
decentraland / social-service-ea / build 28548013452
Coverage: 90% (main: 90%)
Last build branch: fix/security-hardening
Default branch: main
Ran 01 Jul 2026 09:15PM UTC · Jobs: 1 · Files: 201 · Run time: 1min

01 Jul 2026 09:01PM UTC coverage: 90.437% (+0.005%) from 90.432%
Build 28548013452 · event: push · CI: github · committer: web-flow
fix: enforce friendship state machine in upsertFriendship (#427)

* fix: enforce friendship state machine in upsertFriendship

upsertFriendship applied every friendship action without validating the
state-machine transition, so an authenticated user could send an ACCEPT
targeting an arbitrary address with no prior request and create an active
friendship (is_active = true) without the other user's consent. Because the
private-voice authorization gate keys on friendship.is_active, the forged
friendship also defeated a victim's ONLY_FRIENDS privacy setting.

The validator that encodes the legal transitions (validateNewFriendshipAction)
already existed and was unit-tested, but its only call site was dropped during
the upsert-friendship refactor (#214), leaving it as dead code.

This wires the validator back into upsertFriendship, before any state is
written, so illegal transitions are rejected with an InvalidFriendshipActionError
and no friendship row is created or updated.

- call validateNewFriendshipAction in upsertFriendship before computing the new status
- move InvalidFriendshipActionError into the friends logic errors.ts, since a logic
  component must not import from controllers/; the controller still maps it to the
  existing invalidFriendshipAction response
- rewrite the component tests that asserted the vulnerable behavior into
  valid-transition tests, and add a regression block covering illegal transitions

* test: remove redundant action assignment in upsert-friendship no-prior-action block
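The check the commit message describes, written out as an added example; this is illustrative TypeScript, not code from decentraland/social-service-ea. It keeps the names the message uses (validateNewFriendshipAction, upsertFriendship, InvalidFriendshipActionError, is_active, ONLY_FRIENDS), but the action set beyond ACCEPT, the transition table, the rule for who may perform a follow-up action, the in-memory store, the EVERYONE setting and the canCallPrivately gate are all assumptions made for this illustration. upsertFriendshipUnchecked reproduces the pre-fix shape (a bare ACCEPT toward an arbitrary address yields is_active = true and passes the ONLY_FRIENDS gate); upsertFriendship rejects the same request before any write.

```typescript
// Added example, not code from decentraland/social-service-ea. Action names
// other than ACCEPT, the transition table, the store and the EVERYONE setting
// are assumptions for this illustration.

type Action = 'REQUEST' | 'CANCEL' | 'ACCEPT' | 'REJECT' | 'DELETE'

interface FriendshipAction {
  action: Action
  actingUser: string // address that performed the action
}

interface Friendship {
  users: [string, string]
  is_active: boolean
  lastAction: FriendshipAction
}

class InvalidFriendshipActionError extends Error {
  constructor(message: string) {
    super(message)
    this.name = 'InvalidFriendshipActionError'
  }
}

// Legal transitions keyed by the previous action ('NONE' when no row exists).
// 'by' says who may perform the new action relative to whoever performed the
// previous one: the same user, the other user, or either.
type Who = 'same' | 'other' | 'any'
const TRANSITIONS: Record<string, Array<{ action: Action; by: Who }>> = {
  NONE: [{ action: 'REQUEST', by: 'any' }],
  REQUEST: [
    { action: 'CANCEL', by: 'same' },
    { action: 'ACCEPT', by: 'other' },
    { action: 'REJECT', by: 'other' },
  ],
  CANCEL: [{ action: 'REQUEST', by: 'any' }],
  REJECT: [{ action: 'REQUEST', by: 'any' }],
  ACCEPT: [{ action: 'DELETE', by: 'any' }],
  DELETE: [{ action: 'REQUEST', by: 'any' }],
}

function validateNewFriendshipAction(
  actingUser: string,
  newAction: Action,
  lastAction: FriendshipAction | null
): boolean {
  const allowed = TRANSITIONS[lastAction ? lastAction.action : 'NONE'] ?? []
  return allowed.some((t) => {
    if (t.action !== newAction) return false
    if (t.by === 'any') return true
    const sameUser = lastAction !== null && lastAction.actingUser === actingUser
    return t.by === 'same' ? sameUser : !sameUser
  })
}

class FriendshipStore {
  private rows = new Map<string, Friendship>()

  private key(a: string, b: string): string {
    return [a, b].sort().join('|') // one row per unordered pair of addresses
  }

  get(a: string, b: string): Friendship | undefined {
    return this.rows.get(this.key(a, b))
  }

  private write(actingUser: string, targetUser: string, action: Action): Friendship {
    const row: Friendship = {
      users: [actingUser, targetUser],
      is_active: action === 'ACCEPT', // only an accepted request yields an active friendship
      lastAction: { action, actingUser },
    }
    this.rows.set(this.key(actingUser, targetUser), row)
    return row
  }

  // Pre-fix shape: every action is applied, so a bare ACCEPT forges an active friendship.
  upsertFriendshipUnchecked(actingUser: string, targetUser: string, action: Action): Friendship {
    return this.write(actingUser, targetUser, action)
  }

  // Fixed shape: the transition is validated before anything is written, so an
  // illegal action leaves no row created or updated.
  upsertFriendship(actingUser: string, targetUser: string, action: Action): Friendship {
    const last = this.get(actingUser, targetUser)?.lastAction ?? null
    if (!validateNewFriendshipAction(actingUser, action, last)) {
      throw new InvalidFriendshipActionError(
        `${action} is not a legal transition from ${last ? last.action : 'NONE'}`
      )
    }
    return this.write(actingUser, targetUser, action)
  }
}

// Authorization gate keyed on is_active, in the shape of the private-voice check
// the commit message describes; the EVERYONE setting name is assumed.
function canCallPrivately(
  store: FriendshipStore,
  caller: string,
  callee: string,
  calleeSetting: 'EVERYONE' | 'ONLY_FRIENDS'
): boolean {
  if (calleeSetting === 'EVERYONE') return true
  return store.get(caller, callee)?.is_active === true
}
```

Two points worth carrying into the regression tests the message mentions: the rejected path must leave the store untouched (assert on the absence of a row, not just on the thrown error), and the validator takes the acting user so that the requester cannot ACCEPT their own request; a transition table that only checks the action sequence would still let one side drive both halves of the handshake.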

2299 of 2688 branches covered (85.53%)

Branch coverage included in aggregate %.

7 of 7 new or added lines in 3 files covered. (100.0%)

5758 of 6221 relevant lines covered (92.56%)

80.56 hits per line

Jobs
ID  Job ID         Ran                      Files  Coverage
1   28548013452.1  01 Jul 2026 09:15PM UTC  402    91.36
GitHub Action Run
Source Files on build 28548013452
201 files listed: 159 changed, 4 with source changes, 159 with coverage changes
  • Github Actions Build #28548013452
  • Commit d85302a6 on github
  • Prev Build on main (#28544267284)

© 2026 Coveralls, Inc