Conversation
### Description
Merge `main` to `develop`

### Context
Git flow

### Testing
- `./gradlew test`

### Documentation
N/A

### Known limitations
N/A

### Description
Add private network validation to `ClientDomainHelper.fetchSigningKeyFromClientDomain()` to block SSRF via user-controlled `client_domain` parameter

### Context
- TODO: describe why this change was made

### Testing
- `./gradlew test`
- New unit tests for all blocked address ranges (loopback, localhost, link-local, 10.x, 172.16.x, 192.168.x)

### Documentation
N/A

### Known limitations
N/A

#1916)

### Description
Verify the transaction's creator matches the caller's JWT token before resolving customer data

### Context
An authenticated user could access or modify any customer's KYC data by providing another user's `transaction_id` in SEP-12 GET/PUT `/sep12/customer` requests.

### Testing
- `./gradlew test`
- Added test for mismatched/null/matching creator

### Documentation
N/A

### Known limitations
N/A

…int (#1917)

### Description
- Add 50KB size limit on `transaction` field in SEP-10 POST `/auth` before XDR parsing
- Reduce existing SEP-45 `authorization_entries` size limit from 100KB to 50KB

### Context
Valid SEP-10/SEP-45 auth payloads are small (a few KB). Limiting input size before XDR deserialization prevents unnecessary memory allocation from oversized payloads.

### Testing
- `./gradlew test`

### Documentation
N/A

### Known limitations
N/A

### Description
This bumps the version to 4.2.1

### Context
Patch release

### Testing
- `./gradlew test`

### Documentation
N/A

### Known limitations
N/A

… range (#1918)

### Description
- Fix MEMO_ID validation to support the full Stellar uint64 range (0 to 18,446,744,073,709,551,615)
- Replace Long.parseLong and Long.longValue() with BigInteger for MEMO_ID parsing and conversion
- Consolidate memo ID creation into a shared MemoHelper.makeMemoId() method

### Context
Partner reported that SEP-24 requests with refund_memo 11872666534918305457 were rejected with "Invalid Memo" due to this refund_memo value above Java's `Long.MAX_VALUE` (9,223,372,036,854,775,807).

Stellar protocol defines `MEMO_ID` as uint64, but the platform was using Java's signed long for parsing, which only supports half the range. The same issue existed in SEP-10 memo validation, `xdrMemoToString` (used by the payment observer for memo matching), and muxed account memo handling in `DefaultPaymentListener`.

### Testing
- ./gradlew test
- Added new unit tests to cover all cases

### Documentation
N/A

### Known limitations
N/A

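The MEMO_ID range problem described in the commit message above, as an added example that is not code from this pull request or the project. The class `MemoIdRangeExample` and its methods are hypothetical names; only the memo value and the uint64 bounds come from the commit message, and the rejected inputs are constructed.

```java
import java.math.BigInteger;

public class MemoIdRangeExample {
  // Upper bound of MEMO_ID as stated in the commit message (2^64 - 1).
  static final BigInteger UINT64_MAX = new BigInteger("18446744073709551615");

  // Hypothetical validator, not the project's MemoHelper.makeMemoId().
  // The ASCII-digit check runs first because BigInteger(String) also accepts
  // a leading sign and non-ASCII Unicode digits.
  static BigInteger parseMemoId(String raw) {
    if (raw == null || !raw.matches("[0-9]{1,20}")) {
      throw new IllegalArgumentException("Invalid Memo");
    }
    BigInteger value = new BigInteger(raw);
    if (value.compareTo(UINT64_MAX) > 0) {
      throw new IllegalArgumentException("Invalid Memo");
    }
    return value;
  }

  // longValue() keeps the low 64 bits, so the uint64 fits in a long bit-for-bit;
  // values above Long.MAX_VALUE read as negative when treated as signed.
  static long toUint64Bits(BigInteger value) { return value.longValue(); }

  // Unsigned reading of the same bits, for comparing against the decimal memo string.
  static String uint64BitsToString(long bits) { return Long.toUnsignedString(bits); }

  static boolean isRejected(String raw) {
    try { parseMemoId(raw); return false; } catch (IllegalArgumentException e) { return true; }
  }

  public static void main(String[] args) {
    String memo = "11872666534918305457"; // refund_memo from the commit message
    try {
      Long.parseLong(memo); // the signed parse the commit message says was replaced
    } catch (NumberFormatException e) {
      System.out.println("Long.parseLong: " + e.getMessage());
    }
    long bits = toUint64Bits(parseMemoId(memo));
    System.out.println("signed reading:   " + bits);
    System.out.println("unsigned reading: " + uint64BitsToString(bits));
    System.out.println("round trip equal: " + memo.equals(uint64BitsToString(bits)));
    System.out.println("max accepted:     " + !isRejected("18446744073709551615"));
    // Constructed inputs that must stay invalid after widening the range.
    for (String bad : new String[] {"18446744073709551616", "-1", "+5", " 7", "", "0x10"}) {
      System.out.println("rejected '" + bad + "': " + isRejected(bad));
    }
  }
}
```

Any comparison or logging of the stored `long` has to use the unsigned reading; printing it with the default signed conversion produces a negative number that no longer matches the memo the client sent.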
marwen-abid
approved these changes
Apr 8, 2026
Description
Merge `release/4.2.1` to `main`

Context
Git flow

Testing
`./gradlew test`

Documentation
N/A

Known limitations
N/A