From ff410c0bda6f1f2b0816ed09e738281bd83274e0 Mon Sep 17 00:00:00 2001 From: memosr Date: Sat, 6 Jun 2026 09:49:55 +0300 Subject: [PATCH] fix(security): enforce HTTPS for rpcUrl in validation config schema The README at line 169 documents rpcUrl as an "HTTPS RPC endpoint", but the Zod schema at src/lib/config-schemas.ts:78 used z.string().url() which accepts http://, ws://, and wss:// without complaint. For a governance signing tool that simulates state diffs over the provided RPC, an HTTP endpoint allows a network-positioned attacker to MITM the simulation response. Signers would see and approve a hash derived from attacker-supplied state, while the actual chain state remains untouched until the malicious transaction lands. Added a .refine() check that enforces the https:// scheme. The error message echoes the offending URL so operators get immediate, actionable feedback rather than a generic "invalid config" failure. The existing z.string().url() check is preserved so malformed URLs are still rejected with the standard Zod error. --- src/lib/config-schemas.ts | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/lib/config-schemas.ts b/src/lib/config-schemas.ts index 116bc59..92f91c3 100644 --- a/src/lib/config-schemas.ts +++ b/src/lib/config-schemas.ts @@ -75,7 +75,10 @@ export const TaskOriginValidationConfigSchema = z.object({ export const TaskConfigSchema = z.object({ cmd: z.string(), ledgerId: z.number().int().nonnegative(), - rpcUrl: z.string().url().min(1), + rpcUrl: z.string().url().min(1).refine( + (val) => val.startsWith('https://'), + (val) => ({ message: `rpcUrl must use HTTPS (got: ${val})` }) + ), expectedDomainAndMessageHashes: ExpectedHashesSchema, stateOverrides: z.array(StateOverrideSchema), stateChanges: z.array(StateChangeSchema),