🐛 Invalid Link Validation Bypassed in Proposal Creation via UI and API #3715

@kneerose

Area

Proposal Pillar

Domain

Custom setup

Which wallet were you using?

No response

Context

When creating a proposal through the UI, entering an invalid link in the link field correctly displays an error message. However, adding a space or typing and then removing text in the link field causes the error message to disappear, enabling the "Continue" button and allowing progression despite the invalid link. Additionally, the API allows submission of proposals with invalid links (e.g., "invalid") without proper validation, which impacts data integrity in dbsync when the proposal is submitted as a governance action.

Steps to reproduce

  1. Connect a wallet.
  2. Navigate to the proposal creation page.
  3. Fill out all required fields with valid data.
  4. Enter an invalid link (e.g., "invalid") in the link field to trigger the error message.
  5. Add a space to the link text or enter any text and then delete it.
  6. Observe that the error message disappears, and the "Continue" button becomes active, allowing progression.

API Issue

  1. Use the following cURL command to submit a proposal with an invalid link:
curl 'https://z74f91f2d-zb0719f09-gtw.z937eb260.rustrocks.fr/api/proposals' \
  -H 'accept: application/json, text/plain, */*' \
  -H 'accept-language: en,en-GB;q=0.9,en-US;q=0.8' \
  -H 'authorization: Bearer ********************************************' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'origin: https://p80-z78acf3c2-zded6a792-gtw.z937eb260.rustrocks.fr' \
  -H 'pragma: no-cache' \
  -H 'priority: u=1, i' \
  -H 'referer: https://p80-z78acf3c2-zded6a792-gtw.z937eb260.rustrocks.fr/' \
  -H 'sec-ch-ua: "Google Chrome";v="137", "Chromium";v="137", "Not/A)Brand";v="24"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Linux"' \
  -H 'sec-fetch-dest: empty' \
  -H 'sec-fetch-mode: cors' \
  -H 'sec-fetch-site: same-site' \
  -H 'user-agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36' \
  --data-raw '{"data":{"proposal_links":[{"prop_link":"invalid","prop_link_text":" "}],"proposal_withdrawals":[{"prop_receiving_address":null,"prop_amount":null}],"proposal_constitution_content":{},"gov_action_type_id":1,"prop_name":"vv","prop_abstract":"vv","prop_motivation":"vv","prop_rationale":"vv","is_draft":false}}'
  2. Observe that the API accepts the invalid link ("invalid") and creates the proposal without validation errors.
  3. Note that this invalid data affects dbsync when the proposal is submitted as a governance action.

Actual behavior

  • UI: Adding/removing a space or text in the link field with an invalid link removes the error message and enables the "Continue" button, allowing users to proceed with an invalid link.
  • API: The API endpoint /api/proposals accepts proposals with invalid links (e.g., "invalid") without validation, leading to the creation of proposals with incorrect data, which impacts data integrity in dbsync during governance action submission.

The error message appears as expected

Image

But when I add a space or remove the added link text, the error message vanishes, and the continue button is visible

Image

Expected behavior

  • UI: The error message for an invalid link should persist as long as the link remains invalid, regardless of adding/removing spaces or text. The "Continue" button should remain disabled until a valid link (e.g., a properly formatted URL) is provided.
  • API: The API should validate the prop_link field and reject submissions with invalid links, returning an appropriate error response (e.g., 400 Bad Request). Invalid data should not be stored, ensuring data integrity in DBSync for governance actions.
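
One way to implement the server-side check described under "Expected behavior", as an added example that is not part of the original issue or the project's code. The function names, the http(s)-only rule and the error shape are assumptions; the sample payload is constructed from the link fields in the report's cURL command.

```javascript
// Added example; all names are hypothetical, not the project's code.
// Assumption: a valid prop_link is an absolute http(s) URL with a host.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns null when the link is acceptable, otherwise a reason string.
function checkPropLink(raw) {
  if (typeof raw !== "string") return "must be a string";
  // Judge the trimmed value so added or removed spaces cannot change the verdict.
  const value = raw.trim();
  if (value === "") return "must not be empty";
  if (/\s/.test(value)) return "must not contain whitespace";
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(value)) return "must be an absolute URL";
  let url;
  try {
    url = new URL(value);
  } catch {
    return "is not a parseable URL";
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return "must use http or https";
  if (url.hostname === "") return "must include a host";
  if (url.username || url.password) return "must not embed credentials";
  return null;
}

// Validates the link part of the request body shape shown in the cURL command.
// A caller would answer 400 with `errors` when `ok` is false and store nothing.
function validateProposalBody(body) {
  const links = body?.data?.proposal_links;
  const errors = [];
  if (links !== undefined && !Array.isArray(links)) {
    errors.push({ field: "proposal_links", message: "must be an array" });
  } else {
    (links ?? []).forEach((link, i) => {
      const reason = checkPropLink(link?.prop_link);
      if (reason) errors.push({ field: `proposal_links[${i}].prop_link`, message: reason });
    });
  }
  return errors.length ? { ok: false, status: 400, errors } : { ok: true, errors };
}

// Constructed sample: the link fields from the reported payload.
const reported = { data: { proposal_links: [{ prop_link: "invalid", prop_link_text: " " }] } };
console.log(validateProposalBody(reported));
```

Running the same `checkPropLink` on every change of the UI field keeps the client verdict identical to the server's.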
