fix(sdk-core): coins specific message sign validate

evanzbitgo · evanzbitgo · commit 14ac60ea3484 · 2025-08-09T11:17:39.000-07:00
SC-2419 TICKET: SC-2419
diff --git a/modules/account-lib/src/index.ts b/modules/account-lib/src/index.ts
@@ -431,6 +431,10 @@ export async function verifyMessage(
     const messageBuilder = messageBuilderFactory.getMessageBuilder(messageStandardType);
     messageBuilder.setPayload(messageRaw);
     const message = await messageBuilder.build();
+    const isValidRawMessage = message.verifyRawMessage(messageRaw);
+    if (!isValidRawMessage) {
+      return false;
+    }
     const isValidMessageEncoded = await message.verifyEncodedPayload(messageEncoded, metadata);
     if (!isValidMessageEncoded) {
       return false;
diff --git a/modules/account-lib/test/unit/verifyMessage.ts b/modules/account-lib/test/unit/verifyMessage.ts
@@ -53,6 +53,20 @@ describe('verifyMessage', () => {
       );
       should.equal(result, false);
     });
+
+    it('should return false if encoded payload verification fails', async () => {
+      const coinName = 'eth';
+      const messageRaw = testnetMessageRaw;
+      const invalidEncodedHex = '0123456789abcdef'; // Invalid encoded payload
+
+      const result = await accountLib.verifyMessage(
+        coinName,
+        messageRaw,
+        invalidEncodedHex,
+        MessageStandardType.EIP191,
+      );
+      should.equal(result, false);
+    });
   });
 
   describe('CIP8 Message', function () {
@@ -86,5 +100,26 @@ describe('verifyMessage', () => {
       );
       should.equal(result, true);
     });
+
+    it('should return false when raw message validation fails for ADA', async () => {
+      const coinName = 'ada';
+      const invalidMessageRaw = 'Invalid ADA message format';
+      cip8MessageBuilder.setPayload(testnetMessageRaw);
+      cip8MessageBuilder.addSigner(adaTestnetOriginAddress);
+      const message = await cip8MessageBuilder.build();
+      const messageEncodedHex = (await message.getSignablePayload()).toString('hex');
+
+      const metadata = {
+        signers: [adaTestnetOriginAddress],
+      };
+      const result = await accountLib.verifyMessage(
+        coinName,
+        invalidMessageRaw,
+        messageEncodedHex,
+        MessageStandardType.CIP8,
+        metadata,
+      );
+      should.equal(result, false);
+    });
   });
 });
diff --git a/modules/sdk-coin-ada/src/lib/messages/cip8/cip8Message.ts b/modules/sdk-coin-ada/src/lib/messages/cip8/cip8Message.ts
@@ -86,6 +86,27 @@ export class Cip8Message extends BaseMessage {
     return signablePayloadHex === messageEncodedHex;
   }
 
+  /**
+   * Verifies whether a raw message meets CIP-8 specific requirements for Midnight Glacier Drop claims
+   * Only allows messages that match the exact Midnight Glacier Drop claim format
+   * @param rawMessage The raw message content to verify as a string
+   * @returns True if the raw message matches the expected Midnight Glacier Drop claim format, false otherwise
+   * @example
+   * ```typescript
+   * // Valid format: "STAR 100 to addr1abc123... 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b"
+   * const message = await builder.build();
+   * const isValid = message.verifyRawMessage("STAR 100 to addr1xyz... 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b");
+   * // Returns true only for properly formatted Midnight Glacier Drop claims
+   * ```
+   */
+  verifyRawMessage(rawMessage: string): boolean {
+    const MIDNIGHT_TNC_HASH = '31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+    const MIDNIGHT_GLACIER_DROP_CLAIM_MESSAGE_TEMPLATE = `STAR \\d+ to addr(?:1|_test1)[a-z0-9]{50,} ${MIDNIGHT_TNC_HASH}`;
+
+    const regex = new RegExp(`^${MIDNIGHT_GLACIER_DROP_CLAIM_MESSAGE_TEMPLATE}$`, 's');
+    return regex.test(rawMessage);
+  }
+
   /**
    * Validates required fields and returns common setup objects
    * @private
diff --git a/modules/sdk-coin-ada/test/resources/cip8Resources.ts b/modules/sdk-coin-ada/test/resources/cip8Resources.ts
@@ -45,4 +45,33 @@ export const cip8TestResources = {
   signablePayloads: {
     simple: 'a0', // Example CBOR hex for simple message (will be replaced with actual values)
   },
+
+  // Midnight Glacier Drop claim message test data
+  midnightGlacierDrop: {
+    validMessages: {
+      mainnet:
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+      testnet:
+        'STAR 250 to addr_test1qpxecfjurjtcnalwy6gxcqzp09je55gvfv79hghqst8p7p6dnsn9c8yh38m7uf5sdsqyz7t9nfgscjeutw3wpqkwrursutfm7h 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+    },
+    invalidMessages: {
+      missingStarPrefix:
+        '100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+      invalidNumber:
+        'STAR abc to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+      invalidAddress: 'STAR 100 to invalid_address 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+      shortAddress: 'STAR 100 to addr1short 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+      wrongHash:
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an wronghashhere',
+      missingHash:
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an',
+      extraContent:
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b extra content',
+      caseSensitive:
+        'star 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+    },
+    tnc: {
+      hash: '31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b',
+    },
+  },
 };
diff --git a/modules/sdk-coin-ada/test/unit/messages/cip8/cip8Message.ts b/modules/sdk-coin-ada/test/unit/messages/cip8/cip8Message.ts
@@ -154,4 +154,111 @@ describe('Cip8Message', function () {
       should.throws(() => message.getBroadcastableSignatures(), /Payload is required to build a CIP8 message/);
     });
   });
+
+  describe('verifyRawMessage', function () {
+    it('should return true for valid Midnight Glacier Drop claim message', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const validMessage =
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(validMessage);
+      result.should.be.true();
+    });
+
+    it('should return true for valid Midnight Glacier Drop claim message with testnet address', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const validTestnetMessage =
+        'STAR 250 to addr_test1qpxecfjurjtcnalwy6gxcqzp09je55gvfv79hghqst8p7p6dnsn9c8yh38m7uf5sdsqyz7t9nfgscjeutw3wpqkwrursutfm7h 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(validTestnetMessage);
+      result.should.be.true();
+    });
+
+    it('should return false for message without STAR prefix', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        '100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with invalid number format', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        'STAR abc to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with invalid address format', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        'STAR 100 to invalid_address 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with short address', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage = 'STAR 100 to addr1short 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with wrong TnC hash', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an wronghashhere';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with missing TnC hash', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for message with extra content', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const invalidMessage =
+        'STAR 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b extra content';
+
+      const result = message.verifyRawMessage(invalidMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for empty message', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const emptyMessage = '';
+
+      const result = message.verifyRawMessage(emptyMessage);
+      result.should.be.false();
+    });
+
+    it('should return false for completely different message format', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const differentMessage = 'Hello, this is a regular message';
+
+      const result = message.verifyRawMessage(differentMessage);
+      result.should.be.false();
+    });
+
+    it('should handle case sensitivity correctly', function () {
+      const message = new Cip8Message(createDefaultMessageOptions());
+      const caseInsensitiveMessage =
+        'star 100 to addr1qxy2lshz9na88lslkj8gzd0y7t9h8j7jr0sgg30qnrylvfx4u2hwvqalq5fj9vmhxf06jgz0zt2j2qxjmzwf3rhqzqsehw0an 31a6bab50a84b8439adcfb786bb2020f6807e6e8fda629b424110fc7bb1c6b8b';
+
+      const result = message.verifyRawMessage(caseInsensitiveMessage);
+      result.should.be.false(); // Should be case sensitive
+    });
+  });
 });
diff --git a/modules/sdk-core/src/account-lib/baseCoin/messages/baseMessage.ts b/modules/sdk-core/src/account-lib/baseCoin/messages/baseMessage.ts
@@ -180,4 +180,20 @@ export abstract class BaseMessage implements IMessage {
     }
     return signablePayloadHex === messageEncodedHex;
   }
+
+  /**
+   * Verifies whether a raw message payload meets coin-specific format requirements
+   * Base implementation accepts all messages - subclasses should override for specific validation
+   * @param rawMessage The raw message content to verify as a string
+   * @returns True if the raw message is valid and can be safely processed, false otherwise
+   * @example
+   * ```typescript
+   * // Base implementation always returns true - allows any message format
+   * const isValid = message.verifyRawMessage("Any message content");
+   * // Specific coin implementations override this for format validation
+   * ```
+   */
+  verifyRawMessage(rawMessage: string): boolean {
+    return true;
+  }
 }
diff --git a/modules/sdk-core/src/account-lib/baseCoin/messages/iface.ts b/modules/sdk-core/src/account-lib/baseCoin/messages/iface.ts
@@ -82,6 +82,20 @@ export interface IMessage {
    * @returns A Promise resolving to true if the message is valid, false otherwise
    */
   verifyEncodedPayload(messageEncodedHex: string, metadata?: Record<string, unknown>): Promise<boolean>;
+
+  /**
+   * Verifies whether a raw message payload meets coin-specific format requirements
+   * This method performs validation on the raw message content before signing
+   * @param rawMessage The raw message content to verify as a string
+   * @returns True if the raw message is valid and can be safely processed, false otherwise
+   * @example
+   * ```typescript
+   * const message = await builder.build();
+   * const isValid = message.verifyRawMessage("Hello World");
+   * // Returns true for most coins, false for coins with strict format requirements
+   * ```
+   */
+  verifyRawMessage(rawMessage: string): boolean;
 }
 
 /**
