Summary
The jam-backend currently accepts malformed advance payloads that are missing required fields instead of rejecting them.
This was confirmed during a live test run against the local Cartesi devnet backend.
Affected cases
- jam.create accepts a payload with missing genesisEntry
- jam.append accepts a payload with missing entry
- jam.create accepts an invalid mintPrice like "abc"
Observed behavior
1. jam.create with missing genesisEntry
Payload:
{"action":"jam.create","name":"badJam","description":"missing genesis","mintPrice":"1","maxEntries":2}
Observed result:
- Advance was accepted
- A new jam was created
- The backend did not reject the missing required field
2. jam.append with missing entry
Payload:
{"action":"jam.append","jamID":1}
Observed result:
- Advance was accepted
- A new entry was appended without a text value
- Inspecting the jam returned a malformed entry object missing the actual text content
3. jam.create with invalid mintPrice
Payload:
{"action":"jam.create","name":"badPrice","description":"invalid price","mintPrice":"abc","maxEntries":2,"genesisEntry":"seed"}
Observed result:
- Advance was accepted
- A jam was created with mintPrice: "abc"
- The invalid value is only likely to surface later during minting
Why this is a problem
- Invalid app state can be created and persisted
- Errors are deferred until later flows instead of being rejected at input time
- Frontend or integrator mistakes are harder to detect
- Malformed jam entries can leak into inspect responses
Likely source
The backend action handlers in apps/jam-backend/src/index.js pass request fields directly into new Jam(...) and Jam.appendToJamByID(...) without validating required properties first.
Suggested fix
Add explicit input validation before handling each advance action.
Examples:
- jam.create: require non-empty name, description, genesisEntry, valid numeric/string mintPrice, and positive integer maxEntries
- jam.append: require valid jamID and non-empty entry
- reject malformed payloads with a clear report instead of mutating state
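One way to implement the validation suggested above, as an added example (not code from apps/jam-backend). `validateAdvance`, `RULES` and the helper names are hypothetical; it takes the already-decoded JSON payload and assumes mintPrice is a non-negative integer given as a number or digit string, and jamID a non-negative integer.

```javascript
// Added example: hypothetical validator, not the project's own code.
// Field names come from the payloads in this report. The mintPrice and
// jamID formats are assumptions (non-negative integers).
const isNonEmptyString = (v) => typeof v === "string" && v.trim().length > 0;
const isPositiveInt = (v) => Number.isSafeInteger(v) && v > 0;
const isValidJamID = (v) => Number.isSafeInteger(v) && v >= 0;
const isPrice = (v) =>
  (typeof v === "string" && /^\d+$/.test(v)) ||
  (Number.isSafeInteger(v) && v >= 0);

// Required fields per action, each with the check it must pass.
const RULES = {
  "jam.create": {
    name: isNonEmptyString,
    description: isNonEmptyString,
    genesisEntry: isNonEmptyString,
    mintPrice: isPrice,
    maxEntries: isPositiveInt,
  },
  "jam.append": { jamID: isValidJamID, entry: isNonEmptyString },
};

// Returns { ok, errors }. The caller mutates state only when ok is true
// and otherwise emits the errors as a report.
function validateAdvance(raw) {
  let payload;
  try {
    payload = typeof raw === "string" ? JSON.parse(raw) : raw;
  } catch {
    return { ok: false, errors: ["payload is not valid JSON"] };
  }
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, errors: ["payload must be a JSON object"] };
  }
  const action = payload.action;
  // Own-property lookup so "constructor" or "__proto__" cannot select a rule set.
  if (typeof action !== "string" || !Object.hasOwn(RULES, action)) {
    return { ok: false, errors: ["unknown or missing action"] };
  }
  const rules = RULES[action];
  const errors = Object.keys(rules)
    .filter((f) => !Object.hasOwn(payload, f) || !rules[f](payload[f]))
    .map((f) => `${action}: missing or invalid ${f}`);
  return { ok: errors.length === 0, errors };
}
```

Calling this at the top of each advance handler, before `new Jam(...)` or `Jam.appendToJamByID(...)`, keeps the three payloads from this report from reaching state.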
Test evidence
This was observed during the test run documented in apps/jam-backend/TEST_REPORT.md.