chore(release): merge release/4.4.0 to main #1949
Merged
* update soroban-sdk to version 26.0.0
### Description

update soroban-sdk to version 26.0.0

### Testing

`cd soroban && cargo test`

### Documentation

N/A

### Known limitations

N/A

### Description

Adds Gateway API (`Gateway` + `HTTPRoute`) support to all three Anchor Platform helm charts.

### Context

Gateway Migration

### Testing

- `./gradlew test`
- `helm lint` passes for all three charts.
- `helm template` with default: Ingress still emitted, no Gateway/HTTPRoute.
- `helm template` with Gateway API enabled: renders match the shape in `stellar/kube`.
- Server-side dry-run not available locally

### Documentation

N/A

### Known limitations

N/A

#1940)

### Description

- adds an `httpRoute.responseHeaders` values block that emits a Gateway API filter to set security response headers
- Explicit `namespace` + `sectionName` on `parentRefs` when using the chart-managed Gateway

### Context

The first migration PR dropped the existing `ingress.responseHeaders` block. Adding `namespace` + `sectionName` on `parentRefs` is purely a consistency fix to match the established Gateway API pattern.

### Testing

- `helm lint` passes for all three charts.
- `helm template` with Gateway API enabled.

### Documentation

N/A

### Known limitations

N/A
…d allows cross-customer KYC disclosure and payout destination overwrite (#1946)

### Description

Before this change, `Sep12Service.validateGetOrPutRequest` enforced authorization on `request.account` and `request.memo` only. When a caller supplied `request.id` without `account`, the account check short-circuited entirely, allowing any valid SEP-10 session to `GET` or `PUT` any customer record by its `id` — regardless of who created it. The `id` was forwarded unmodified to the business-server callback, so any conforming business server would act on it.

The fix introduces a `sep12_customer_ownership` table. Every successful `PUT /sep12/customer` writes the caller's identity (`stellar_account`, `memo`) as the owner of the returned `customer_id`. Subsequent `GET` or `PUT` requests that supply `id` are checked against this table: if the stored owner does not match the token, the request is rejected with 403 before the business server is called. No business server contract changes are required.

**Changes**

- [x] `Sep12CustomerOwnership` / `Sep12CustomerOwnershipStore`: new core interfaces defining the ownership record model and its storage contract.
- [x] `JdbcSep12CustomerOwnership` / `JdbcSep12CustomerOwnershipRepo` / `JdbcSep12CustomerOwnershipStore`: platform JDBC implementation backed by the new `sep12_customer_ownership` table.
- [x] `V29__add_sep12_customer_ownership.sql`: Flyway migration creating the table (`customer_id PK`, `stellar_account NOT NULL`, `memo`).
- [x] `Sep12Service.putCustomer`: after every successful callback response, saves `(customer_id, token_account, token_memo)` to the ownership store, overwriting any prior record on update.
- [x] `Sep12Service.validateGetOrPutRequest`: when `id` is present and `transactionId` is absent, looks up the ownership record. If a record exists and the token's identity does not match, returns 403 before reaching the business server. If no record exists (customer predates the fix or SEP-31 first-time access), the request is allowed through with the caller's account injected, preserving backward compatibility.
- [x] `SepBeans` / `DataBeans`: wire `Sep12CustomerOwnershipStore` into the Spring context.
- [x] `Sep12ServiceTest`: mocked `Sep12CustomerOwnershipStore`; updated existing id-path tests; added IDOR unit tests covering mismatched account rejection, mismatched memo rejection, no-record allow-through, ownership save on PUT (plain and muxed), transactionId path bypass, and forward-account-to-callback behaviour.
- [x] `Sep12Tests`: added `test cross-account id access is rejected` integration test — registers a victim customer (ownership row written), attempts raw HTTP `GET` and `PUT` against that `id` from a different SEP-10 session, asserts 403 on both, and verifies the victim's record is unchanged.

**Acceptance Criteria**

- [x] `GET /sep12/customer?id=<id>` with a SEP-10 token that does not own that customer returns 403.
- [x] `PUT /sep12/customer` with `{"id":"<id>", ...}` from a different SEP-10 session returns 403.
- [x] The same `GET` and `PUT` succeed when issued by the token that owns the customer record.
- [x] No ownership record (first access or pre-existing customer) allows the request through with the caller's account injected.
- [x] The `transactionId` path is unaffected.
- [x] All existing `Sep12ServiceTest` tests pass.

### Context

[HackerOne #3735379](https://hackerone.com/reports/3735379)

### Testing

- Unit: `./gradlew :core:test --tests "org.stellar.anchor.sep12.Sep12ServiceTest"`
- Integration: `./gradlew runEssentialTests` — covers `test cross-account id access is rejected` in `Sep12Tests`

### Documentation

N/A

### Known limitations

Customers created before this migration has run have no ownership record. On their next `PUT /customer`, the record is written and all subsequent id-based requests are fully enforced. Until then, id-based access for those customers falls back to the caller's account being injected, relying on the business server's own id+account consistency check.
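The ownership check described in the commit message above, as an added Python illustration that is not the Anchor Platform's own code: `Sep12Request`, `OwnershipStore`, the `(stellar_account, memo)` tuple standing in for a `sep12_customer_ownership` row, and the `callback` stand-in for the business-server response are all assumed names, and the "pre-existing" account/memo-versus-token comparison is modelled from the description rather than copied from `Sep12Service`.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, Optional, Tuple

Owner = Tuple[str, Optional[str]]  # (stellar_account, memo), as stored per customer_id

@dataclass
class Sep12Request:
    id: Optional[str] = None
    account: Optional[str] = None
    memo: Optional[str] = None
    transaction_id: Optional[str] = None

class OwnershipStore:
    """In-memory stand-in for the sep12_customer_ownership table (hypothetical)."""
    def __init__(self) -> None:
        self._rows: Dict[str, Owner] = {}

    def save(self, customer_id: str, account: str, memo: Optional[str]) -> None:
        self._rows[customer_id] = (account, memo)  # overwrites any prior record on update

    def find(self, customer_id: str) -> Optional[Owner]:
        return self._rows.get(customer_id)

def validate_get_or_put(req: Sep12Request, token_account: str, token_memo: Optional[str],
                        store: OwnershipStore) -> Tuple[int, Optional[Sep12Request]]:
    """Return (403, None) to reject, or (200, request) as forwarded to the business server."""
    caller: Owner = (token_account, token_memo)
    # Pre-existing check (assumed shape): a supplied account/memo must belong to the session.
    if req.account is not None and (req.account, req.memo) != caller:
        return 403, None
    # Ownership check for id-based access; the transactionId path is left unaffected.
    if req.id is not None and req.transaction_id is None:
        owner = store.find(req.id)
        if owner is not None and owner != caller:
            return 403, None  # rejected before the business server is ever called
        # No record (customer predates the migration, or SEP-31 first-time access):
        # allowed through with the caller's account injected below.
    if req.account is None:
        req = replace(req, account=token_account, memo=token_memo)
    return 200, req

def put_customer(req: Sep12Request, token_account: str, token_memo: Optional[str],
                 store: OwnershipStore, callback: Callable[[Sep12Request], str]) -> Tuple[int, Optional[str]]:
    """PUT flow: validate, call the business server, then record the caller as owner of the returned id."""
    status, fwd = validate_get_or_put(req, token_account, token_memo, store)
    if status != 200:
        return status, None
    customer_id = callback(fwd)
    store.save(customer_id, token_account, token_memo)
    return 200, customer_id
```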
* update project version in `build.gradle.kts`
* update docker badge in `readme.md`
* update `version-info.properties`
### Description

This bumps the version to 4.4.0

### Context

Release

### Testing

- `./gradlew test`

### Documentation

N/A

### Known limitations

N/A
### Description

Merges `release/4.4.0` into `main` for the 4.4.0 release.

### Context

- id — prevents cross-customer KYC disclosure and payout destination overwrite ([ANCHOR-1215]: Anchor Platform SEP-12 IDOR via unvalidated customer id allows cross-customer KYC disclosure and payout destination overwrite #1946)