Do not MERGE : Audit Fixes 10: Insufficient validation of the input URLs

framework/packages/abstract-std/Cargo.toml

@@ -37,6 +37,7 @@ anybuf = { workspace = true }
 
 ## Stringify function names
 function_name = { version = "0.3.0" }
+url = "2.5.4"
 
 [target.'cfg(not(target_arch = "wasm32"))'.dependencies]
 workspace-hack = { version = "0.1", path = "../../workspace-hack" }

framework/packages/abstract-std/src/objects/validation/error.rs

@@ -31,6 +31,9 @@ pub enum ValidationError {
     )]
     LinkContainsDangerousCharacters {},
 
+    #[error("link is not a valid URL according to the url crate. Error: {0}")]
+    LinkInvalidUrl(url::ParseError),
+
     #[error("title/gov-type too short, must be at least {0} characters")]
     TitleInvalidShort(usize),
 

framework/packages/abstract-std/src/objects/validation/verifiers.rs

@@ -1,3 +1,5 @@
+use url::Url;
+
 use super::ValidationError;
 
 pub(crate) const MIN_DESC_LENGTH: usize = 1;
@@ -28,6 +30,8 @@ pub fn validate_link(link: Option<&str>) -> Result<(), ValidationError> {
             Err(ValidationError::LinkInvalidFormat {})
         } else if contains_dangerous_characters(link) {
             Err(ValidationError::LinkContainsDangerousCharacters {})
+        } else if let Err(e) = Url::parse(link) {
+            Err(ValidationError::LinkInvalidUrl(e))
         } else {
             Ok(())
         }
@@ -86,7 +90,8 @@ mod tests {
             case("://example.com"),
             case("example.com"),
             case("https://example.org/path?query=value"),
-            case("https:/example.com")
+            case("https:/example.com"),
+            case("http:///////////")
         )]
         fn invalid(input: &str) {
             assert!(validate_link(Some(input)).is_err());

framework/workspace-hack/Cargo.toml

@@ -66,7 +66,7 @@ serde = { version = "1", features = ["alloc", "derive"] }
 sha2 = { version = "0.10", features = ["oid"] }
 subtle = { version = "2", default-features = false, features = ["i128"] }
 syn-dff4ba8e3ae991db = { package = "syn", version = "1", features = ["extra-traits", "full", "visit", "visit-mut"] }
-syn-f595c2ba2a3f28df = { package = "syn", version = "2", features = ["extra-traits", "full", "visit-mut"] }
+syn-f595c2ba2a3f28df = { package = "syn", version = "2", features = ["extra-traits", "fold", "full", "visit", "visit-mut"] }
 tendermint-proto-d585fab2519d2d1 = { package = "tendermint-proto", version = "0.38" }
 tendermint-proto-f645eb7eb1285ab4 = { package = "tendermint-proto", version = "0.39", features = ["std"] }
 zeroize = { version = "1" }
@@ -98,6 +98,7 @@ either = { version = "1" }
 elliptic-curve = { version = "0.13", default-features = false, features = ["digest", "hazmat", "pem", "serde", "std"] }
 ff = { version = "0.13", default-features = false, features = ["alloc"] }
 flex-error = { version = "0.4", default-features = false, features = ["eyre_tracer"] }
+form_urlencoded = { version = "1" }
 futures = { version = "0.3" }
 futures-channel = { version = "0.3", features = ["sink"] }
 futures-core = { version = "0.3" }
@@ -125,6 +126,7 @@ num-rational = { version = "0.4", features = ["num-bigint-std", "serde"] }
 num-traits = { version = "0.2", features = ["i128", "libm"] }
 once_cell = { version = "1" }
 p256 = { version = "0.13", features = ["serde"] }
+percent-encoding = { version = "2" }
 primeorder = { version = "0.13", default-features = false, features = ["serde"] }
 regex = { version = "1" }
 regex-automata = { version = "0.4", default-features = false, features = ["dfa-onepass", "hybrid", "meta", "nfa", "perf", "unicode"] }
@@ -176,6 +178,7 @@ either = { version = "1" }
 elliptic-curve = { version = "0.13", default-features = false, features = ["digest", "hazmat", "pem", "serde", "std"] }
 ff = { version = "0.13", default-features = false, features = ["alloc"] }
 flex-error = { version = "0.4", default-features = false, features = ["eyre_tracer"] }
+form_urlencoded = { version = "1" }
 futures = { version = "0.3" }
 futures-channel = { version = "0.3", features = ["sink"] }
 futures-core = { version = "0.3" }
@@ -203,6 +206,7 @@ num-rational = { version = "0.4", features = ["num-bigint-std", "serde"] }
 num-traits = { version = "0.2", features = ["i128", "libm"] }
 once_cell = { version = "1" }
 p256 = { version = "0.13", features = ["serde"] }
+percent-encoding = { version = "2" }
 primeorder = { version = "0.13", default-features = false, features = ["serde"] }
 regex = { version = "1" }
 regex-automata = { version = "0.4", default-features = false, features = ["dfa-onepass", "hybrid", "meta", "nfa", "perf", "unicode"] }
@@ -215,7 +219,6 @@ serde_json = { version = "1", features = ["alloc", "raw_value"] }
 signature = { version = "2", default-features = false, features = ["digest", "rand_core", "std"] }
 smallvec = { version = "1", default-features = false, features = ["const_new"] }
 spki = { version = "0.7", default-features = false, features = ["pem", "std"] }
-syn-f595c2ba2a3f28df = { package = "syn", version = "2", default-features = false, features = ["fold", "visit"] }
 tendermint = { version = "0.38", features = ["secp256k1"] }
 time = { version = "0.3", features = ["macros", "parsing"] }
 tokio-stream = { version = "0.1", features = ["net"] }
@@ -253,6 +256,7 @@ either = { version = "1" }
 elliptic-curve = { version = "0.13", default-features = false, features = ["digest", "hazmat", "pem", "serde", "std"] }
 ff = { version = "0.13", default-features = false, features = ["alloc"] }
 flex-error = { version = "0.4", default-features = false, features = ["eyre_tracer"] }
+form_urlencoded = { version = "1" }
 futures = { version = "0.3" }
 futures-channel = { version = "0.3", features = ["sink"] }
 futures-core = { version = "0.3" }
@@ -280,6 +284,7 @@ num-rational = { version = "0.4", features = ["num-bigint-std", "serde"] }
 num-traits = { version = "0.2", features = ["i128", "libm"] }
 once_cell = { version = "1" }
 p256 = { version = "0.13", features = ["serde"] }
+percent-encoding = { version = "2" }
 primeorder = { version = "0.13", default-features = false, features = ["serde"] }
 regex = { version = "1" }
 regex-automata = { version = "0.4", default-features = false, features = ["dfa-onepass", "hybrid", "meta", "nfa", "perf", "unicode"] }
@@ -330,6 +335,7 @@ either = { version = "1" }
 elliptic-curve = { version = "0.13", default-features = false, features = ["digest", "hazmat", "pem", "serde", "std"] }
 ff = { version = "0.13", default-features = false, features = ["alloc"] }
 flex-error = { version = "0.4", default-features = false, features = ["eyre_tracer"] }
+form_urlencoded = { version = "1" }
 futures = { version = "0.3" }
 futures-channel = { version = "0.3", features = ["sink"] }
 futures-core = { version = "0.3" }
@@ -357,6 +363,7 @@ num-rational = { version = "0.4", features = ["num-bigint-std", "serde"] }
 num-traits = { version = "0.2", features = ["i128", "libm"] }
 once_cell = { version = "1" }
 p256 = { version = "0.13", features = ["serde"] }
+percent-encoding = { version = "2" }
 primeorder = { version = "0.13", default-features = false, features = ["serde"] }
 regex = { version = "1" }
 regex-automata = { version = "0.4", default-features = false, features = ["dfa-onepass", "hybrid", "meta", "nfa", "perf", "unicode"] }
@@ -369,7 +376,6 @@ serde_json = { version = "1", features = ["alloc", "raw_value"] }
 signature = { version = "2", default-features = false, features = ["digest", "rand_core", "std"] }
 smallvec = { version = "1", default-features = false, features = ["const_new"] }
 spki = { version = "0.7", default-features = false, features = ["pem", "std"] }
-syn-f595c2ba2a3f28df = { package = "syn", version = "2", default-features = false, features = ["fold", "visit"] }
 tendermint = { version = "0.38", features = ["secp256k1"] }
 time = { version = "0.3", features = ["macros", "parsing"] }
 tokio-stream = { version = "0.1", features = ["net"] }