xdr: Enforce maximum decoding allocation size

stellar · Nov 15, 2023 · 7db83fb · 7db83fb
1 parent 7bdbc7b
commit 7db83fb
Show file tree

Hide file tree

Showing 10 changed files with 2,395 additions and 1,997 deletions.
diff --git a/Makefile b/Makefile
@@ -14,7 +14,7 @@ xdr/Stellar-contract.x \
 xdr/Stellar-internal.x \
 xdr/Stellar-contract-config-setting.x
 
-XDRGEN_COMMIT=a231a92475ac6154c0c2f46dc503809823985060
+XDRGEN_COMMIT=bc3719f8954c0de37165a3e275a222fc9c5e1fd0
 XDR_COMMIT=6a620d160aab22609c982d54578ff6a63bfcdc01
 
 .PHONY: xdr xdr-clean xdr-update

diff --git a/go.mod b/go.mod
@@ -42,7 +42,7 @@ require (
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/pflag v1.0.3
 	github.com/spf13/viper v1.3.2
-	github.com/stellar/go-xdr v0.0.0-20230919160922-6c7b68458206
+	github.com/stellar/go-xdr v0.0.0-20231115164933-30dd2ac849fd
 	github.com/stellar/throttled v2.2.3-0.20190823235211-89d75816f59d+incompatible
 	github.com/stretchr/testify v1.8.1
 	github.com/tyler-smith/go-bip39 v0.0.0-20180618194314-52158e4697b8

diff --git a/go.sum b/go.sum
@@ -325,8 +325,8 @@ github.com/spf13/pflag v1.0.3 h1:zPAT6CGy6wXeQ7NtTnaTerfKOsV6V6F8agHXFiazDkg=
 github.com/spf13/pflag v1.0.3/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=
 github.com/spf13/viper v1.3.2 h1:VUFqw5KcqRf7i70GOzW7N+Q7+gxVBkSSqiXB12+JQ4M=
 github.com/spf13/viper v1.3.2/go.mod h1:ZiWeW+zYFKm7srdB9IoDzzZXaJaI5eL9QjNiN/DMA2s=
-github.com/stellar/go-xdr v0.0.0-20230919160922-6c7b68458206 h1:UFuvvpbWL8+jqO1QmKYWSVhiMp4MRiIFd8/zQlUINH0=
-github.com/stellar/go-xdr v0.0.0-20230919160922-6c7b68458206/go.mod h1:yoxyU/M8nl9LKeWIoBrbDPQ7Cy+4jxRcWcOayZ4BMps=
+github.com/stellar/go-xdr v0.0.0-20231115164933-30dd2ac849fd h1:eLc2Csvf+GgY/l5t6cYJRsx+KSBbS3x/UM386DkB2N8=
+github.com/stellar/go-xdr v0.0.0-20231115164933-30dd2ac849fd/go.mod h1:yoxyU/M8nl9LKeWIoBrbDPQ7Cy+4jxRcWcOayZ4BMps=
 github.com/stellar/throttled v2.2.3-0.20190823235211-89d75816f59d+incompatible h1:jMXXAcz6xTarGDQ4VtVbtERogcmDQw4RaE85Cr9CgoQ=
 github.com/stellar/throttled v2.2.3-0.20190823235211-89d75816f59d+incompatible/go.mod h1:7CJ23pXirXBJq45DqvO6clzTEGM/l1SfKrgrzLry8b4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=

diff --git a/gxdr/validator.go b/gxdr/validator.go
diff --git a/gxdr/validator_test.go b/gxdr/validator_test.go
diff --git a/ingest/ledgerbackend/buffered_meta_pipe_reader.go b/ingest/ledgerbackend/buffered_meta_pipe_reader.go
@@ -97,7 +97,7 @@ func (b *bufferedLedgerMetaReader) readLedgerMetaFromPipe() (*xdr.LedgerCloseMet
 	}
 
 	var xlcm xdr.LedgerCloseMeta
-	_, err = xlcm.DecodeFrom(b.decoder, xdr3.DecodeDefaultMaxDepth)
+	_, err = xlcm.DecodeFrom(b.decoder, xdr3.DecodeDefaultMaxDepth, 0)
 	if err != nil {
 		return nil, errors.Wrap(err, "unmarshaling framed LedgerCloseMeta")
 	}

diff --git a/services/horizon/internal/actions/submit_transaction.go b/services/horizon/internal/actions/submit_transaction.go
@@ -6,7 +6,6 @@ import (
 	"mime"
 	"net/http"
 
-	"github.com/stellar/go/gxdr"
 	"github.com/stellar/go/network"
 	"github.com/stellar/go/protocols/horizon"
 	hProblem "github.com/stellar/go/services/horizon/internal/render/problem"
@@ -23,9 +22,10 @@ type NetworkSubmitter interface {
 }
 
 type SubmitTransactionHandler struct {
-	Submitter         NetworkSubmitter
-	NetworkPassphrase string
-	DisableTxSub      bool
+	Submitter          NetworkSubmitter
+	NetworkPassphrase  string
+	DisableTxSub       bool
+	MaxHTTPRequestSize uint
 	CoreStateGetter
 }
 
@@ -36,12 +36,9 @@ type envelopeInfo struct {
 	parsed    xdr.TransactionEnvelope
 }
 
-func extractEnvelopeInfo(raw string, passphrase string) (envelopeInfo, error) {
+func (handler SubmitTransactionHandler) extractEnvelopeInfo(raw string, passphrase string) (envelopeInfo, error) {
 	result := envelopeInfo{raw: raw}
-	if err := gxdr.ValidateTransactionEnvelope(raw, gxdr.DefaultMaxDepth); err != nil {
-		return result, err
-	}
-	err := xdr.SafeUnmarshalBase64(raw, &result.parsed)
+	err := xdr.SafeUnmarshalBase64WithMaxAllocSize(raw, int(handler.MaxHTTPRequestSize), &result.parsed)
 	if err != nil {
 		return result, err
 	}
@@ -149,7 +146,7 @@ func (handler SubmitTransactionHandler) GetResource(w HeaderWriter, r *http.Requ
 		return nil, err
 	}
 
-	info, err := extractEnvelopeInfo(raw, handler.NetworkPassphrase)
+	info, err := handler.extractEnvelopeInfo(raw, handler.NetworkPassphrase)
 	if err != nil {
 		return nil, &problem.P{
 			Type:   "transaction_malformed",

diff --git a/services/horizon/internal/httpx/router.go b/services/horizon/internal/httpx/router.go
@@ -324,10 +324,11 @@ func (r *Router) addRoutes(config *RouterConfig, rateLimiter *throttled.HTTPRate
 
 	// Transaction submission API
 	r.Method(http.MethodPost, "/transactions", ObjectActionHandler{actions.SubmitTransactionHandler{
-		Submitter:         config.TxSubmitter,
-		NetworkPassphrase: config.NetworkPassphrase,
-		DisableTxSub:      config.DisableTxSub,
-		CoreStateGetter:   config.CoreGetter,
+		MaxHTTPRequestSize: config.MaxHTTPRequestSize,
+		Submitter:          config.TxSubmitter,
+		NetworkPassphrase:  config.NetworkPassphrase,
+		DisableTxSub:       config.DisableTxSub,
+		CoreStateGetter:    config.CoreGetter,
 	}})
 
 	// Network state related endpoints

diff --git a/xdr/main.go b/xdr/main.go
@@ -36,11 +36,11 @@ var OperationTypeToStringMap = operationTypeMap
 
 var LedgerEntryTypeMap = ledgerEntryTypeMap
 
-func safeUnmarshalString(decoder func(reader io.Reader) io.Reader, data string, dest interface{}) error {
+func safeUnmarshalString(decoder func(reader io.Reader) io.Reader, maxAllocSize int, data string, dest interface{}) error {
 	count := &countWriter{}
 	l := len(data)
 
-	_, err := Unmarshal(decoder(io.TeeReader(strings.NewReader(data), count)), dest)
+	_, err := UnmarshalWithMaxAllocSize(decoder(io.TeeReader(strings.NewReader(data), count)), dest, maxAllocSize)
 	if err != nil {
 		return err
 	}
@@ -56,10 +56,17 @@ func safeUnmarshalString(decoder func(reader io.Reader) io.Reader, data string,
 // decoding the xdr into the provided destination. Also ensures that the reader
 // is fully consumed.
 func SafeUnmarshalBase64(data string, dest interface{}) error {
+	return SafeUnmarshalBase64WithMaxAllocSize(data, 0, dest)
+}
+
+// SafeUnmarshalBase64WithMaxAllocSize works just like SafeUnmarshalBase64, except a maximum
+// allocation size is provided.
+func SafeUnmarshalBase64WithMaxAllocSize(data string, maxAllocSize int, dest interface{}) error {
 	return safeUnmarshalString(
 		func(r io.Reader) io.Reader {
 			return base64.NewDecoder(base64.StdEncoding, r)
 		},
+		maxAllocSize,
 		data,
 		dest,
 	)
@@ -69,7 +76,7 @@ func SafeUnmarshalBase64(data string, dest interface{}) error {
 // decoding the xdr into the provided destination. Also ensures that the reader
 // is fully consumed.
 func SafeUnmarshalHex(data string, dest interface{}) error {
-	return safeUnmarshalString(hex.NewDecoder, data, dest)
+	return safeUnmarshalString(hex.NewDecoder, 0, data, dest)
 }
 
 // SafeUnmarshal decodes the provided reader into the destination and verifies
@@ -112,7 +119,7 @@ func NewBytesDecoder() *BytesDecoder {
 
 func (d *BytesDecoder) DecodeBytes(v DecoderFrom, b []byte) (int, error) {
 	d.reader.Reset(b)
-	return v.DecodeFrom(d.decoder, xdr.DecodeDefaultMaxDepth)
+	return v.DecodeFrom(d.decoder, xdr.DecodeDefaultMaxDepth, 0)
 }
 
 func marshalString(encoder func([]byte) string, v interface{}) (string, error) {