From dd039d9f2425ead5feef623e66e0872d107466fa Mon Sep 17 00:00:00 2001
From: Saleel <saleel@saleel.xyz>
Date: Mon, 9 Sep 2024 00:04:46 +0530
Subject: [PATCH] circuit: add range check for usernameIndex and fromIndex

---
 packages/circuits/src/twitter.circom    |  8 ++++++++
 packages/circuits/tests/twitter.test.ts | 15 +++++++++++++++
 2 files changed, 23 insertions(+)

diff --git a/packages/circuits/src/twitter.circom b/packages/circuits/src/twitter.circom
index 3b1b226..503c8c1 100644
--- a/packages/circuits/src/twitter.circom
+++ b/packages/circuits/src/twitter.circom
@@ -60,6 +60,10 @@ template TwitterVerifier(maxHeadersLength, maxBodyLength, n, k, exposeFrom) {
     if (exposeFrom) {
         signal input fromEmailIndex;
 
+        // Assert fromEmailIndex < emailHeaderLength
+        signal isFromIndexValid <== LessThan(log2Ceil(maxHeadersLength))([fromEmailIndex, emailHeaderLength]);
+        isFromIndexValid === 1;
+
         signal (fromEmailFound, fromEmailReveal[maxHeadersLength]) <== FromAddrRegex(maxHeadersLength)(emailHeader);
         fromEmailFound === 1;
 
@@ -75,6 +79,10 @@ template TwitterVerifier(maxHeadersLength, maxBodyLength, n, k, exposeFrom) {
     signal (twitterFound, twitterReveal[maxBodyLength]) <== TwitterResetRegex(maxBodyLength)(emailBody);
     twitterFound === 1;
 
+    // Assert twitterUsernameIndex < emailBodyLength
+    signal isTwitterIndexValid <== LessThan(log2Ceil(maxBodyLength))([twitterUsernameIndex, emailBodyLength]);
+    isTwitterIndexValid === 1;
+
     // Pack the username to int
     var maxTwitterUsernameLength = 21;
     signal twitterUsernamePacks[1] <== PackRegexReveal(maxBodyLength, maxTwitterUsernameLength)(twitterReveal, twitterUsernameIndex);
diff --git a/packages/circuits/tests/twitter.test.ts b/packages/circuits/tests/twitter.test.ts
index 6253740..d1a524c 100644
--- a/packages/circuits/tests/twitter.test.ts
+++ b/packages/circuits/tests/twitter.test.ts
@@ -60,6 +60,21 @@ describe("Twitter email test", function () {
     twitterVerifierInputs.twitterUsernameIndex = (Number((await twitterVerifierInputs).twitterUsernameIndex) + 1).toString();
 
     expect.assertions(1);
+
+    try {
+      const witness = await circuit.calculateWitness(twitterVerifierInputs);
+      await circuit.checkConstraints(witness);
+    } catch (error) {
+      expect((error as Error).message).toMatch("Assert Failed");
+    }
+  })
+
+  it("should fail if the twitterUsernameIndex is out of bounds", async function () {
+    const twitterVerifierInputs = await generateTwitterVerifierCircuitInputs(rawEmail, ethAddress);
+    twitterVerifierInputs.twitterUsernameIndex = (twitterVerifierInputs.emailBodyLength! + 1).toString();
+
+    expect.assertions(1);
+
     try {
       const witness = await circuit.calculateWitness(twitterVerifierInputs);
       await circuit.checkConstraints(witness);