From c2ff4d7a822bf39b41de957cedf4f7c6019d9ba2 Mon Sep 17 00:00:00 2001
From: Chris Duncan <chris@zoso.dev>
Date: Sat, 2 Aug 2025 13:15:10 -0700
Subject: [PATCH] Be more specific when validating mnemonic string input.

---
 src/lib/wallet.ts           | 4 ++--
 test/test.create-wallet.mjs | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/lib/wallet.ts b/src/lib/wallet.ts
index ec75759..e50dacc 100644
--- a/src/lib/wallet.ts
+++ b/src/lib/wallet.ts
@@ -111,7 +111,7 @@ export class Wallet {
 			}
 			if (/^(?:[A-F0-9]{64}){1,2}$/i.test(secret)) {
 				data.seed = hex.toBuffer(secret)
-			} else if (/^([a-z]{3,8} ?){12,24}$/i.test(secret)) {
+			} else if (/^([a-z]{3,8} ){11,23}[a-z]{3,8}$/i.test(secret)) {
 				data.mnemonicPhrase = secret.toLowerCase()
 				if (mnemonicSalt != null) data.mnemonicSalt = mnemonicSalt
 			} else {
@@ -461,7 +461,7 @@ export class Wallet {
 			}
 			if (/^(?:[A-F0-9]{64}){1,2}$/i.test(secret)) {
 				data.seed = hex.toBuffer(secret)
-			} else if (/^([a-z]{3,8} ?){12,24}$/i.test(secret)) {
+			} else if (/^([a-z]{3,8} ){11,23}[a-z]{3,8}$/i.test(secret)) {
 				data.mnemonicPhrase = secret.toLowerCase()
 			} else {
 				throw new TypeError('Invalid format')
diff --git a/test/test.create-wallet.mjs b/test/test.create-wallet.mjs
index af4bfcf..cb3c6fe 100644
--- a/test/test.create-wallet.mjs
+++ b/test/test.create-wallet.mjs
@@ -33,7 +33,7 @@ await Promise.all([
 			assert.ok('id' in wallet)
 			assert.ok(/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(wallet.id))
 			assert.ok('mnemonic' in wallet)
-			assert.ok(/^(?:[a-z]{3,} ){11,23}[a-z]{3,}$/.test(wallet.mnemonic ?? ''))
+			assert.ok(/^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/.test(wallet.mnemonic ?? ''))
 			assert.ok('seed' in wallet)
 			assert.ok(/^[A-Fa-f0-9]{128}$/.test(wallet.seed ?? ''))
 
@@ -54,7 +54,7 @@ await Promise.all([
 			assert.ok('id' in wallet)
 			assert.ok(/^[a-f0-9]{8}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{4}-[a-f0-9]{12}$/i.test(wallet.id))
 			assert.ok('mnemonic' in wallet)
-			assert.ok(/^(?:[a-z]{3,} ){11,23}[a-z]{3,}$/.test(wallet.mnemonic ?? ''))
+			assert.ok(/^(?:[a-z]{3,8} ){11,23}[a-z]{3,8}$/.test(wallet.mnemonic ?? ''))
 			assert.ok('seed' in wallet)
 			assert.ok(/^[A-Fa-f0-9]{64}$/.test(wallet.seed ?? ''))
 
-- 
2.47.3