- Apply validation middleware to all API routes
- Update services to use sanitization functions
- Add unit tests for sanitization utilities
- Document all security measures in SECURITY_AUDIT.md

Acceptance Criteria Met:
- SQL injection protection via Prisma parameterization
- XSS sanitization for market titles/descriptions
- Numeric validation with no negatives and overflow protection
- Stellar address format validation (G + 55 base32 chars)

@GoSTEAN closed this Feb 25, 2026
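
The "G + 55 base32 chars" rule in the last commit message is a shape check only. The block below is an added example, not code from this PR: it goes beyond the commit message by also decoding the address and verifying the StrKey version byte and CRC16-XModem checksum. All function and constant names are hypothetical.

```typescript
// Added example; function and constant names are hypothetical, not from the PR.
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"; // RFC 4648 base32
const ACCOUNT_VERSION = 6 << 3; // StrKey account ID version byte 0x30, encodes as 'G'
type AddressCheck = "ok" | "bad_format" | "bad_version" | "bad_checksum";

// CRC16-XModem: polynomial 0x1021, initial value 0, no reflection.
function crc16Xmodem(data: Uint8Array): number {
  let crc = 0;
  for (let i = 0; i < data.length; i++) {
    crc ^= data[i] << 8;
    for (let bit = 0; bit < 8; bit++) crc = (crc & 0x8000 ? (crc << 1) ^ 0x1021 : crc << 1) & 0xffff;
  }
  return crc;
}

// Regroup bits between 8-bit bytes and 5-bit base32 symbols (35 bytes <-> 56 symbols).
function regroup(values: ArrayLike<number>, fromBits: number, toBits: number): number[] {
  const out: number[] = [];
  let buffer = 0, bits = 0;
  for (let i = 0; i < values.length; i++) {
    buffer = (buffer << fromBits) | values[i];
    bits += fromBits;
    while (bits >= toBits) {
      bits -= toBits;
      out.push((buffer >> bits) & ((1 << toBits) - 1));
      buffer &= (1 << bits) - 1;
    }
  }
  return out;
}

function checkStellarAddress(input: unknown): AddressCheck {
  // Shape check from the commit message: 'G' followed by 55 base32 characters.
  if (typeof input !== "string" || !/^G[A-Z2-7]{55}$/.test(input)) return "bad_format";
  // Decoded layout: 1 version byte + 32 key bytes + 2 checksum bytes.
  const raw = new Uint8Array(regroup(input.split("").map((c) => ALPHABET.indexOf(c)), 5, 8));
  // 'G' fixes only the top 5 bits of the version byte; the second character supplies the rest.
  if (raw[0] !== ACCOUNT_VERSION) return "bad_version";
  const stored = raw[33] | (raw[34] << 8); // checksum is stored little-endian
  return crc16Xmodem(raw.subarray(0, 33)) === stored ? "ok" : "bad_checksum";
}

// Builds a constructed sample address (key bytes 0x00..0x1f, not a real account).
function sampleAddress(): string {
  const body = new Uint8Array(35);
  body[0] = ACCOUNT_VERSION;
  for (let i = 0; i < 32; i++) body[i + 1] = i;
  const crc = crc16Xmodem(body.subarray(0, 33));
  body[33] = crc & 0xff; body[34] = crc >> 8;
  return regroup(body, 8, 5).map((s) => ALPHABET.charAt(s)).join("");
}
```

A string can match the 56-character pattern and still fail here, for example after a single mistyped character or with a second character outside A to D, which is why the decoded checks matter for anything that moves funds.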