From: Chris Duncan <chris@zoso.dev>
Date: Sat, 2 Aug 2025 20:15:10 +0000 (-0700)
Subject: Be more specific when validating mnemonic string input.
X-Git-Tag: v0.10.5~47^2~2
X-Git-Url: https://git.codecow.com/?a=commitdiff_plain;h=c2ff4d7a822bf39b41de957cedf4f7c6019d9ba2;p=libnemo.git

Be more specific when validating mnemonic string input.
---

diff --git a/src/lib/wallet.ts b/src/lib/wallet.ts
index ec75759..e50dacc 100644
--- a/src/lib/wallet.ts
+++ b/src/lib/wallet.ts
@@ -111,7 +111,7 @@ export class Wallet {
 			}
 			if (/^(?:[A-F0-9]{64}){1,2}$/i.test(secret)) {
 				data.seed = hex.toBuffer(secret)
-			} else if (/^([a-z]{3,8} ?){12,24}$/i.test(secret)) {
+			} else if (/^([a-z]{3,8} ){11,23}[a-z]{3,8}$/i.test(secret)) {
 				data.mnemonicPhrase = secret.toLowerCase()
 				if (mnemonicSalt != null) data.mnemonicSalt = mnemonicSalt
 			} else {
@@ -461,7 +461,7 @@ export class Wallet {
 			}
 			if (/^(?:[A-F0-9]{64}){1,2}$/i.test(secret)) {
 				data.seed = hex.toBuffer(secret)
-			} else if (/^([a-z]{3,8} ?){12,24}$/i.test(secret)) {
+			} else if (/^([a-z]{3,8} ){11,23}[a-z]{3,8}$/i.test(secret)) {
 				data.mnemonicPhrase = secret.toLowerCase()
 			} else {
 				throw new TypeError('Invalid format')
diff --git a/test/test.create-wallet.mjs b/test/test.create-wallet.mjs
index af4bfcf..cb3c6fe 100644
--- a/test/test.create-wallet.mjs
+++ b/test/test.create-wallet.mjs
@@ -33,7 +33,7 @@ await Promise.all([
 			assert.ok('id' in wallet)
 			assert.ok(/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(wallet.id))
 			assert.ok('mnemonic' in wallet)
-			assert.ok(/^(?:[a-z]{3,} ){11,23}[a-z]{3,}$/.test(wallet.mnemonic ?? ''))
+			assert.ok(/^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/.test(wallet.mnemonic ?? ''))
 			assert.ok('seed' in wallet)
 			assert.ok(/^[A-Fa-f0-9]{128}$/.test(wallet.seed ?? ''))
 
@@ -54,7 +54,7 @@ await Promise.all([
 			assert.ok('id' in wallet)
 			assert.ok(/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(wallet.id))
 			assert.ok('mnemonic' in wallet)
-			assert.ok(/^(?:[a-z]{3,} ){11,23}[a-z]{3,}$/.test(wallet.mnemonic ?? ''))
+			assert.ok(/^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/.test(wallet.mnemonic ?? ''))
 			assert.ok('seed' in wallet)
 			assert.ok(/^[A-Fa-f0-9]{64}$/.test(wallet.seed ?? ''))