Skip to content

fix: add hex pattern validation to operator address in definitionSchema#222

Open
aly-obol wants to merge 4 commits into
mainfrom
fix/operator-address-hex-validation
Open

fix: add hex pattern validation to operator address in definitionSchema#222
aly-obol wants to merge 4 commits into
mainfrom
fix/operator-address-hex-validation

Conversation

@aly-obol

@aly-obol aly-obol commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds pattern: '^0x[a-fA-F0-9]{40}$' to operator address in definitionSchema, matching the validation already applied to validator addresses, splitter recipients, and every other address field in the schema.
  • Without this, non-hex strings like 0xGGGG... pass the SDK's AJV validation (only a length check existed via validateUniqueAddresses). The obol-api server-side @IsEthereumAddress() + getAddress() guards catch these before storage, so the practical impact is low.

Test plan

  • Existing tests pass (npm test)
  • Verify that createClusterDefinition with a non-hex operator address (e.g. 0xGGGG...GGGG) now throws a validation error from the SDK before hitting the API

Summary by CodeRabbit

  • Bug Fixes
    • Address validation has been relaxed to permit empty values alongside valid hexadecimal addresses. This change applies to operator and principal recipient address fields, enabling more flexible input handling in applicable workflows.

@aly-obol aly-obol requested a review from a team as a code owner June 10, 2026 20:08
@coderabbitai

coderabbitai Bot commented Jun 10, 2026

Copy link
Copy Markdown
Contributor

Review Change Stack

Warning

Review limit reached

@aly-obol, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 49 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 951af0d3-9a78-47df-9435-39ce1541ed1e

📥 Commits

Reviewing files that changed from the base of the PR and between 491aff0 and b00fc99.

📒 Files selected for processing (1)
  • src/schema.ts
📝 Walkthrough

Walkthrough

This PR relaxes address validation in two exported JSON schemas. The operators and principalSplitRecipients address fields now accept either empty strings or valid 40-character hex addresses, replacing strict hex-only patterns with optional-or-hex alternatives.

Changes

Address Validation Pattern Updates

Layer / File(s) Summary
Address validation pattern updates
src/schema.ts
The regex patterns for operators[*].address in definitionSchema (line 30) and principalSplitRecipients[*].address in ovmTotalSplitPayloadSchema (line 217) are changed from ^0x[a-fA-F0-9]{40}$ to `^(

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • anadi2311

Poem

A hop through the schemas so neat,
Where addresses now can retreat,
To empty or hex with a grin,
The validation lets both values in, 🐰✨
A flexible pattern, complete!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Title check ⚠️ Warning The title mentions 'add hex pattern validation' but the actual changes loosen validation by allowing empty strings alongside hex addresses, which is misleading. Revise the title to accurately reflect the change, such as: 'fix: allow empty or hex-formatted addresses in schema validation' to better represent the loosened validation pattern.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/operator-address-hex-validation

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@aly-obol aly-obol enabled auto-merge June 10, 2026 20:08

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/schema.ts (1)

214-221: ⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

Verify that empty principal split recipient addresses are handled safely downstream and document the business rule.

The pattern now permits empty strings for principalSplitRecipients[*].address, but the field remains required (line 221). This creates similar risks as the operator address change:

  1. Data integrity: Required field accepting empty strings may confuse consumers and differs from optional fields.

  2. Inconsistency: Other split recipient addresses in this file (e.g., rewardSplitRecipients[*].address line 164) require strict hex patterns.

  3. Downstream safety: From context, createValidatorManagerAndTotalSplit validates with ovmTotalSplitPayloadSchema before computing split recipients. Empty addresses may cause contract deployment failures or incorrect splits configuration if not explicitly handled.

  4. Custom validators: Lines 225-226 apply validateOVMRewardsSplitRecipients and validateOVMTotalSplitRecipients. Confirm these validators handle empty addresses correctly.

Add an inline comment explaining when empty principal split recipient addresses are permitted, and ensure downstream split-creation logic validates or handles empty addresses appropriately.

Run the following script to verify validator implementations and downstream usage:

#!/bin/bash
# Description: Check custom validators and principal split recipient address usage

# Check OVM validators for empty-string handling
echo "=== validateOVMTotalSplitRecipients implementation ==="
ast-grep --pattern 'function validateOVMTotalSplitRecipients($$$) { $$$ }'

# Check principal split recipient usage in contract/API code
echo "=== Principal split recipient usage ==="
rg -nC5 --type=ts 'principalSplitRecipients' --glob '!src/schema.ts'
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/schema.ts` around lines 214 - 221, The principal split recipients'
address currently allows empty strings while being required; update the schema
or downstream validators to avoid ambiguous empty required fields: either
tighten the schema pattern for principalSplitRecipients[*].address to match
non-empty 0x-hex like rewardSplitRecipients, or explicitly document via an
inline comment next to the address property when empty string is permitted and
why; then ensure the custom validators validateOVMTotalSplitRecipients and
validateOVMRewardsSplitRecipients (and the ovmTotalSplitPayloadSchema/check in
createValidatorManagerAndTotalSplit) explicitly handle or reject empty addresses
and add a short inline comment referencing this business rule so callers know
whether empty principal addresses are allowed and how they are handled.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/schema.ts`:
- Around line 214-221: The principal split recipients' address currently allows
empty strings while being required; update the schema or downstream validators
to avoid ambiguous empty required fields: either tighten the schema pattern for
principalSplitRecipients[*].address to match non-empty 0x-hex like
rewardSplitRecipients, or explicitly document via an inline comment next to the
address property when empty string is permitted and why; then ensure the custom
validators validateOVMTotalSplitRecipients and validateOVMRewardsSplitRecipients
(and the ovmTotalSplitPayloadSchema/check in
createValidatorManagerAndTotalSplit) explicitly handle or reject empty addresses
and add a short inline comment referencing this business rule so callers know
whether empty principal addresses are allowed and how they are handled.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 6f32fb50-8fb9-4f7f-969c-768b65b7dbd2

📥 Commits

Reviewing files that changed from the base of the PR and between b802a5a and 491aff0.

📒 Files selected for processing (1)
  • src/schema.ts

Comment thread src/schema.ts
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant