Security Fix: Enforce strict hex validation (TOB-21)

Author: Stephen-Thomson

src/primitives/hex.ts

@@ -3,23 +3,23 @@
 // Accepts empty string because empty byte arrays are valid in Bitcoin.
 const PURE_HEX_REGEX = /^[0-9a-fA-F]*$/
 
-export function assertValidHex(msg: string): void {
+export function assertValidHex (msg: string): void {
   if (typeof msg !== 'string') {
-    console.error("assertValidHex FAIL (non-string):", msg)
+    console.error('assertValidHex FAIL (non-string):', msg)
     throw new Error('Invalid hex string')
   }
 
   // allow empty
   if (msg.length === 0) return
 
   if (!PURE_HEX_REGEX.test(msg)) {
-    console.error("assertValidHex FAIL (bad hex):", msg)
+    console.error('assertValidHex FAIL (bad hex):', msg)
     throw new Error('Invalid hex string')
   }
 }
 
-export function normalizeHex(msg: string): string {
-  assertValidHex(msg);
+export function normalizeHex (msg: string): string {
+  assertValidHex(msg)
 
   // If empty, return empty — never force to "00"
   if (msg.length === 0) return ''

src/primitives/utils.ts

@@ -1,12 +1,11 @@
 import BigNumber from './BigNumber.js'
 import { hash256 } from './Hash.js'
-import { assertValidHex, normalizeHex } from './hex.js'
+import { assertValidHex } from './hex.js'
 
 const BufferCtor =
   typeof globalThis !== 'undefined' ? (globalThis as any).Buffer : undefined
 const CAN_USE_BUFFER =
   BufferCtor != null && typeof BufferCtor.from === 'function'
-const PURE_HEX_REGEX = /^[0-9a-fA-F]+$/
 
 /**
  * Prepends a '0' to an odd character length word to ensure it has an even number of characters.
@@ -232,7 +231,7 @@ export const toUTF8 = (arr: number[]): string => {
       result += String.fromCharCode(byte1)
       continue
     }
-    const emitReplacement = () => {
+    const emitReplacement = (): void => {
       result += replacementChar
     }
     if (byte1 >= 0xc0 && byte1 <= 0xdf) {