Audit JSON unmarshaller schemes for max allowed nested depth #3131

Closed
AnnaShaleva opened this issue Sep 18, 2023 · 3 comments · Fixed by #3221

AnnaShaleva commented Sep 18, 2023

Pay special attention to neorpc.SignerWithWitness. Some constraints are not checked during transaction.Transaction unmarshalling (compared with the binary transaction deserialisation).
One of the known problems is related to neo-project/neo#2950: we don't have the problem with maximum depth, but we have a problem with an unlimited number of Rules items in the slice. Signers may also be checked, not sure whether they are restricted now.

@AnnaShaleva AnnaShaleva added rpc RPC server and client enhancement Improving existing functionality labels Sep 18, 2023
@AnnaShaleva AnnaShaleva added this to the v0.103.0 milestone Sep 18, 2023
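
Added example, not part of the issue thread and not neo-go's code: the gap described in the first comment (JSON input bypassing the item-count and nesting limits that binary deserialisation enforces) can be closed with a pre-check over the token stream before `json.Unmarshal` runs. `CheckLimits`, the limit values and the signer-like sample object are hypothetical, and the check generalises from the Rules slice to any array and any nesting.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
)

var ErrTooDeep, ErrTooManyItems = errors.New("nesting too deep"), errors.New("too many array items")

// CheckLimits (hypothetical helper, not neo-go code) rejects JSON nested deeper
// than maxDepth or holding an array longer than maxItems (caller-chosen limits).
func CheckLimits(data []byte, maxDepth, maxItems int) error {
	dec := json.NewDecoder(bytes.NewReader(data))
	var stack []int // per open container: item count for arrays, -1 for objects
	for {
		tok, err := dec.Token()
		if err == io.EOF && len(stack) == 0 {
			return nil
		} else if err != nil {
			return err // includes EOF inside an unclosed container
		}
		d, isDelim := tok.(json.Delim)
		if isDelim && (d == ']' || d == '}') {
			stack = stack[:len(stack)-1] // Token guarantees matched delimiters
			continue
		}
		if n := len(stack); n > 0 && stack[n-1] >= 0 { // new value inside an array
			if stack[n-1]++; stack[n-1] > maxItems {
				return ErrTooManyItems
			}
		}
		if isDelim { // '[' or '{' opens one more nesting level
			if len(stack) >= maxDepth {
				return ErrTooDeep
			}
			stack = append(stack, -1)
			if d == '[' {
				stack[len(stack)-1] = 0
			}
		}
	}
}

func main() {
	in := []byte(`{"account":"0x01","rules":[{"a":1},{"a":2},{"a":3}]}`) // constructed
	fmt.Println(CheckLimits(in, 4, 2), CheckLimits(in, 2, 3))
}
```

The check fails as soon as a limit is crossed, so an oversized Rules array is rejected before any typed structure is built from it.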
@AnnaShaleva
Member Author

And port neo-project/neo#2951 if needed (we already have some of these constraints even in JSON).

@AnnaShaleva
Member Author

See also neo-project/neo@bfe6d13 and neo-project/neo#2912. It doesn't affect the core protocol (although we should check native Management's deploy/update), but some RPC service may be affected.

@AnnaShaleva AnnaShaleva changed the title Audit neorpc.SignerWithWitness unmarshalling scheme Audit JSON unmarshaller schemes for max allowed nested depth Nov 9, 2023
@AnnaShaleva
Member Author

See also neo-project/neo-modules#827.

@AnnaShaleva AnnaShaleva self-assigned this Nov 22, 2023
AnnaShaleva added a commit that referenced this issue Nov 23, 2023
Restrict the number of Rules, Contracts and Groups. A part of #3131.

Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
AnnaShaleva added a commit that referenced this issue Nov 23, 2023
A part of #3131.

Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
AnnaShaleva added a commit that referenced this issue Nov 23, 2023
A part of #3131, follow the neo-project/neo-modules#827.

Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>
AnnaShaleva added a commit that referenced this issue Nov 23, 2023
A part of #3131, follow the notion of neo-project/neo-modules#827,
but don't restrict request line size due to golang/go#15494.

Signed-off-by: Anna Shaleva <shaleva.ann@nspcc.ru>