tahowallet/extension

Input validation is broken for read-only address onboarding page

beemeeupnow opened this issue · 0 comments

Discord Discussion Link

No response

What browsers are you seeing the problem on?

Chrome

What were you trying to do?

I was doing some testing and randomly performed what you might call manual fuzzing in the address field while on the read-only address onboarding page.

During this time, I managed to discover that values 42 characters long appeared to resolve and allowed continuing forward.

What did not work?

We are allowing 'asdfghjklgfsasdfaassfweofaacvvefadf.crypto' (or 'asdfghjklgfsasdfaassfweofaacvvefadf.wallet')

When I looked for that particular domain on the Unstoppable Domains site, it is not registered at all.

That made me realize that it must not actually come from domain resolution, but instead is being processed improperly.

I confirmed it by checking with a string of 42 period characters, which is also allowed: '..........................................'

Version

v0.52.0

Relevant log output

No response
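The defect class this report describes, as an added illustration that is not code from tahowallet/extension: a length-only test admits 42 dots or any other 42-character string, whereas a shape check for hex addresses plus mandatory resolution for name candidates rejects both examples above. All function names and the `lookup` resolver stand-in are assumptions.

```javascript
// Added illustration; not code from tahowallet/extension. All names here are hypothetical.
// A hex Ethereum address is exactly "0x" followed by 40 hex digits (42 characters total).
const HEX_ADDRESS = /^0x[0-9a-fA-F]{40}$/;
// Name candidates: dot-separated labels ending in one of the suffixes the report mentions.
const NAME_CANDIDATE = /^[a-z0-9-]+(\.[a-z0-9-]+)*\.(crypto|wallet)$/;

// The defect class in the report: a length test alone accepts 42 dots or any other 42-char junk.
function looksLikeAddressByLength(input) {
  return input.length === 42;
}

// Hardened classification. Returns 'address' only for the exact hex shape, 'name' only for a
// syntactically plausible name (which still has to resolve), and 'invalid' otherwise.
function classifyInput(input) {
  const value = input.trim();
  if (HEX_ADDRESS.test(value)) return { kind: 'address', value: value.toLowerCase() };
  const lower = value.toLowerCase();
  if (NAME_CANDIDATE.test(lower)) return { kind: 'name', value: lower };
  return { kind: 'invalid', value };
}

// Gate for "continue". `lookup(name)` stands in for the real resolver (assumed here to be a
// synchronous function returning a hex address string, or null when the name is unregistered).
function decideContinue(input, lookup) {
  const c = classifyInput(input);
  if (c.kind === 'address') return { allow: true, address: c.value };
  if (c.kind === 'name') {
    const resolved = lookup(c.value);
    // The resolver's answer is checked too: it must itself be a well-formed address.
    if (typeof resolved === 'string' && HEX_ADDRESS.test(resolved)) {
      return { allow: true, address: resolved.toLowerCase() };
    }
  }
  return { allow: false, address: null };
}

// Constructed sample inputs: the two strings from the report and a well-formed address.
const DOTS_42 = '.'.repeat(42);
const UNREGISTERED_NAME = 'asdfghjklgfsasdfaassfweofaacvvefadf.crypto';
const SAMPLE_ADDRESS = '0x' + 'ab'.repeat(20);

// Constructed resolver: knows a single name, everything else is treated as unregistered.
function fakeLookup(name) {
  return name === 'example.crypto' ? SAMPLE_ADDRESS : null;
}
```

With this gate, the 42-dot string is rejected before resolution is even attempted, and the unregistered `.crypto` name is rejected because the resolver returns nothing for it.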