fix: guard against primitive values in contract router tree traversal

jameskranz · claude · jameskranz · commit 9167d2b25f56 · 2026-04-03T11:32:00.000-07:00
Apply the same primitive type guards to enhanceContractRouter,
minifyContractRouter, and populateContractRouterPaths in the contract
package. These functions have the same infinite recursion vulnerability
when router modules export string values alongside contract procedures.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/packages/contract/src/router-utils.test.ts b/packages/contract/src/router-utils.test.ts
@@ -74,6 +74,80 @@ it('minifyContractRouter', () => {
   expect((minified as any).nested.pong).toEqual(minifiedPong)
 })
 
+describe('enhanceContractRouter with primitive values', () => {
+  const options = { errorMap: {}, prefix: '/test', tags: ['test'] } as const
+
+  it('handles string values without infinite recursion', () => {
+    const routerWithString = { ping, SOME_CONSTANT: 'hello' } as any
+    const enhanced = enhanceContractRouter(routerWithString, options)
+    expect(isContractProcedure(enhanced.ping)).toBe(true)
+  })
+
+  it('handles single-character string without infinite recursion', () => {
+    const routerWithChar = { ping, FLAG: 'x' } as any
+    const enhanced = enhanceContractRouter(routerWithChar, options)
+    expect(isContractProcedure(enhanced.ping)).toBe(true)
+  })
+
+  it('handles number values without infinite recursion', () => {
+    const routerWithNumber = { ping, VERSION: 42 } as any
+    const enhanced = enhanceContractRouter(routerWithNumber, options)
+    expect(isContractProcedure(enhanced.ping)).toBe(true)
+  })
+
+  it('handles boolean values without infinite recursion', () => {
+    const routerWithBool = { ping, ENABLED: true } as any
+    const enhanced = enhanceContractRouter(routerWithBool, options)
+    expect(isContractProcedure(enhanced.ping)).toBe(true)
+  })
+
+  it('handles null and undefined values without infinite recursion', () => {
+    const routerWithNullish = { ping, NIL: null, UNDEF: undefined } as any
+    const enhanced = enhanceContractRouter(routerWithNullish, options)
+    expect(isContractProcedure(enhanced.ping)).toBe(true)
+  })
+})
+
+describe('minifyContractRouter with primitive values', () => {
+  it('handles string values without infinite recursion', () => {
+    const routerWithString = { ping, LABEL: 'hello' } as any
+    const minified = minifyContractRouter(routerWithString)
+    expect(isContractProcedure((minified as any).ping)).toBe(true)
+  })
+
+  it('handles single-character string without infinite recursion', () => {
+    const routerWithChar = { ping, FLAG: 'x' } as any
+    const minified = minifyContractRouter(routerWithChar)
+    expect(isContractProcedure((minified as any).ping)).toBe(true)
+  })
+
+  it('handles number values without infinite recursion', () => {
+    const routerWithNumber = { ping, VERSION: 42 } as any
+    const minified = minifyContractRouter(routerWithNumber)
+    expect(isContractProcedure((minified as any).ping)).toBe(true)
+  })
+})
+
+describe('populateContractRouterPaths with primitive values', () => {
+  it('handles string values without infinite recursion', () => {
+    const routerWithString = { ping: oc.input(inputSchema), LABEL: 'hello' } as any
+    const populated = populateContractRouterPaths(routerWithString)
+    expect(isContractProcedure(populated.ping)).toBe(true)
+  })
+
+  it('handles single-character string without infinite recursion', () => {
+    const routerWithChar = { ping: oc.input(inputSchema), FLAG: 'x' } as any
+    const populated = populateContractRouterPaths(routerWithChar)
+    expect(isContractProcedure(populated.ping)).toBe(true)
+  })
+
+  it('handles number values without infinite recursion', () => {
+    const routerWithNumber = { ping: oc.input(inputSchema), VERSION: 42 } as any
+    const populated = populateContractRouterPaths(routerWithNumber)
+    expect(isContractProcedure(populated.ping)).toBe(true)
+  })
+})
+
 it('populateContractRouterPaths', () => {
   const contract = {
     ping: oc.input(inputSchema),
diff --git a/packages/contract/src/router-utils.ts b/packages/contract/src/router-utils.ts
@@ -53,6 +53,10 @@ export function enhanceContractRouter<T extends AnyContractRouter, TErrorMap ext
     return enhanced as any
   }
 
+  if (typeof router !== 'object' || router === null) {
+    return router as any
+  }
+
   const enhanced: Record<string, any> = {}
 
   for (const key in router) {
@@ -83,6 +87,10 @@ export function minifyContractRouter(router: AnyContractRouter): AnyContractRout
     return procedure
   }
 
+  if (typeof router !== 'object' || router === null) {
+    return router as any
+  }
+
   const json: Record<string, AnyContractRouter> = {}
 
   for (const key in router) {
@@ -128,6 +136,10 @@ export function populateContractRouterPaths<T extends AnyContractRouter>(router:
     return router as any
   }
 
+  if (typeof router !== 'object' || router === null) {
+    return router as any
+  }
+
   const populated: Record<string, any> = {}
 
   for (const key in router) {
