Json RPC method parameter validation #2097
Conversation
… blockHash, Tx Hash and Hex Index parameters and deserializers
asoto-iov
requested review from
Vovchyk,
casiojapi,
rmoreliovlabs and
illuque-iov
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| import static org.mockito.Mockito.mock; | ||
| import static org.mockito.Mockito.when; | ||
|
|
||
| class JsonRPCParamValidationTest { |
Check notice
Code scanning / CodeQL
Unused classes and interfaces Note test
….. related methods having parameter validation
|
|
||
| @Test | ||
| void eth_getTransactionByHash_invalidHash_returnsError() throws Exception { | ||
| TransactionResultDTO resultDTO = mock(TransactionResultDTO.class); |
Check notice
Code scanning / CodeQL
Unread local variable Note test
|
|
||
| String preResult = removeHexPrefix(param); | ||
|
|
||
| return Integer.parseInt(preResult, 16); |
Check notice
Code scanning / CodeQL
Missing catch of NumberFormatException Note
|
pipeline:run |
| public BlockRefParam deserialize(JsonParser jp, DeserializationContext ctxt) throws IOException { | ||
| BlockRef blockRef = mapper.readValue(jp, BlockRef.class); | ||
| return new BlockRefParam(blockRef); | ||
| } |
There was a problem hiding this comment.
here we'd need to support two cases and validate them:
- value is a blockId, eg. number "0x123" or tag "latest" (
String) - value is an JSON object with all supported fields, eg. blockNumber or requireCanonical (
Map<String, String>)
…nd eth_getFilterLogs. Fixing failing test from previous commit
Adding new FilterResquest Parameter class for JsonPRC
| public interface EthModuleWallet { | ||
|
|
||
| String[] accounts(); | ||
|
|
||
| String sign(String addr, String data); | ||
| String sign(HexAddressParam addr, HexDataParam data); |
There was a problem hiding this comment.
About this change, I think we shouldn't add the specific JsonRPC parameters here, we could keep the string or directly update to the address and data classes.
The Json PRC parameter classes should be used only under the jsonRPC domain.
There was a problem hiding this comment.
I understand, I will revert the changes for this one.
…ccount_method Check null value in newAccount method
| try { | ||
| this.rawDataBytes = HexUtils.stringHexToByteArray(rawData); | ||
| } catch (Exception e) { | ||
| throw RskJsonRpcRequestException.invalidParamError("Invalid data format. " + e.getMessage()); |
There was a problem hiding this comment.
I guess we should not expose an Exception's message to a user, I'd rather do it this way:
throw RskJsonRpcRequestException.invalidParamError("Invalid data format", e);
Messages are returned in JSON-RPC responses
There was a problem hiding this comment.
Please also check other param classes, eg HashParam32, HexAddressParam etc
There was a problem hiding this comment.
@Vovchyk @asoto-iov I overlooked that using the e object will still expose the exception message, so I updated these errors to "Invalid data format: invalid hex value". I think this also will keep it consistent with the rest of the code since we don't use the exception message for any of the other validation errors. Let me know what you think.
There was a problem hiding this comment.
@rmoreliovlabs, you can still pass exception as the last parameter in the list, so it'd be printed in logs later - like in the example above
| @@ -0,0 +1,51 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,102 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,127 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,48 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,49 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,41 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,45 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,50 @@ | |||
| package org.ethereum.rpc.parameters; | |||
| @@ -0,0 +1,16 @@ | |||
| package org.ethereum.rpc.parameters; | |||
There was a problem hiding this comment.
I've added the (C) header to all new files that were missing it, thanks for catching that.
|
pipeline:run |
…equest_parameter Adding support for null topics
| " \"topics\":[\"0x000000000000000000000000000000006d696e696e675f6665655f746f706963\", null, [\"0x000000000000000000000000000000006d696e696e675f6665655f746f706963\",null]]}"; | ||
| JsonNode jsonNode = objectMapper.readTree(filterRequestInput); | ||
| FilterRequestParam filterRequestParam = objectMapper.convertValue(jsonNode, FilterRequestParam.class); | ||
| FilterRequest fr = objectMapper.convertValue(jsonNode, FilterRequest.class); |
Check notice
Code scanning / CodeQL
Unread local variable Note test
Vovchyk
force-pushed
the
json_rpc_param_validation
branch
from
2ad2c49
to
55b42e8
Compare
Added proper handling of number parsing
|
pipeline:run |
|
Kudos, SonarCloud Quality Gate passed! |
Description
Motivation and Context
How Has This Been Tested?
Types of changes
Checklist: