From a8b639b317f2888758aae9faa6a3f76fe9433c18 Mon Sep 17 00:00:00 2001
From: David Whittington <djwhitt@gmail.com>
Date: Wed, 15 Nov 2023 15:21:28 -0600
Subject: [PATCH] feat(validation): use regex to sanity check block hashes

The format sanity check functions are supposed to be lightweight and
performant and should therefore not exhaustively check the format of
transactions and blocks. However, we recently encountered an issue (in a
branch) where invalid blocks were being retrieved from a cache. A regex
check on any of the base64 encoded fields would have caught it. To
address that, this commit adds regex check on the block 'indep_hash' and
'previous_block' fields.
---
 src/lib/validation.ts | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/lib/validation.ts b/src/lib/validation.ts
index 187127e5..f2b65c90 100644
--- a/src/lib/validation.ts
+++ b/src/lib/validation.ts
@@ -25,24 +25,37 @@ import {
   PartialJsonTransaction,
 } from '../types.js';
 
-export const isValidTx = (id: string): boolean => {
+export const isValidBlockIndepHash = (id: string): boolean => {
+  return !!id.match(/^[a-zA-Z0-9_-]{64}$/);
+};
+
+export const isValidTxId = (id: string): boolean => {
   return !!id.match(/^[a-zA-Z0-9_-]{43}$/);
 };
 
-export const isValidDataId = isValidTx;
+export const isValidDataId = isValidTxId;
 
 export function sanityCheckBlock(block: PartialJsonBlock) {
   if (!block.indep_hash) {
     throw new Error("Invalid block: missing 'indep_hash'");
   }
 
+  if (!isValidBlockIndepHash(block.indep_hash)) {
+    throw new Error("Invalid block: invalid 'indep_hash' format");
+  }
+
   if (!block.height === undefined) {
     throw new Error("Invalid block: missing 'height'");
   }
 
+  if (typeof block.height !== 'number') {
+    throw new Error("Invalid block: 'height' must be a number");
+  }
+
   if (
     block.height !== 0 &&
-    (typeof block.previous_block !== 'string' || block.previous_block === '')
+    (typeof block.previous_block !== 'string' ||
+      !isValidBlockIndepHash(block.previous_block))
   ) {
     throw new Error("Invalid block: missing or invalid 'previous_block'");
   }
@@ -53,7 +66,7 @@ export function sanityCheckTx(tx: PartialJsonTransaction) {
     throw new Error("Invalid transaction: missing 'id'");
   }
 
-  if (!isValidTx(tx.id)) {
+  if (!isValidTxId(tx.id)) {
     throw new Error("Invalid transaction: invalid 'id' format");
   }
 }