
fix(webauthn): Enhance JSON key search to prevent pattern injection, and fix Barz.getDiamondCutCode#4747

Status: Open
sergei-boiko-trustwallet wants to merge 3 commits into master from fix/webauthn-improvements

Conversation

sergei-boiko-trustwallet (Contributor) commented Apr 24, 2026

This pull request introduces important bug fixes and security improvements to the barz and webauthn modules, with a focus on correct data padding and robust JSON key detection. It also adds new tests to ensure these behaviors are properly validated.

Bug fixes and correctness improvements:

  • Fixed the calculation of padding length in get_diamond_cut_code to prevent potential overflow or incorrect padding when init_data is not aligned to the encoding chunk size.

Security and robustness improvements:

  • Improved the find_json_key_index function in webauthn.rs to accurately locate a key in a JSON string by parsing the JSON and ensuring the key occurs exactly once, preventing false positives from injected or repeated keys.
  • Added a test to verify that find_json_key_index correctly rejects injected or multiple key occurrences, increasing security against malicious input.

Testing and validation:

  • Added a new test for get_diamond_cut_code to ensure correct behavior when init_data is not aligned to 32 bytes, confirming that no subtraction overflow occurs and the output is as expected.

Code quality:

  • Added import of serde_json::Value as Json to support the improved JSON parsing logic.
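The two checks the description above calls for, as an added Rust illustration that is not the project's code: it uses hypothetical names (find_json_key_index, padding_len, CHUNK), a constructed clientDataJSON sample, and omits the serde_json parsing step of the real fix, checking only that the key pattern occurs exactly once.

```rust
// Added illustration (not tw_evm's own code). It sketches the two checks
// the PR description calls for, with hypothetical names:
//  1. find_json_key_index: locate `"<key>":` in a clientDataJSON string and
//     refuse to answer when the pattern occurs more than once, so a nested
//     or repeated key cannot steer the lookup. The real fix also parses the
//     JSON with serde_json; that step is omitted so this builds with std only.
//  2. padding_len: modulo-based 32-byte padding that cannot underflow.

/// Encoding chunk size the padding aligns to (assumed 32 bytes, as in the PR).
pub const CHUNK: usize = 32;

/// Constructed sample: a nested object carries its own "challenge" member
/// ahead of the real top-level one.
pub const CRAFTED: &str =
    r#"{"extra":{"challenge":"evil"},"challenge":"real","type":"webauthn.get"}"#;

/// Naive lookup for comparison: the first occurrence, wherever it sits.
pub fn naive_key_index(json: &str, key: &str) -> Option<usize> {
    json.find(&format!("\"{}\":", key))
}

/// Index of the unique `"key":` occurrence; `None` if the key is absent or
/// ambiguous (appears more than once anywhere in the text).
pub fn find_json_key_index(json: &str, key: &str) -> Option<usize> {
    let pattern = format!("\"{}\":", key);
    let mut hits = json.match_indices(&pattern).map(|(i, _)| i);
    let first = hits.next()?;
    // A second hit means the caller could be pointed at the wrong member;
    // reject instead of guessing.
    if hits.next().is_some() {
        return None;
    }
    Some(first)
}

/// Bytes needed to pad `len` up to a multiple of CHUNK. The outer `% CHUNK`
/// maps the 32 produced for an already aligned length back to 0, and the
/// subtraction operates on `len % CHUNK` (< CHUNK), so it never underflows.
pub fn padding_len(len: usize) -> usize {
    (CHUNK - len % CHUNK) % CHUNK
}

fn main() {
    println!("naive challenge: {:?}", naive_key_index(CRAFTED, "challenge"));
    println!("strict challenge: {:?}", find_json_key_index(CRAFTED, "challenge"));
    println!("strict type: {:?}", find_json_key_index(CRAFTED, "type"));
    for len in [0usize, 31, 32, 33, 100] {
        println!("padding_len({}) = {}", len, padding_len(len));
    }
}
```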


github-actions Bot commented Apr 24, 2026

Binary size comparison

➡️ aarch64-apple-ios: 14.36 MB

➡️ aarch64-apple-ios-sim:

- 14.37 MB
+ 14.37 MB 	 +1 KB

➡️ aarch64-linux-android: 18.81 MB

➡️ armv7-linux-androideabi: 16.23 MB

➡️ wasm32-unknown-emscripten:

- 13.72 MB
+ 13.72 MB 	 +1 KB

sergei-boiko-trustwallet changed the title from "fix(webauthn): enhance JSON key search to prevent pattern injection" to "fix(webauthn): Enhance JSON key search to prevent pattern injection, and fix Barz.getDiamondCutCode" on Apr 24, 2026
Copilot AI left a comment


Pull request overview

This PR hardens WebAuthn clientDataJSON key-index discovery to avoid ambiguous/malicious matches and fixes DiamondCut calldata padding to prevent underflow on unaligned init data, adding regression tests for both areas.

Changes:

  • Update find_json_key_index to validate keys via JSON parsing and reject ambiguous raw matches.
  • Fix DiamondCut init-data padding calculation to correctly pad to 32-byte boundaries without underflow.
  • Add unit tests covering the DiamondCut padding edge case and WebAuthn key-search ambiguity.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 3 comments.

File                                    Description
rust/tw_evm/tests/barz.rs               Adds a regression test for unaligned init_data to ensure padding logic doesn’t underflow.
rust/tw_evm/src/modules/webauthn.rs     Adds JSON parsing + stricter matching for key-index lookup; introduces unit tests for ambiguity/injection scenarios.
rust/tw_evm/src/modules/barz/core.rs    Corrects padding-length computation to standard modulo-based padding for 32-byte alignment.
