fix(satp-hermes): remove inverted condition bypassing Stage 3 commonBodyVerifier#4
Open
(force-pushed 3e9b3a1 to 7b970e7)
Signed-off-by: Rahul Tripathi <rahul@Rahuls-Mac-mini.local>
(force-pushed a348ac8 to d6e7058)
Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>

fix(satp-hermes): fix getOAS

Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>

chore: update supported ledgers

Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>
Signed-off-by: Rafael Belchior <rafael.belchior@tecnico.ulisboa.pt>
…acti#4150)

Replaced vulnerable `pull_request_target` with `pull_request`. Wrapped `echo` arguments in quotes to guard against command injections.

Signed-off-by: VRamakrishna <vramakr2@in.ibm.com>
Replace Promise.all with Promise.allSettled so a single plugin failure during shutdown does not abort HTTP/gRPC server cleanup. Log the plugin instance ID when a shutdown failure occurs.

Fixes hyperledger-cacti#4160

Signed-off-by: mn-ram <235066282+mn-ram@users.noreply.github.com>
Signed-off-by: Dev10-sys <kalpanagola9897@gmail.com>
Consolidates 10 recent dependabot PRs (hyperledger-cacti#4228, hyperledger-cacti#4225, hyperledger-cacti#4224, hyperledger-cacti#4220, hyperledger-cacti#4219, hyperledger-cacti#4218, hyperledger-cacti#4217, hyperledger-cacti#4214, hyperledger-cacti#4213, hyperledger-cacti#4210) into a single update.

| Package | From | To |
| --- | --- | --- |
| [@angular/compiler](https://github.com/angular/angular) | 17.3.11 | 19.2.20 |
| [@angular/core](https://github.com/angular/angular) | 17.3.11 | 19.2.20 |
| [ajv](https://github.com/ajv-validator/ajv) | 8.17.1 | 8.18.0 |
| [axios](https://github.com/axios/axios) | 1.13.4 | 1.15.0 |
| [basic-ftp](https://github.com/patrickjuchli/basic-ftp) | 5.1.0 | 5.2.2 |
| [diff](https://github.com/kpdecker/jsdiff) | - | (updated) |
| [dompurify](https://github.com/cure53/DOMPurify) | 3.3.1 | 3.3.3 |
| [fastify](https://github.com/fastify/fastify) | 4.28.1 | 5.8.3 |
| [flatted](https://github.com/WebReflection/flatted) | 3.3.3 | 3.4.2 |
| [immutable](https://github.com/immutable-js/immutable-js) | 4.3.7 | 4.3.8 |
| [lodash](https://github.com/lodash/lodash) | 4.17.23 | 4.18.1 |
| [markdown-it](https://github.com/markdown-it/markdown-it) | 14.1.0 | 14.1.1 |
| [multer](https://github.com/expressjs/multer) | 1.4.5-lts.1 | 2.1.1 |
| [picomatch](https://github.com/micromatch/picomatch) | - | (updated) |
| [qs](https://github.com/ljharb/qs) | 6.13.0 | 6.14.2 |
| [rollup](https://github.com/rollup/rollup) | 2.79.2 | 2.80.0 |
| [simple-git](https://github.com/steveukx/git-js) | 3.19.1 | 3.32.3 |
| [sjcl](https://github.com/bitwiseshiftleft/sjcl) | 1.0.8 | 1.0.9 |
| [undici](https://github.com/nodejs/undici) | 7.8.0 | 7.24.0 |
| [webpack](https://github.com/webpack/webpack) | 5.94.0 | 5.104.1 |
| [yaml](https://github.com/eemeli/yaml) | 1.10.2 | 1.10.3 |

All dependency updates from April 10-13, 2026 are included in this single commit.

Supersedes PRs: hyperledger-cacti#4228, hyperledger-cacti#4225, hyperledger-cacti#4224, hyperledger-cacti#4220, hyperledger-cacti#4219, hyperledger-cacti#4218, hyperledger-cacti#4217, hyperledger-cacti#4214, hyperledger-cacti#4213, hyperledger-cacti#4210

Signed-off-by: Sandeep Nishad <sandeepn.official@gmail.com>
- Add pre-check step to display commit messages with line numbers and character counts
- Fix config file reference from commitlint.config.mjs to commitlint.config.js
- Add verbose logging and proper error handling
- Fix shellcheck issues (use -r flag with read, proper variable quoting)
- Increase header-max-length from 72 to 80 characters
- Increase body-max-line-length from 80 to 102 characters
- Increase footer-max-line-length from 80 to 102 characters

This helps identify exactly which lines violate the character limits and provides more flexibility for detailed commit messages.

Signed-off-by: Sandeep Nishad <sandeepn.official@gmail.com>
(force-pushed d6e7058 to 418e97e)
The mintAsset, burnAsset, and assignAsset methods in Stage 3 services were calling persistLogEntry() and storeProof() without await, causing fire-and-forget promises that lead to unhandled rejections, silent proof loss, and potential duplicate blockchain transactions on crash recovery.

Also fix the inverted condition in stage3ServerService that was bypassing commonBodyVerifier on every real request. The three server-side validation functions (checkCommitPreparationRequest, checkCommitFinalAssertionRequest, checkTransferCompleteRequest) wrapped the commonBodyVerifier call inside if (request.common == undefined), so all Stage 3 protocol checks (version, sequence number, session id, gateway pubkeys, hash chain integrity, message type) were skipped before critical blockchain operations. Aligns stage3-server-service with the other stage services that call commonBodyVerifier unconditionally.

Fixes hyperledger-cacti#4167

Signed-off-by: mn-ram <235066282+mn-ram@users.noreply.github.com>
(force-pushed 418e97e to a264e78)
Summary
- Remove the `if (request.common == undefined)` guard that was silently skipping all `commonBodyVerifier` protocol checks in Stage 3 server-side validation
- Align `stage3-server-service.ts` with every other stage service that calls `commonBodyVerifier` unconditionally
- Fixes #3
Changes
Three functions in `stage3-server-service.ts` had `commonBodyVerifier` wrapped inside `if (request.common == undefined)`, causing validation to be skipped on every real request:

- `checkCommitPreparationRequest` (before `mintAsset`)
- `checkCommitFinalAssertionRequest` (before `assignAsset`)
- `checkTransferCompleteRequest` (before transfer completion)

Removed the wrapping condition so validation runs unconditionally, matching stage1-server, stage2-server, and all client services.
Test plan
- Requests carrying a `common` body are now validated
- Requests missing the `common` body still throw `SatpCommonBodyError`
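As an added illustration (not code from this PR or from the satp-hermes code base), the reduced TypeScript model below places the inverted Stage 3 guard beside the corrected one so the bypass can be exercised directly. The names `commonBodyVerifier`, `SatpCommonBodyError` and `request.common` follow the PR description; the set of checked fields and the verifier's comparison logic are simplified assumptions.

```typescript
// Added example, not the project's code. The verifier below is a simplified
// stand-in for satp-hermes' commonBodyVerifier; the field set is an assumption.
export interface CommonBody {
  version: string;
  sessionId: string;
  sequenceNumber: number;
  messageType: string;
}

export interface Stage3Request {
  common?: CommonBody;
}

export class SatpCommonBodyError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "SatpCommonBodyError";
  }
}

// Throws when the body is absent or any protocol field disagrees with the
// session state the server expects for this message.
export function commonBodyVerifier(common: CommonBody | undefined, expected: CommonBody): void {
  if (common === undefined) throw new SatpCommonBodyError("common body is missing");
  for (const key of Object.keys(expected) as (keyof CommonBody)[]) {
    if (common[key] !== expected[key]) {
      throw new SatpCommonBodyError(`${key} mismatch: got ${String(common[key])}`);
    }
  }
}

// BEFORE the fix: the verifier is only reached when `common` is undefined,
// so a request that carries a body, tampered or not, is never checked.
export function checkCommitPreparationRequestBuggy(request: Stage3Request, expected: CommonBody): boolean {
  if (request.common == undefined) {
    commonBodyVerifier(request.common, expected);
  }
  return true; // caller would proceed to mintAsset
}

// AFTER the fix: the verifier runs unconditionally, as in the other stages.
export function checkCommitPreparationRequestFixed(request: Stage3Request, expected: CommonBody): boolean {
  commonBodyVerifier(request.common, expected);
  return true;
}

// Test helper: does `check` reject with SatpCommonBodyError?
export function rejectsCommonBody(check: () => unknown): boolean {
  try { check(); return false; } catch (e) { return e instanceof SatpCommonBodyError; }
}
```

Running the buggy check against a request whose sequence number disagrees with the session shows it accepted, while the fixed check throws; a request with no `common` body is rejected by both, which is why the bug never surfaced in the missing-body case.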