Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
| function detectExtension(urlOrPath) { | ||
| const lower = urlOrPath.toLowerCase(); | ||
| if (lower.endsWith(".svg") || lower.includes("svg")) return "svg"; | ||
| if (lower.endsWith(".png") || lower.includes("png")) return "png"; |
There was a problem hiding this comment.
Extension detection matches "svg"/"png" anywhere in URL path
High Severity
detectExtension uses lower.includes("svg") and lower.includes("png") which match substrings anywhere in the URL or file path — domain names, directory names, query parameters. Because the SVG includes check runs first, any URL or path containing "svg" anywhere (e.g. https://svg-host.com/token.png or /svg-icons/token.png) will incorrectly return "svg", even when the actual file extension is .png. This causes icons to be saved with the wrong extension and metadata logo to reference the wrong filename.
| .get(url, (res) => { | ||
| if (res.statusCode >= 300 && res.statusCode < 400 && res.headers.location) { | ||
| // Follow redirect | ||
| return downloadFile(res.headers.location, dest).then(resolve, reject); |
There was a problem hiding this comment.
Unconsumed redirect response causes CLI process to hang
Medium Severity
When downloadFile encounters an HTTP redirect, it recursively follows the location header but never consumes the redirect response body (no res.resume() or res.destroy()). In Node.js, an unconsumed response keeps its underlying TCP socket alive in the event loop. Since main() doesn't call process.exit(0) on success, the CLI process will hang indefinitely after any icon download that involves a redirect — a very common scenario with CDN URLs.
Additional Locations (1)
1 participant
Help the poor disabled man out aka me
Note
Medium Risk
Introduces a new filesystem- and network-touching CLI (writes metadata/icons and can download remote files), which could affect repo contents if misused; changes are largely additive and covered by new tests.
Overview
Adds a new
cli-update-asset.jstool to create/update CAIP-19 asset metadata, download/copy icons, verify metadata/icon integrity (including permitted-field checks, symbol length, icon existence/format, and optional EIP-55 checksum validation), and list assets by chain.Updates
package.jsonto exposeasset:*scripts and run a newtest/cli-update-asset.jssuite (plustest:cli) covering CLI argument handling, update/verify/list behaviors, and CAIP-19 ID validation. Also introduces AI assistant guidance files (CLAUDE.md,.cursorrules, and Copilot instructions) documenting repo conventions and the new CLI workflow.Written by Cursor Bugbot for commit 9a52db5. This will update automatically on new commits. Configure here.