Bug: Missing Validation for nodeId in NodeUpdateTransaction #977
Description
Bug: Missing Validation for nodeId in NodeUpdateTransaction
Summary
When using NodeUpdateTransaction, if the nodeId is not explicitly set, it defaults to 0 in the Consensus Node handler, which can unintentionally apply the transaction to node 0.0.3 (account ID 3) in local setups or production environments. This can lead to erroneous or risky node updates.
Expected Behavior
The SDK should validate that nodeId is explicitly set before execution of the transaction. If it is not, the SDK should throw a meaningful error indicating that the nodeId field is required.
Actual Behavior
If setNodeId(nodeId) is not called, the transaction defaults to null when executed it will default tonodeId = 0 in the consensus node handler, which is misleading and dangerous.
This behavior stems from the underlying protobuf field being of type uint64, which defaults to 0.
NodeUpdateTransactionBody protobuf
Suggested Fix
Add SDK-level validation in NodeUpdateTransaction to ensure that the nodeId field is explicitly set before execute() is called.
if (!nodeIdWasExplicitlySet) {
throw new Error("NodeUpdateTransaction must have nodeId set before execution.");
}This is especially important because the protobuf type (uint64) cannot distinguish between 0 and unset values, and PBJ (used in CN) doesn't support optional long fields.
Version(s) Affected
- SDK: [
@hashgraph/sdkAll Versions]
References
- Slack thread: link
Example Snippet (Current Behavior)
const updateTransaction = new NodeUpdateTransaction()
.setGrpcWebProxyEndpoint(grpcProxyEndpoint);
// nodeId not set explicitly — defaults to 0
await updateTransaction.execute(client);This incorrectly applies the update to node 0.0.3.
Impact
This could result in misconfigured nodes, unintended production changes.