Merge pull request #5336 from oasisprotocol/kostko/stable/22.2.x/back…

…port-5335

[BACKPORT/22.2.x] go/common/cbor: Relax CBOR decoding for gRPC/RHP endpoints

.changelog/5335.bugfix.md

@@ -0,0 +1 @@
+go/common/cbor: Relax CBOR decoding for gRPC/RHP endpoints

.changelog/5337.internal.md

@@ -0,0 +1 @@
+go: Bump golang.org/x/net to 0.13.0

.changelog/5338.internal.md

@@ -0,0 +1 @@
+go: Bump go-libp2p to 0.29.1

go/common/cbor/cbor.go

@@ -53,9 +53,20 @@ var (
 		MaxMapPairs:      2147483647, // Maximum allowed.
 	}
 
+	// decOptionsRPC are decoding options for gRPC endpoints. They are only used when explicitly
+	// requested by using the UnmarshalRPC method.
+	decOptionsRPC = cbor.DecOptions{
+		DupMapKey:        cbor.DupMapKeyEnforcedAPF,
+		IndefLength:      cbor.IndefLengthForbidden,
+		TagsMd:           cbor.TagsForbidden,
+		MaxArrayElements: 10_000_000, // Usually limited by blob size limits anyway.
+		MaxMapPairs:      10_000_000, // Usually limited by blob size limits anyway.
+	}
+
 	encMode        cbor.EncMode
 	decMode        cbor.DecMode
 	decModeTrusted cbor.DecMode
+	decModeRPC     cbor.DecMode
 )
 
 func init() {
@@ -69,6 +80,9 @@ func init() {
 	if decModeTrusted, err = decOptionsTrusted.DecMode(); err != nil {
 		panic(err)
 	}
+	if decModeRPC, err = decOptionsRPC.DecMode(); err != nil {
+		panic(err)
+	}
 }
 
 // FixSliceForSerde will convert `nil` to `[]byte` to work around serde
@@ -109,6 +123,17 @@ func UnmarshalTrusted(data []byte, dst interface{}) error {
 	return decModeTrusted.Unmarshal(data, dst)
 }
 
+// UnmarshalRPC deserializes a CBOR byte vector into a given type.
+//
+// This method is suitable for RPC endpoints as it relaxes some decoding restrictions.
+func UnmarshalRPC(data []byte, dst interface{}) error {
+	if data == nil {
+		return nil
+	}
+
+	return decModeRPC.Unmarshal(data, dst)
+}
+
 // MustUnmarshal deserializes a CBOR byte vector into a given type.
 // Panics if unmarshal fails.
 func MustUnmarshal(data []byte, dst interface{}) {
@@ -126,3 +151,8 @@ func NewEncoder(w io.Writer) *cbor.Encoder {
 func NewDecoder(r io.Reader) *cbor.Decoder {
 	return decMode.NewDecoder(r)
 }
+
+// NewDecoderRPC creates a new CBOR decoder with relaxed decoding restrictions.
+func NewDecoderRPC(r io.Reader) *cbor.Decoder {
+	return decModeRPC.NewDecoder(r)
+}

go/common/cbor/cbor_test.go

@@ -44,9 +44,17 @@ func TestEncoderDecoder(t *testing.T) {
 	err = dec.Decode(&x)
 	require.NoError(err, "Decode")
 	require.EqualValues(42, x, "decoded value should be correct")
+
+	err = enc.Encode(32)
+	require.NoError(err, "Encode")
+
+	dec = NewDecoderRPC(&buf)
+	err = dec.Decode(&x)
+	require.NoError(err, "Decode")
+	require.EqualValues(32, x, "decoded value should be correct")
 }
 
-func TestDecodeUnknowField(t *testing.T) {
+func TestDecodeUnknownField(t *testing.T) {
 	require := require.New(t)
 
 	type a struct {
@@ -69,4 +77,7 @@ func TestDecodeUnknowField(t *testing.T) {
 
 	err = UnmarshalTrusted(raw, &dec)
 	require.NoError(err, "unknown fields from trusted sources should pass")
+
+	err = UnmarshalRPC(raw, &dec)
+	require.NoError(err, "unknown fields from RPC should pass")
 }

go/common/cbor/codec.go

@@ -56,7 +56,7 @@ func (c *MessageReader) Read(msg interface{}) error {
 
 	// Decode message bytes.
 	r := io.LimitReader(c.reader, int64(length))
-	dec := NewDecoder(r)
+	dec := NewDecoderRPC(r)
 	if err := dec.Decode(msg); err != nil {
 		return err
 	}

go/common/grpc/cbor.go

@@ -17,7 +17,7 @@ func (c *CBORCodec) Marshal(v interface{}) ([]byte, error) {
 }
 
 func (c *CBORCodec) Unmarshal(data []byte, v interface{}) error {
-	return cbor.Unmarshal(data, v)
+	return cbor.UnmarshalRPC(data, v)
 }
 
 func (c *CBORCodec) Name() string {

go/go.mod

@@ -34,9 +34,9 @@ require (
 	github.com/hashicorp/go-plugin v1.4.5
 	github.com/hpcloud/tail v1.0.0
 	github.com/ipfs/go-log/v2 v2.5.1
-	github.com/libp2p/go-libp2p v0.28.1
+	github.com/libp2p/go-libp2p v0.29.1
 	github.com/libp2p/go-libp2p-pubsub v0.9.3
-	github.com/multiformats/go-multiaddr v0.9.0
+	github.com/multiformats/go-multiaddr v0.10.1
 	github.com/oasisprotocol/curve25519-voi v0.0.0-20220708102147-0a8a51822cae
 	github.com/oasisprotocol/deoxysii v0.0.0-20220228165953-2091330c22b7
 	github.com/olekukonko/tablewriter v0.0.5
@@ -48,15 +48,15 @@ require (
 	github.com/spf13/cobra v1.5.0
 	github.com/spf13/pflag v1.0.5
 	github.com/spf13/viper v1.13.0
-	github.com/stretchr/testify v1.8.2
+	github.com/stretchr/testify v1.8.4
 	github.com/tendermint/tendermint v0.34.21
 	github.com/tendermint/tm-db v0.6.6
 	github.com/thepudds/fzgo v0.2.2
 	github.com/tyler-smith/go-bip39 v1.1.0
 	go.uber.org/multierr v1.11.0
 	go.uber.org/zap v1.24.0
-	golang.org/x/crypto v0.7.0
-	golang.org/x/net v0.10.0
+	golang.org/x/crypto v0.11.0
+	golang.org/x/net v0.13.0
 	google.golang.org/genproto v0.0.0-20230110181048-76db0878b65f
 	google.golang.org/grpc v1.53.0
 	google.golang.org/grpc/security/advancedtls v0.0.0-20221004221323-12db695f1648
@@ -102,7 +102,7 @@ require (
 	github.com/google/gofuzz v1.0.0 // indirect
 	github.com/google/gopacket v1.1.19 // indirect
 	github.com/google/orderedcode v0.0.1 // indirect
-	github.com/google/pprof v0.0.0-20230602150820-91b7bce49751 // indirect
+	github.com/google/pprof v0.0.0-20230705174524-200ffdc848b8 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
 	github.com/gtank/merlin v0.1.1 // indirect
@@ -119,7 +119,7 @@ require (
 	github.com/jbenet/goprocess v0.1.4 // indirect
 	github.com/jmhodges/levigo v1.0.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.16.5 // indirect
+	github.com/klauspost/compress v1.16.7 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.5 // indirect
 	github.com/koron/go-ssdp v0.0.4 // indirect
 	github.com/lib/pq v1.10.6 // indirect
@@ -131,14 +131,14 @@ require (
 	github.com/libp2p/go-nat v0.2.0 // indirect
 	github.com/libp2p/go-netroute v0.2.1 // indirect
 	github.com/libp2p/go-reuseport v0.3.0 // indirect
-	github.com/libp2p/go-yamux/v4 v4.0.0 // indirect
+	github.com/libp2p/go-yamux/v4 v4.0.1 // indirect
 	github.com/magiconair/properties v1.8.6 // indirect
 	github.com/marten-seemann/tcp v0.0.0-20210406111302-dfbc87cc63fd // indirect
 	github.com/mattn/go-colorable v0.1.12 // indirect
 	github.com/mattn/go-isatty v0.0.19 // indirect
 	github.com/mattn/go-runewidth v0.0.9 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
-	github.com/miekg/dns v1.1.54 // indirect
+	github.com/miekg/dns v1.1.55 // indirect
 	github.com/mikioh/tcpinfo v0.0.0-20190314235526-30a79bb1804b // indirect
 	github.com/mikioh/tcpopt v0.0.0-20190314235656-172688c1accc // indirect
 	github.com/mimoo/StrobeGo v0.0.0-20181016162300-f8f6d4d2b643 // indirect
@@ -155,13 +155,13 @@ require (
 	github.com/multiformats/go-multiaddr-fmt v0.1.0 // indirect
 	github.com/multiformats/go-multibase v0.2.0 // indirect
 	github.com/multiformats/go-multicodec v0.9.0 // indirect
-	github.com/multiformats/go-multihash v0.2.2 // indirect
+	github.com/multiformats/go-multihash v0.2.3 // indirect
 	github.com/multiformats/go-multistream v0.4.1 // indirect
 	github.com/multiformats/go-varint v0.0.7 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
 	github.com/oasisprotocol/safeopen v0.0.0-20200528085122-e01cfdfc7661 // indirect
 	github.com/oklog/run v1.0.0 // indirect
-	github.com/onsi/ginkgo/v2 v2.9.7 // indirect
+	github.com/onsi/ginkgo/v2 v2.11.0 // indirect
 	github.com/opencontainers/runtime-spec v1.0.3-0.20210326190908-1c3f411f0417 // indirect
 	github.com/pbnjay/memory v0.0.0-20210728143218-7b4eea64cf58 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
@@ -171,9 +171,9 @@ require (
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/prometheus/client_model v0.4.0 // indirect
 	github.com/quic-go/qpack v0.4.0 // indirect
-	github.com/quic-go/qtls-go1-19 v0.3.2 // indirect
-	github.com/quic-go/qtls-go1-20 v0.2.2 // indirect
-	github.com/quic-go/quic-go v0.33.0 // indirect
+	github.com/quic-go/qtls-go1-19 v0.3.3 // indirect
+	github.com/quic-go/qtls-go1-20 v0.2.3 // indirect
+	github.com/quic-go/quic-go v0.36.3 // indirect
 	github.com/quic-go/webtransport-go v0.5.3 // indirect
 	github.com/raulk/go-watchdog v1.3.0 // indirect
 	github.com/rcrowley/go-metrics v0.0.0-20200313005456-10cdbea86bc0 // indirect
@@ -191,13 +191,13 @@ require (
 	go.opencensus.io v0.23.0 // indirect
 	go.uber.org/atomic v1.11.0 // indirect
 	go.uber.org/dig v1.17.0 // indirect
-	go.uber.org/fx v1.19.2 // indirect
-	golang.org/x/exp v0.0.0-20230321023759-10a507213a29 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/sync v0.2.0 // indirect
-	golang.org/x/sys v0.8.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
-	golang.org/x/tools v0.9.1 // indirect
+	go.uber.org/fx v1.20.0 // indirect
+	golang.org/x/exp v0.0.0-20230713183714-613f0c0eb8a1 // indirect
+	golang.org/x/mod v0.12.0 // indirect
+	golang.org/x/sync v0.3.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
+	golang.org/x/text v0.11.0 // indirect
+	golang.org/x/tools v0.11.0 // indirect
 	gopkg.in/fsnotify.v1 v1.4.7 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect