-
Notifications
You must be signed in to change notification settings - Fork 109
security: enforce strict input validation and payload bounds #1706
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Changes from all commits
8c74cea
1151643
5d52bfb
c0efac1
4d24272
d06de98
fa66730
0601d51
5c24d77
c79b051
1b5f289
5bccde5
8c4ab82
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -72,6 +72,9 @@ type Validator[P driver.PublicParameters, T driver.Input, TA driver.TransferActi | |
| // If set to a specific version (e.g., driver.ProtocolV1), only requests with that version | ||
| // or higher will be accepted, rejecting older protocol versions. | ||
| MinProtocolVersion uint32 | ||
|
|
||
| // ValidationConfig specifies the resource limits for token requests. | ||
| ValidationConfig driver.ValidationConfig | ||
| } | ||
|
|
||
| // NewValidator returns a new Validator instance for the passed arguments. | ||
|
|
@@ -92,6 +95,7 @@ func NewValidator[P driver.PublicParameters, T driver.Input, TA driver.TransferA | |
| TransferValidators: transferValidators, | ||
| IssueValidators: issueValidators, | ||
| AuditingValidators: auditingValidators, | ||
| ValidationConfig: driver.DefaultValidationConfig, | ||
| } | ||
| } | ||
|
|
||
|
|
@@ -102,18 +106,31 @@ func (v *Validator[P, T, TA, IA, DS]) SetMinProtocolVersion(version uint32) { | |
| v.MinProtocolVersion = version | ||
| } | ||
|
|
||
| // SetValidationConfig configures the validation limits for the validator. | ||
| func (v *Validator[P, T, TA, IA, DS]) SetValidationConfig(config driver.ValidationConfig) { | ||
| v.ValidationConfig = config | ||
| } | ||
|
|
||
| // VerifyTokenRequestFromRaw verifies a token request from its raw representation. | ||
| func (v *Validator[P, T, TA, IA, DS]) VerifyTokenRequestFromRaw(ctx context.Context, getState driver.GetStateFnc, anchor driver.TokenRequestAnchor, raw []byte) ([]any, driver.ValidationAttributes, error) { | ||
| logger.DebugfContext(ctx, "Verify token request from raw") | ||
| if len(raw) == 0 { | ||
| return nil, nil, errors.New("empty token request") | ||
| } | ||
|
|
||
| if v.ValidationConfig.MaxTokenRequestSize > 0 && len(raw) > v.ValidationConfig.MaxTokenRequestSize { | ||
| return nil, nil, errors.Errorf("token request too large: %d > %d", len(raw), v.ValidationConfig.MaxTokenRequestSize) | ||
| } | ||
| tr := &driver.TokenRequest{} | ||
| err := tr.FromBytes(raw) | ||
| if err != nil { | ||
| return nil, nil, errors.Wrap(err, "failed to unmarshal token request") | ||
| } | ||
|
|
||
| if v.ValidationConfig.MaxActionCount > 0 && len(tr.Actions) > v.ValidationConfig.MaxActionCount { | ||
| return nil, nil, errors.Errorf("too many actions: %d > %d", len(tr.Actions), v.ValidationConfig.MaxActionCount) | ||
| } | ||
|
|
||
| // Validate protocol version | ||
| if tr.Version == 0 { | ||
| return nil, nil, driver.ErrInvalidVersion | ||
|
|
@@ -186,6 +203,18 @@ func (v *Validator[P, T, TA, IA, DS]) VerifyTokenRequest( | |
| if err != nil { | ||
| return nil, nil, errors.Wrapf(err, "failed to verify issue actions [%s]", anchor) | ||
| } | ||
|
|
||
| totalOutputs := 0 | ||
| for _, action := range ia { | ||
| totalOutputs += action.NumOutputs() | ||
| } | ||
| for _, action := range ta { | ||
| totalOutputs += action.NumOutputs() | ||
| } | ||
| if v.ValidationConfig.MaxTokenOutputsPerTx > 0 && totalOutputs > v.ValidationConfig.MaxTokenOutputsPerTx { | ||
| return nil, nil, errors.Errorf("too many token outputs: %d > %d", totalOutputs, v.ValidationConfig.MaxTokenOutputsPerTx) | ||
| } | ||
|
|
||
| err = v.verifyTransfers(ctx, anchor, tr, ledger, ta, signatureProvider, attributes) | ||
| if err != nil { | ||
| return nil, nil, errors.Wrapf(err, "failed to verify transfer actions [%s]", anchor) | ||
|
|
@@ -265,6 +294,27 @@ func (v *Validator[P, T, TA, IA, DS]) VerifyIssue( | |
| MetadataCounter: map[string]int{}, | ||
| Attributes: attributes, | ||
| } | ||
|
|
||
| // Check outputs | ||
| if v.ValidationConfig.MaxTokenPayloadSize > 0 || v.ValidationConfig.MaxOwnerRawSize > 0 { | ||
| outputs := action.GetOutputs() | ||
| for i, output := range outputs { | ||
| raw, err := output.Serialize() | ||
| if err != nil { | ||
| return errors.Wrapf(err, "failed to serialize output at index %d", i) | ||
| } | ||
| if v.ValidationConfig.MaxTokenPayloadSize > 0 && len(raw) > v.ValidationConfig.MaxTokenPayloadSize { | ||
|
Contributor
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. A limit of 0 means two opposite things:
So an operator who sets maxTokenOutputsPerTx: 0 expecting "unlimited" would instead block every append. I think we need to fix this and add the same > 0 guard in tokens.go so 0 means "unlimited" in both places. |
||
| return errors.Errorf("output payload too large at index %d: %d > %d", i, len(raw), v.ValidationConfig.MaxTokenPayloadSize) | ||
| } | ||
| if v.ValidationConfig.MaxOwnerRawSize > 0 && len(output.GetOwner()) > v.ValidationConfig.MaxOwnerRawSize { | ||
| return errors.Errorf("owner raw too large at index %d: %d > %d", i, len(output.GetOwner()), v.ValidationConfig.MaxOwnerRawSize) | ||
| } | ||
| } | ||
| } | ||
| if v.ValidationConfig.MaxIssuerRawSize > 0 && len(action.GetIssuer()) > v.ValidationConfig.MaxIssuerRawSize { | ||
| return errors.Errorf("issuer raw too large: %d > %d", len(action.GetIssuer()), v.ValidationConfig.MaxIssuerRawSize) | ||
| } | ||
|
|
||
| for _, v := range v.IssueValidators { | ||
| if err := v(ctx, context); err != nil { | ||
| return err | ||
|
|
@@ -328,6 +378,27 @@ func (v *Validator[P, T, TA, IA, DS]) VerifyTransfer( | |
| MetadataCounter: map[MetadataCounterID]int{}, | ||
| Attributes: attributes, | ||
| } | ||
|
|
||
| // Check outputs | ||
| if v.ValidationConfig.MaxTokenPayloadSize > 0 || v.ValidationConfig.MaxOwnerRawSize > 0 { | ||
| outputs := action.GetOutputs() | ||
| for i, output := range outputs { | ||
| raw, err := output.Serialize() | ||
| if err != nil { | ||
| return errors.Wrapf(err, "failed to serialize output at index %d", i) | ||
| } | ||
| if v.ValidationConfig.MaxTokenPayloadSize > 0 && len(raw) > v.ValidationConfig.MaxTokenPayloadSize { | ||
| return errors.Errorf("output payload too large at index %d: %d > %d", i, len(raw), v.ValidationConfig.MaxTokenPayloadSize) | ||
| } | ||
| if v.ValidationConfig.MaxOwnerRawSize > 0 && len(output.GetOwner()) > v.ValidationConfig.MaxOwnerRawSize { | ||
| return errors.Errorf("owner raw too large at index %d: %d > %d", i, len(output.GetOwner()), v.ValidationConfig.MaxOwnerRawSize) | ||
| } | ||
| } | ||
| } | ||
| if v.ValidationConfig.MaxIssuerRawSize > 0 && len(action.GetIssuer()) > v.ValidationConfig.MaxIssuerRawSize { | ||
| return errors.Errorf("issuer raw too large: %d > %d", len(action.GetIssuer()), v.ValidationConfig.MaxIssuerRawSize) | ||
| } | ||
|
|
||
| for _, v := range v.TransferValidators { | ||
| if err := v(ctx, context); err != nil { | ||
| return err | ||
|
|
||
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Version 0 is now accepted, but it used to be rejected. Why this is removed? This makes validation weaker, which is the opposite of what this PR is for, and it's not related to payload size limits.