fix(drive-abci): add input bounds to batch query endpoints#3296
Conversation
Add max_returned_elements bounds checking to all batch query endpoints that accept arrays of identifiers without enforcing a maximum count. This prevents denial-of-service attacks via queries with millions of IDs that could cause memory exhaustion and CPU starvation.

Endpoints fixed:
- GetIdentitiesBalances (ids)
- GetDataContracts (ids)
- GetIdentitiesTokenBalances (identity_ids)
- GetIdentitiesTokenInfos (identity_ids)
- GetIdentityTokenBalances (token_ids)
- GetIdentityTokenInfos (token_ids)
- GetTokenStatuses (token_ids)
- GetTokenDirectPurchasePrices (token_ids)
- GetIdentitiesContractKeys (identities_ids)
- GetAddressesInfos (addresses)

All checks follow the same pattern as the existing GetPathElements endpoint, using platform_version.drive_abci.query.max_returned_elements and returning QuerySyntaxError::InvalidLimit when exceeded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report
Patch coverage is
Additional details and impacted files:

@@            Coverage Diff             @@
##           v3.1-dev    #3296      +/-   ##
============================================
+ Coverage     71.05%   71.09%   +0.03%
============================================
  Files          3293     3293
  Lines        265909   266291     +382
============================================
+ Hits         188951   189310     +359
- Misses        76958    76981      +23
Issue being fixed or feature implemented
Security audit found that multiple batch query endpoints accept unlimited ID arrays with no bounds check. A malicious client can send millions of IDs, causing memory exhaustion and CPU starvation. The GetPathElements endpoint correctly enforces max_returned_elements limits, but these did not:

- GetIdentitiesBalances - ids vector unbounded
- GetDataContracts - ids vector unbounded
- GetIdentitiesTokenBalances - identity_ids vector unbounded
- GetIdentitiesTokenInfos - identity_ids vector unbounded
- GetIdentityTokenBalances - token_ids vector unbounded
- GetIdentityTokenInfos - token_ids vector unbounded
- GetTokenStatuses - token_ids vector unbounded
- GetTokenDirectPurchasePrices - token_ids vector unbounded
- GetIdentitiesContractKeys - identities_ids vector unbounded
- GetAddressesInfos - addresses vector unbounded

What was done?

Added max_returned_elements bounds checking to all 10 vulnerable batch query endpoints, following the exact pattern from the GetPathElements reference implementation. Each endpoint now checks the input array length against platform_version.drive_abci.query.max_returned_elements and returns QuerySyntaxError::InvalidLimit when exceeded.

Also added comprehensive tests for each endpoint verifying:
- InvalidLimit error

How Has This Been Tested?

- cargo check -p drive-abci passes
- cargo clippy -p drive-abci clean
- cargo fmt --all applied

Breaking Changes

None. Clients sending more than max_returned_elements (currently 100) IDs in a single batch query will now receive an error instead of the server attempting to process the request. This is the intended behavior matching the existing GetPathElements endpoint.

Checklist:
🤖 Generated with Claude Code
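The check pattern the PR applies to each batch endpoint, as an added stand-alone example rather than drive-abci's own code. QueryConfig, QuerySyntaxError, check_batch_len and the GetIdentitiesBalances-style handler are hypothetical stand-ins for the project's types; the point shown is that the length comparison runs before any lookup or allocation, so an oversized batch costs the server nothing beyond the comparison.

```rust
use std::collections::HashMap;

// Hypothetical stand-ins for drive-abci types (assumption, not the project's code).
#[derive(Debug, PartialEq)]
pub enum QuerySyntaxError {
    InvalidLimit(String),
}

pub struct QueryConfig {
    // Mirrors platform_version.drive_abci.query.max_returned_elements (100 per the PR).
    pub max_returned_elements: u16,
}

/// Shared bounds check, applied before any lookup or allocation happens,
/// so a request with millions of IDs is rejected after one length comparison.
pub fn check_batch_len<T>(
    field: &str,
    items: &[T],
    config: &QueryConfig,
) -> Result<(), QuerySyntaxError> {
    let max = config.max_returned_elements as usize;
    if items.len() > max {
        return Err(QuerySyntaxError::InvalidLimit(format!(
            "{field} count {} exceeds max_returned_elements {max}",
            items.len()
        )));
    }
    Ok(())
}

/// Hypothetical GetIdentitiesBalances-style handler: validate first, then resolve.
/// `balances` stands in for the state store; None means the identity is unknown.
pub fn get_identities_balances(
    ids: &[[u8; 32]],
    balances: &HashMap<[u8; 32], u64>,
    config: &QueryConfig,
) -> Result<Vec<([u8; 32], Option<u64>)>, QuerySyntaxError> {
    check_batch_len("ids", ids, config)?;
    Ok(ids.iter().map(|id| (*id, balances.get(id).copied())).collect())
}

/// Constructed identity id for the example: a 32-byte array derived from an index.
pub fn id(n: u32) -> [u8; 32] {
    let mut out = [0u8; 32];
    out[..4].copy_from_slice(&n.to_be_bytes());
    out
}
```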