HubDApp · ReinaMaze · Apr 25, 2026 · Apr 26, 2026
diff --git a/INPUT_VALIDATION_IMPLEMENTATION.md b/INPUT_VALIDATION_IMPLEMENTATION.md
diff --git a/dongle-smartcontract/VALIDATION_IMPLEMENTATION.md b/dongle-smartcontract/VALIDATION_IMPLEMENTATION.md
diff --git a/dongle-smartcontract/src/constants.rs b/dongle-smartcontract/src/constants.rs
@@ -28,8 +28,16 @@ pub const MAX_WEBSITE_LEN: usize = 256;
 #[allow(dead_code)]
 pub const MAX_CID_LEN: usize = 128;
 
+/// Minimum length for CID validation.
+#[allow(dead_code)]
+pub const MIN_CID_LEN: usize = 10;
+
 /// Valid rating range (inclusive). Reviews must be in [RATING_MIN, RATING_MAX]. u32 for Soroban Val.
 #[allow(dead_code)]
 pub const RATING_MIN: u32 = 1;
 #[allow(dead_code)]
 pub const RATING_MAX: u32 = 5;
+
+/// Maximum number of items that can be returned in a single pagination request.
+#[allow(dead_code)]
+pub const MAX_PAGINATION_LIMIT: u32 = 100;
diff --git a/dongle-smartcontract/src/lib.rs b/dongle-smartcontract/src/lib.rs
@@ -11,6 +11,7 @@ pub mod rating_calculator;
 pub mod review_registry;
 pub mod storage_keys;
 pub mod types;
+pub mod validation;
 mod verification_registry;
 
 #[cfg(test)]

diff --git a/dongle-smartcontract/src/project_registry.rs b/dongle-smartcontract/src/project_registry.rs
@@ -3,6 +3,7 @@ use crate::errors::ContractError;
 use crate::events::{publish_project_registered_event, publish_project_updated_event};
 use crate::storage_keys::StorageKey;
 use crate::types::{Project, ProjectRegistrationParams, ProjectUpdateParams, VerificationStatus};
+use crate::validation;
 use soroban_sdk::{Address, Env, Vec};
 
 /// Maximum number of items returned per paginated list call.
@@ -18,15 +19,13 @@ impl ProjectRegistry {
     ) -> Result<u64, ContractError> {
         require_self_auth(&params.owner);
 
-        if params.name.is_empty() {
-            panic!("InvalidProjectName");
-        }
-        if params.description.is_empty() {
-            panic!("InvalidProjectDescription");
-        }
-        if params.category.is_empty() {
-            panic!("InvalidProjectCategory");
-        }
+        // Validate all inputs
+        validation::validate_project_name(&params.name)?;
+        validation::validate_description(&params.description)?;
+        validation::validate_category(&params.category)?;
+        validation::validate_website(&params.website)?;
+        validation::validate_cid(&params.logo_cid)?;
+        validation::validate_cid(&params.metadata_cid)?;
 
         // Check if project name already exists
         if env
@@ -100,23 +99,30 @@ impl ProjectRegistry {
 
         require_owner_auth(&params.caller, &project.owner)?;
 
-        if let Some(value) = params.name {
-            project.name = value;
+        // Validate updated fields
+        if let Some(ref value) = params.name {
+            validation::validate_project_name(value).ok()?;
+            project.name = value.clone();
         }
-        if let Some(value) = params.description {
-            project.description = value;
+        if let Some(ref value) = params.description {
+            validation::validate_description(value).ok()?;
+            project.description = value.clone();
         }
-        if let Some(value) = params.category {
-            project.category = value;
+        if let Some(ref value) = params.category {
+            validation::validate_category(value).ok()?;
+            project.category = value.clone();
         }
-        if let Some(value) = params.website {
-            project.website = value;
+        if let Some(ref value) = params.website {
+            validation::validate_website(value).ok()?;
+            project.website = value.clone();
         }
-        if let Some(value) = params.logo_cid {
-            project.logo_cid = value;
+        if let Some(ref value) = params.logo_cid {
+            validation::validate_cid(value).ok()?;
+            project.logo_cid = value.clone();
         }
-        if let Some(value) = params.metadata_cid {
-            project.metadata_cid = value;
+        if let Some(ref value) = params.metadata_cid {
+            validation::validate_cid(value).ok()?;
+            project.metadata_cid = value.clone();
         }
 
         project.updated_at = env.ledger().timestamp();

diff --git a/dongle-smartcontract/src/review_registry.rs b/dongle-smartcontract/src/review_registry.rs
@@ -7,6 +7,7 @@ use crate::events::publish_review_event;
 use crate::rating_calculator::RatingCalculator;
 use crate::storage_keys::StorageKey;
 use crate::types::{ProjectStats, Review, ReviewAction};
+use crate::validation;
 use soroban_sdk::{Address, Env, String, Vec};
 
 pub struct ReviewRegistry;
@@ -21,9 +22,9 @@ impl ReviewRegistry {
     ) -> Result<(), ContractError> {
         require_self_auth(&reviewer);
 
-        if !(RATING_MIN..=RATING_MAX).contains(&rating) {
-            return Err(ContractError::InvalidRating);
-        }
+        // Validate inputs
+        validation::validate_rating(rating)?;
+        validation::validate_cid(&comment_cid)?;
 
         let review_key = StorageKey::Review(project_id, reviewer.clone());
         if env.storage().persistent().has(&review_key) {
@@ -108,9 +109,9 @@ impl ReviewRegistry {
     ) -> Result<(), ContractError> {
         require_self_auth(&reviewer);
 
-        if !(RATING_MIN..=RATING_MAX).contains(&rating) {
-            return Err(ContractError::InvalidRating);
-        }
+        // Validate inputs
+        validation::validate_rating(rating)?;
+        validation::validate_cid(&comment_cid)?;
 
         let review_key = StorageKey::Review(project_id, reviewer.clone());
         let mut review: Review = env