Validate HTTPS scheme in LSPS5 URL Readable deserialization

[vincenzopalazzo]

Summary

• LSPSUrl::Readable and LSPS5WebhookUrl::Readable bypassed URL validation, allowing non-HTTPS URLs (http://, ftp://, etc.) through wire protocol deserialization
• Root cause: both Readable impls directly wrapped raw deserialized bytes without calling the validating parse()/new() constructors
• Fix routes LSPSUrl::Readable through LSPSUrl::parse() and adds a MAX_WEBHOOK_URL_LENGTH check to LSPS5WebhookUrl::Readable

Fixes #4559

Reported-by: Thomas Kilbride of Block Security

Test plan

• 5 regression tests added covering Readable rejection of http:// URLs, too-long URLs, and acceptance of valid HTTPS URLs
• Full lightning-liquidity test suite passes

Co-Authored-By: Claude Opus 4.6 (1M context) noreply@anthropic.com

[ldk-reviews-bot]

I've assigned @jkczyz as a reviewer!
I'll wait for their review and will help manage the review process.
Once they submit their review, I'll check if a second reviewer would be helpful.

[ldk-claude-review-bot]

Review Summary

One issue found:

• lightning-liquidity/src/lsps5/msgs.rs:461 — LSPS5AppName::Readable (line 302–305) has the same bypass-the-validating-constructor bug that this PR fixes for LSPSUrl and LSPS5WebhookUrl. It skips the MAX_APP_NAME_LENGTH check. Since this PR is specifically fixing this class of bug, it should be fixed here too.

The core fix itself is correct: LSPSUrl::Readable now routes through parse(), and LSPS5WebhookUrl::Readable enforces the length limit. The url_length() change from chars().count() to .len() is a correct simplification given ASCII-only URLs.

[ldk-claude-review-bot]

Not introduced by this PR, but LSPS5AppName::Readable (line 302–305) has the exact same bypass pattern that this PR fixes for LSPSUrl and LSPS5WebhookUrl — it directly wraps the deserialized UntrustedString without calling LSPS5AppName::new(), skipping the MAX_APP_NAME_LENGTH check.

Since this PR is specifically fixing this class of bug, it would be worth fixing LSPS5AppName::Readable in the same commit to avoid leaving the identical issue in the sibling type.

Suggested change

	if url.url().len() > MAX_WEBHOOK_URL_LENGTH {
	let url: LSPSUrl = Readable::read(reader)?;
	if url.url().len() > MAX_WEBHOOK_URL_LENGTH {
	return Err(DecodeError::InvalidValue);
	}

(The code here is fine — just flagging the LSPS5AppName gap since it's the same pattern.)

[vincenzopalazzo]

Probably unrelated from the PR itself

[codecov]

Codecov Report

❌ Patch coverage is 95.00000% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.99%. Comparing base (4c398bb) to head (78df66d).
⚠️ Report is 7 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning-liquidity/src/lsps5/url_utils.rs	33.33%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #4560   +/-   ##
=======================================
  Coverage   86.99%   86.99%           
=======================================
  Files         163      163           
  Lines      108706   108744   +38     
  Branches   108706   108744   +38     
=======================================
+ Hits        94571    94605   +34     
- Misses      11655    11658    +3     
- Partials     2480     2481    +1     

Flag	Coverage Δ
fuzzing	40.28% <0.00%> (+0.01%)	⬆️
tests	86.09% <95.00%> (+<0.01%)	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[TheBlueMatt]

thanks