security: enforce strict input validation and payload bounds#1706
security: enforce strict input validation and payload bounds#1706SurbhiAgarwal1 wants to merge 10 commits into
Conversation
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
5cae97f to
8c74cea
Compare
…k during initialization Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Signed-off-by: SurbhiAgarwal <agarwalsurbhi1807@gmail.com>
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
Signed-off-by: SurbhiAgarwal1 <agarwalsurbhi1807@gmail.com>
|
Looks good to me. |
|
Tick the box to add this pull request to the merge queue (same as
|
|
|
||
| // Validate protocol version | ||
| if tr.Version == 0 { | ||
| return nil, nil, driver.ErrInvalidVersion |
There was a problem hiding this comment.
Version 0 is now accepted, but it used to be rejected. Why this is removed? This makes validation weaker, which is the opposite of what this PR is for, and it's not related to payload size limits.
| Storage: storage, | ||
| RequestsCache: requestsCache, | ||
| Config: ValidationConfig{ | ||
| MaxTokenPayloadSize: 2 * 1024 * 1024, |
There was a problem hiding this comment.
Defaults duplicated in 4 places
-
token/driver/validator.go:
const (
MaxTokenPayloadSize = 2 * 1024 * 1024
MaxTokenOutputsPerTx = 1000
...
) -
token/config.go — GetValidationConfig:
config := driver.ValidationConfig{
MaxTokenPayloadSize: 2 * 1024 * 1024,
MaxTokenOutputsPerTx: 1000,
...
} -
token/core/common/validator.go — NewValidator:
ValidationConfig: driver.ValidationConfig{
MaxTokenPayloadSize: 2 * 1024 * 1024,
MaxTokenOutputsPerTx: 1000,
...
}, -
token/services/tokens/tokens.go — NewService:
Config: ValidationConfig{
MaxTokenPayloadSize: 2 * 1024 * 1024,
MaxTokenOutputsPerTx: 1000,
...
},
One option to fix this is to define once in token/driver/validator.go, reuse everywhere:
// DefaultValidationConfig holds the default resource limits.
var DefaultValidationConfig = ValidationConfig{
MaxTokenPayloadSize: 2 * 1024 * 1024,
MaxTokenOutputsPerTx: 1000,
MaxBulkDeleteSize: 10000,
MaxWalletIDSize: 1024,
MaxOwnerRawSize: 256 * 1024,
MaxIssuerRawSize: 256 * 1024,
MaxTokenRequestSize: 2 * 1024 * 1024,
MaxActionCount: 1000,
}
| if err != nil { | ||
| return errors.Wrapf(err, "failed to serialize output at index %d", i) | ||
| } | ||
| if v.ValidationConfig.MaxTokenPayloadSize > 0 && len(raw) > v.ValidationConfig.MaxTokenPayloadSize { |
There was a problem hiding this comment.
A limit of 0 means two opposite things:
- common/validator.go: 0 = no limit (checks are guarded with if MaxX > 0)
- tokens.go validateAppendRequest: 0 = reject everything (no guard, so len(req.Tokens) > 0 always fails)
So an operator who sets maxTokenOutputsPerTx: 0 expecting "unlimited" would instead block every append.
I think we need to fix this and add the same > 0 guard in tokens.go so 0 means "unlimited" in both places.
|
Hello @SurbhiAgarwal1 I would like to thank you a lot for your work on that PR. I appreciate it a lot. Thanks a lot, |
Address PR feedback on validation configs Signed-off-by: Surbhi Agarwal <SurbhiAgarwal1@users.noreply.github.com>
5cf7641 to
0601d51
Compare
…-validation Signed-off-by: Surbhi Agarwal <SurbhiAgarwal1@users.noreply.github.com>
Signed-off-by: Surbhi Agarwal <SurbhiAgarwal1@users.noreply.github.com>
Description
This PR implements strict input validation and payload bounds within the
tokens.Service.Appendmethod to protect the system against resource exhaustion and potential Denial of Service (DoS) attacks from malformed or oversized finality data.Changes
MaxTokenPayloadSize: 1MB (coversTokenOnLedgerandTokenOnLedgerMetadata)MaxTokenOutputsPerTx: 1000 outputsMaxBulkDeleteSize: 10,000 IDsMaxWalletIDSize: 1024 bytesMaxOwnerRawSize: 2048 bytesMaxIssuerRawSize: 2048 bytesvalidateAppendRequestwhich performs in-memory checks before any database transactions or storage operations are initiated.token/services/tokens/validation_test.gocovering edge cases, limit violations, and structural validation.Verification Results
token/services/tokenspassed successfully.golangci-lint(v2) standards, includingnlreturnandtestifylintcompliance.Fixes: #1608