fix(drive-abci): add input bounds to batch query endpoints#3296

Merged: QuantumExplorer merged 3 commits into v3.1-dev from fix/unbounded-batch-query-dos, Mar 15, 2026

Conversation

@QuantumExplorer (Member)
Issue being fixed or feature implemented

Security audit found that multiple batch query endpoints accept unlimited ID arrays with no bounds check. A malicious client can send millions of IDs, causing memory exhaustion and CPU starvation. The GetPathElements endpoint correctly enforces max_returned_elements limits, but these did not:

  • GetIdentitiesBalances - ids vector unbounded
  • GetDataContracts - ids vector unbounded
  • GetIdentitiesTokenBalances - identity_ids vector unbounded
  • GetIdentitiesTokenInfos - identity_ids vector unbounded
  • GetIdentityTokenBalances - token_ids vector unbounded
  • GetIdentityTokenInfos - token_ids vector unbounded
  • GetTokenStatuses - token_ids vector unbounded
  • GetTokenDirectPurchasePrices - token_ids vector unbounded
  • GetIdentitiesContractKeys - identities_ids vector unbounded
  • GetAddressesInfos - addresses vector unbounded

What was done?

Added max_returned_elements bounds checking to all 10 vulnerable batch query endpoints, following the exact pattern from the GetPathElements reference implementation. Each endpoint now checks the input array length against platform_version.drive_abci.query.max_returned_elements and returns QuerySyntaxError::InvalidLimit when exceeded.

Also added comprehensive tests for each endpoint verifying:

  • Queries exceeding the limit are rejected with InvalidLimit error
  • Queries at exactly the limit are accepted (boundary test)

How Has This Been Tested?

  • Tests verify queries exceeding limit are rejected (20 new tests total, 2 per endpoint)
  • Tests verify queries within/at limit still work
  • cargo check -p drive-abci passes
  • cargo clippy -p drive-abci clean
  • cargo fmt --all applied

Breaking Changes

None. Clients sending more than max_returned_elements (currently 100) IDs in a single batch query will now receive an error instead of the server attempting to process the request. This is the intended behavior matching the existing GetPathElements endpoint.

Checklist:

  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have added or updated relevant unit/integration/functional/e2e tests
  • I have added "!" to the title and described breaking changes in the corresponding section if my code contains any
  • I have made corresponding changes to the documentation if needed

🤖 Generated with Claude Code

Add max_returned_elements bounds checking to all batch query endpoints
that accept arrays of identifiers without enforcing a maximum count.
This prevents denial-of-service attacks via queries with millions of IDs
that could cause memory exhaustion and CPU starvation.

Endpoints fixed:
- GetIdentitiesBalances (ids)
- GetDataContracts (ids)
- GetIdentitiesTokenBalances (identity_ids)
- GetIdentitiesTokenInfos (identity_ids)
- GetIdentityTokenBalances (token_ids)
- GetIdentityTokenInfos (token_ids)
- GetTokenStatuses (token_ids)
- GetTokenDirectPurchasePrices (token_ids)
- GetIdentitiesContractKeys (identities_ids)
- GetAddressesInfos (addresses)

All checks follow the same pattern as the existing GetPathElements
endpoint, using platform_version.drive_abci.query.max_returned_elements
and returning QuerySyntaxError::InvalidLimit when exceeded.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
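The pattern the PR describes, as an added illustration that is not code from the drive-abci crate: an O(1) count check against the platform limit, run before any per-element parsing, beside the unbounded pre-fix shape for comparison. `QuerySyntaxError`, `QueryLimits`, `GetIdentitiesBalancesRequest` and the handler names are assumptions modelled on the identifiers quoted in the PR text, not the project's actual types; the request inputs are constructed inline.

```rust
// Added example, not code from the drive-abci crate. The names below
// (QuerySyntaxError, QueryLimits, GetIdentitiesBalancesRequest, the
// handler functions) are assumptions modelled on the PR description.

/// 32-byte platform identifier (identity, contract or token id).
pub type Identifier = [u8; 32];

/// Only the variants this example needs. The PR returns
/// `QuerySyntaxError::InvalidLimit` when a batch is too large.
#[derive(Debug, PartialEq, Eq)]
pub enum QuerySyntaxError {
    InvalidLimit(String),
    InvalidArgument(String),
}

/// Stand-in for `platform_version.drive_abci.query.max_returned_elements`.
#[derive(Clone, Copy, Debug)]
pub struct QueryLimits {
    pub max_returned_elements: u16,
}

/// The value the PR description quotes for the current platform version.
pub const CURRENT_LIMITS: QueryLimits = QueryLimits { max_returned_elements: 100 };

/// Wire-level request as it arrives from protobuf decoding: any number of
/// raw byte vectors of any length, nothing validated yet.
#[derive(Debug, Default)]
pub struct GetIdentitiesBalancesRequest {
    pub ids: Vec<Vec<u8>>,
}

/// The constant-time check each fixed endpoint now performs. `what` names
/// the offending field so the error says which array was too large.
pub fn check_batch_bounds(
    len: usize,
    limits: &QueryLimits,
    what: &str,
) -> Result<(), QuerySyntaxError> {
    let max = usize::from(limits.max_returned_elements);
    if len > max {
        return Err(QuerySyntaxError::InvalidLimit(format!(
            "{what} has {len} elements, more than max_returned_elements ({max})"
        )));
    }
    Ok(())
}

/// Pre-fix shape for comparison: every element is parsed (and allocated
/// for) no matter how many the client sent.
pub fn parse_ids_unbounded(raw_ids: &[Vec<u8>]) -> Result<Vec<Identifier>, QuerySyntaxError> {
    raw_ids
        .iter()
        .map(|raw| -> Result<Identifier, QuerySyntaxError> {
            raw.as_slice().try_into().map_err(|_| {
                QuerySyntaxError::InvalidArgument(format!(
                    "identifier must be 32 bytes, got {}",
                    raw.len()
                ))
            })
        })
        .collect()
}

/// Post-fix shape: the count is checked against the platform limit before
/// any per-element work, so an oversized batch is rejected without
/// touching its payload or the storage layer.
pub fn parse_identities_balances_request(
    req: &GetIdentitiesBalancesRequest,
    limits: &QueryLimits,
) -> Result<Vec<Identifier>, QuerySyntaxError> {
    check_batch_bounds(req.ids.len(), limits, "ids")?;
    parse_ids_unbounded(&req.ids)
}

/// Constructed input: `n` distinct, well-formed 32-byte ids.
pub fn request_with_n_ids(n: usize) -> GetIdentitiesBalancesRequest {
    let ids = (0..n)
        .map(|i| {
            let mut id = [0u8; 32];
            id[..8].copy_from_slice(&(i as u64).to_be_bytes());
            id.to_vec()
        })
        .collect();
    GetIdentitiesBalancesRequest { ids }
}

fn main() {
    // Boundary walk: empty, exactly at the limit, one over, far over.
    for n in [0usize, 100, 101, 10_000] {
        let req = request_with_n_ids(n);
        match parse_identities_balances_request(&req, &CURRENT_LIMITS) {
            Ok(ids) => println!("{n:>6} ids: accepted, {} parsed", ids.len()),
            Err(e) => println!("{n:>6} ids: rejected: {e:?}"),
        }
    }
}
```

The ordering is the point: the length check sits ahead of the `map`/`collect` that turns raw bytes into identifiers, so a request at or below the limit pays the per-element cost and a request above it pays only a `len()` comparison, which is what makes the "at exactly the limit" and "one over the limit" cases the two boundary tests worth keeping per endpoint.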
coderabbitai Bot (Contributor) commented Mar 15, 2026


Review info
📥 Commits

Reviewing files that changed from the base of the PR and between b42be00 and a27a089.

📒 Files selected for processing (10)
  • packages/rs-drive-abci/src/query/address_funds/addresses_infos/v0/mod.rs
  • packages/rs-drive-abci/src/query/data_contract_based_queries/data_contracts/v0/mod.rs
  • packages/rs-drive-abci/src/query/identity_based_queries/balances/v0/mod.rs
  • packages/rs-drive-abci/src/query/identity_based_queries/identities_contract_keys/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/identities_token_balances/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/identities_token_infos/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/identity_token_balances/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/identity_token_infos/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/token_direct_purchase_prices/v0/mod.rs
  • packages/rs-drive-abci/src/query/token_queries/token_status/v0/mod.rs

github-actions Bot added this to the v3.1.0 milestone Mar 15, 2026

codecov Bot commented Mar 15, 2026
Codecov Report

❌ Patch coverage is 94.76440% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 71.09%. Comparing base (b0c1667) to head (a27a089).
⚠️ Report is 9 commits behind head on v3.1-dev.

File with missing lines | Patch % | Missing lines
.../src/query/address_funds/addresses_infos/v0/mod.rs | 95.00% | 2
...ta_contract_based_queries/data_contracts/v0/mod.rs | 94.44% | 2
...rc/query/identity_based_queries/balances/v0/mod.rs | 94.44% | 2
...y_based_queries/identities_contract_keys/v0/mod.rs | 95.65% | 2
.../token_queries/identities_token_balances/v0/mod.rs | 94.73% | 2
...ery/token_queries/identities_token_infos/v0/mod.rs | 94.73% | 2
...ry/token_queries/identity_token_balances/v0/mod.rs | 94.73% | 2
...query/token_queries/identity_token_infos/v0/mod.rs | 94.73% | 2
...ken_queries/token_direct_purchase_prices/v0/mod.rs | 94.44% | 2
...bci/src/query/token_queries/token_status/v0/mod.rs | 94.44% | 2
Additional details and impacted files
@@             Coverage Diff              @@
##           v3.1-dev    #3296      +/-   ##
============================================
+ Coverage     71.05%   71.09%   +0.03%     
============================================
  Files          3293     3293              
  Lines        265909   266291     +382     
============================================
+ Hits         188951   189310     +359     
- Misses        76958    76981      +23     
Component | Coverage | Patch coverage | Δ
dpp | 60.13% | ø | ø
drive | 78.18% | ø | ø
drive-abci | 83.55% | 94.76% | +0.05% ⬆️
sdk | 31.25% | ø | ø
dapi-client | 39.08% | ø | ø
platform-version | ∅ | ø | ∅
platform-value | 39.83% | ø | ø
platform-wallet | 60.40% | ø | ø
drive-proof-verifier | ∅ | ø | ∅

QuantumExplorer merged commit 850cd48 into v3.1-dev Mar 15, 2026
17 checks passed
QuantumExplorer deleted the fix/unbounded-batch-query-dos branch March 15, 2026 16:28