currency address validation #4

New Issue

9cfa · 2023-03-11T04:13:28Z

9cfa commented

2023-03-11 04:13:28 +00:00

instead of address verification functions consider using regexe for initial address verification + json rpc validateaddress against daemon.

pros;

less code
new address type introduction is easier to handle (ie p2tr on btc)
daemon knows better ??

cons;

more resources used
requires network
dos against all daemon rpc workers

-- can these libraries be trusted to correctly verify addresses in all cases?

instead of address verification functions consider using regexe for initial address verification + json rpc validateaddress against daemon. pros; - less code - new address type introduction is easier to handle (ie p2tr on btc) - daemon knows better ?? cons; - more resources used - requires network - dos against all daemon rpc workers -- can these libraries be trusted to correctly verify addresses in all cases?

mike commented

2023-03-11 08:39:10 +00:00

I chose the current way its coded because of the cons.

no ddos on daemons by checking and generating addresses
the check is done mainly by the python and doesn't bother the whole system
less resources
protection of services (mysql,rpc)

I'd rather not check it with the daemon each time when we can base58 decode it. A regex is not 100% safe, some incorrect addresses can still bypass the regex.

Examples;


    1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v
    3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV
    bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3
    1FjKzw2EnoumgC84JiPyFtjLdtVgnsXtJh
    36yrwCvpZQaTgBh7VQxDG2fC7Vq3r9zC94
    bc1zrq7fypj57vx6szulv6k5z6yxl46hhwl5mn6l26
    
    btc_regex = re.compile(r'^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$')
    result = re.match(btc_regex,address)
    if result != None:
        print(result)
        print("pass")
        
    INFO:     127.0.0.1:53777 - "GET /api/receive?method=xmr&address=86dcTjS54UU4wdXGuf1GEPPk5mWGjSLtAJxyNk1xo2GUSZMxgE2GaxfUrK8zKR2Bu8XqvG7RqDMT4TXiWXNuFXKJB6WrRkU HTTP/1.1" 422 Unprocessable Entity
<re.Match object; span=(0, 34), match='1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v'>
pass
INFO:     127.0.0.1:53866 - "GET /api/receive?method=btc&address=1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v HTTP/1.1" 422 Unprocessable Entity
<re.Match object; span=(0, 34), match='3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV'>
pass
INFO:     127.0.0.1:53888 - "GET /api/receive?method=btc&address=3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV HTTP/1.1" 422 Unprocessable Entity
<re.Match object; span=(0, 42), match='bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3'>
pass
INFO:     127.0.0.1:53896 - "GET /api/receive?method=btc&address=bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3 HTTP/1.1" 422 Unprocessable Entity

I did a regex before but doing a base58 is better, is well, exactly what it needs. Addresses need to return a correct checksum to be validated. Same thing what a daemon does without the daemon.

As you can see in main.py, the network connection to the rpc and to the mysql is done after a lot of checks have been made, that to stop anyone from trying to send us bogus requests.

Also, its the customers responsibility to use a correct address.

If you want to take each byte of the code and read/rewrite it, we'll be done with this in 2030.

I chose the current way its coded because of the cons. - no ddos on daemons by checking and generating addresses - the check is done mainly by the python and doesn't bother the whole system - less resources - protection of services (mysql,rpc) I'd rather not check it with the daemon each time when we can base58 decode it. A regex is not 100% safe, some incorrect addresses can still bypass the regex. Examples; ``` 1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v 3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3 1FjKzw2EnoumgC84JiPyFtjLdtVgnsXtJh 36yrwCvpZQaTgBh7VQxDG2fC7Vq3r9zC94 bc1zrq7fypj57vx6szulv6k5z6yxl46hhwl5mn6l26 btc_regex = re.compile(r'^(bc1|[13])[a-zA-HJ-NP-Z0-9]{25,39}$') result = re.match(btc_regex,address) if result != None: print(result) print("pass") INFO: 127.0.0.1:53777 - "GET /api/receive?method=xmr&address=86dcTjS54UU4wdXGuf1GEPPk5mWGjSLtAJxyNk1xo2GUSZMxgE2GaxfUrK8zKR2Bu8XqvG7RqDMT4TXiWXNuFXKJB6WrRkU HTTP/1.1" 422 Unprocessable Entity <re.Match object; span=(0, 34), match='1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v'> pass INFO: 127.0.0.1:53866 - "GET /api/receive?method=btc&address=1LWwzFiZi6VDZAE6vB8jTpWc6U5f5YdL6v HTTP/1.1" 422 Unprocessable Entity <re.Match object; span=(0, 34), match='3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV'> pass INFO: 127.0.0.1:53888 - "GET /api/receive?method=btc&address=3KZWZ1Tyq4fFfV7Q2FptCtpV1frq9rCwsV HTTP/1.1" 422 Unprocessable Entity <re.Match object; span=(0, 42), match='bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3'> pass INFO: 127.0.0.1:53896 - "GET /api/receive?method=btc&address=bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t3 HTTP/1.1" 422 Unprocessable Entity ``` I did a regex before but doing a base58 is better, is well, exactly what it needs. Addresses need to return a correct checksum to be validated. Same thing what a daemon does without the daemon. As you can see in main.py, the network connection to the rpc and to the mysql is done after a lot of checks have been made, that to stop anyone from trying to send us bogus requests. Also, its the customers responsibility to use a correct address. If you want to take each byte of the code and read/rewrite it, we'll be done with this in 2030.

Sign in to join this conversation.