From cf7cef4293cf1b1a9b393f1030f8c8e648c2975b Mon Sep 17 00:00:00 2001
From: Jeffrey Wilcke <geffobscura@gmail.com>
Date: Fri, 7 Aug 2015 09:52:12 +0200
Subject: xeth: added address hex check and length check

---
 xeth/xeth.go      | 11 +++++++++++
 xeth/xeth_test.go | 26 ++++++++++++++++++++++++++
 2 files changed, 37 insertions(+)
 create mode 100644 xeth/xeth_test.go

diff --git a/xeth/xeth.go b/xeth/xeth.go
index 5d54c1f7e..372068c14 100644
--- a/xeth/xeth.go
+++ b/xeth/xeth.go
@@ -20,8 +20,10 @@ package xeth
 import (
 	"bytes"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"math/big"
+	"regexp"
 	"sync"
 	"time"
 
@@ -45,6 +47,7 @@ var (
 	defaultGasPrice  = big.NewInt(10000000000000) //150000000000
 	defaultGas       = big.NewInt(90000)          //500000
 	dappStorePre     = []byte("dapp-")
+	addrReg          = regexp.MustCompile(`^(0x)?[a-fA-F0-9]{40}$`)
 )
 
 // byte will be inferred
@@ -878,6 +881,10 @@ func (self *XEth) Sign(fromStr, hashStr string, didUnlock bool) (string, error)
 	return common.ToHex(sig), nil
 }
 
+func isAddress(addr string) bool {
+	return addrReg.MatchString(addr)
+}
+
 func (self *XEth) Transact(fromStr, toStr, nonceStr, valueStr, gasStr, gasPriceStr, codeStr string) (string, error) {
 
 	// this minimalistic recoding is enough (works for natspec.js)
@@ -887,6 +894,10 @@ func (self *XEth) Transact(fromStr, toStr, nonceStr, valueStr, gasStr, gasPriceS
 		return "", err
 	}
 
+	if !isAddress(toStr) {
+		return "", errors.New("Invalid address")
+	}
+
 	var (
 		from             = common.HexToAddress(fromStr)
 		to               = common.HexToAddress(toStr)
diff --git a/xeth/xeth_test.go b/xeth/xeth_test.go
new file mode 100644
index 000000000..e649d20ef
--- /dev/null
+++ b/xeth/xeth_test.go
@@ -0,0 +1,26 @@
+package xeth
+
+import "testing"
+
+func TestIsAddress(t *testing.T) {
+	for _, invalid := range []string{
+		"0x00",
+		"0xNN",
+		"0x00000000000000000000000000000000000000NN",
+		"0xAAar000000000000000000000000000000000000",
+	} {
+		if isAddress(invalid) {
+			t.Error("Expected", invalid, "to be invalid")
+		}
+	}
+
+	for _, valid := range []string{
+		"0x0000000000000000000000000000000000000000",
+		"0xAABBbbCCccff9900000000000000000000000000",
+		"AABBbbCCccff9900000000000000000000000000",
+	} {
+		if !isAddress(valid) {
+			t.Error("Expected", valid, "to be valid")
+		}
+	}
+}
-- 
cgit v1.2.3