Tighten criteria for accepting Shelley or Byron addresses in REST API #3019
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
2 times, most recently
from
97da63f to
a9bf986
Compare
jonathanknowles
approved these changes
Nov 16, 2021
| tryBech32 text = do | ||
| (_, dp) <- either (const Nothing) Just (Bech32.decodeLenient text) | ||
| dataPartToBytes dp | ||
| tryBech32 = fmap CA.unAddress . CA.fromBech32 |
There was a problem hiding this comment.
By following CA.fromBech32 to its definition, I think I have confirmed that fromBech32 does indeed also use Bech32.decodeLenient. However, I just want to check: do we have regression test coverage to warn us if this ever changes?
(I ask, because it's just inside the realm of possibility that someone might change the definition of CA.fromBech32 to use Bech32.decode, rather than its more lenient variant.)
There was a problem hiding this comment.
Hm. I'm not sure if we should check this, for two reasons:
- The address format is standardized in CIP-0019 which lists the
cardano-addressespackage as a reference implementation. So, regardless of howCardano.Address.fromBech32is implemented, it must be correct — by virtue of being a reference. 😅 - Using
Bech32.decodeinstead ofBech32.decodeLenientwould actually not be a regression — as far as the definition and error correcting properties of the Bech32 encoding are concerned. 🙈 (BIP-0173: "A Bech32 string is at most 90 characters long and consists of […]"). Shelley addresses are typically 57 bytes in length (1 byte header + 28 bytes payment part + 28 bytes delegation part), so that would work out. The big exception are pointer addresses which can be arbitrarily long, but of which there are only a handful of instances on mainnet. 🙈
There was a problem hiding this comment.
Oh wait. Even the regular Shelley addresses would not quite fit into the 90 character limit, as 57 bytes = 456 bits = 92.5 * (5 bits), and one character encodes 5 bits.
There was a problem hiding this comment.
I have added a test that covers Shelly addresses with delegation part; these will start to fail if the 90 character limit is enforced. In this way, we are testing functionality while covering the formalities.
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
3 times, most recently
from
db395be to
dace3d1
Compare
|
Thanks for your review, Jonathan! 😊 Will merge unless there are further objections. |
rvl
reviewed
Nov 17, 2021
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
from
dace3d1 to
543e7a7
Compare
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
from
543e7a7 to
217c3cc
Compare
|
bors r+ |
iohk-bors bot
added a commit
that referenced
this pull request
Nov 18, 2021
3019: Tighten criteria for accepting Shelley or Byron addresses in REST API r=HeinrichApfelmus a=HeinrichApfelmus ### Summary It has become established usage that Byron addresses are associated with the Base58 encoding while Shelley addresses are associated with the Bech32 encoding. To catch more user errors, we now enforce this usage more strictly. Specifically, * Base58 encoded addresses are assumed to be Byron addresses and are additionally deserialized to CBOR to check whether they comply with the Byron address binary format. * We no longer accept Base16 encoded addresses. The swagger documentation has already highlighted that only Base58 and Bech32 are accepted. To avoid loss of funds, we strongly recommend to use Shelley addresses and the Bech32 encoding, as this encoding includes error detection and is more robust against misspellings and truncations. Relevant standards: [CIP 19 — Cardano addresses](https://github.com/cardano-foundation/CIPs/tree/master/CIP-0019). ### Comments (EDIT: correction) * Ideally, lay users would only see a single canonical version of every address. Unfortunately, we are not quite there yet, and this PR is only a partial improvement. For example, * Bech32-encoded addresses can represent Byron addresses instead of Shelley addresses. These would be shown in Base58 encoding in the blockchain explorer. * A sequence of bytes which is too long to be a valid Shelley address, but has a header-byte that indicates a Shelley address, may be truncated to the proper size. Put differently, seemingly invalid addresses are mapped to valid ones. Fortunately, the error correction inherent to Bech32 and reserving the Base58 encoding for Byron addresses (implemented in this PR) make this less likely to occur through user mistake. * A general clean up of our address data types would be nice, but is out of scope for this pull request. ### Issue Number ADP-1033, ADP-1280 Co-authored-by: Heinrich Apfelmus <[email protected]>
|
Build failed: I believe this is |
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
2 times, most recently
from
0424900 to
320bc22
Compare
piotr-iohk
reviewed
Nov 18, 2021
| , ( "wildcards", T.unpack wildcardsWalletName, parseErr ) | ||
| , ( "arabic", T.unpack arabicWalletName, encodeErr ) | ||
| , ( "kanji", T.unpack kanjiWalletName, encodeErr ) | ||
| , ( "polish", T.unpack polishWalletName, encodeErr ) | ||
| , ( "[]", "[]", encodeErr ) | ||
| , ( "no address", "", encodeErr2 ) | ||
| , ( "no address", "", encodeErr ) |
There was a problem hiding this comment.
Maybe it would be actually good to add addresses from the issue to that list?
There was a problem hiding this comment.
For reasons of privacy, I suppose that we do not want to add the addresses from the issue. However, I have added a randomly generated Base58 string that is not a valid Byron address.
Strictly speaking, the Bech32 standard defines that the encoded sequence may not be longer than 90 characters — but Shelley addresses can be longer than that. We can cover this case with a test that looks more at functionality and considers addresses with delegation part. Also changes suggested during review and additional tests. Co-authored-by: Jonathan Knowles <[email protected]>
HeinrichApfelmus
force-pushed
the
HeinrichApfelmus/ADP-1033
branch
from
320bc22 to
1461cc3
Compare
|
bors r+ |
|
Build succeeded: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
It has become established usage that Byron addresses are associated with the Base58 encoding while Shelley addresses are associated with the Bech32 encoding.
To catch more user errors, we now enforce this usage more strictly.
Specifically,
To avoid loss of funds, we strongly recommend to use Shelley addresses and the Bech32 encoding, as this encoding includes error detection and is more robust against misspellings and truncations.
Relevant standards: CIP 19 — Cardano addresses.
Comments
(EDIT: correction)
Issue Number
ADP-1033, ADP-1280