Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

rest: Reject truncated hex txid early in getutxos parsing #30482

Merged
merged 7 commits into from
Jul 25, 2024
+98 −82
Merged

rest: Reject truncated hex txid early in getutxos parsing #30482

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
fafe4b8
test: refactor: Replace SetHex with uint256 constructor directly
Jul 18, 2024
fa103db
scripted-diff: Rename SetHex to SetHexDeprecated
Jul 18, 2024
fad2991
refactor: Implement strict uint256::FromHex()
Jul 18, 2024
fab6ddb
refactor: Expose FromHex in transaction_identifier
Jul 19, 2024
fa90777
rest: Reject truncated hex txid early in getutxos parsing
Jul 19, 2024
fa7b57e
refactor: Replace ParseHashStr with FromHex
Jul 18, 2024
fac0c3d
doc: Add release notes for two pull requests
Jul 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
rest: Reject truncated hex txid early in getutxos parsing
  • Loading branch information
MarcoFalke committed Jul 24, 2024
commit fa9077724507faad207f29509a8202fc6ac9d502
5 changes: 3 additions & 2 deletions src/rest.cpp
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -792,13 +792,14 @@ static bool rest_getutxos(const std::any& context, HTTPRequest* req, const std::
if (txid_out.size() != 2) {
return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
}
auto txid{Txid::FromHex(txid_out.at(0))};
auto output{ToIntegral<uint32_t>(txid_out.at(1))};

if (!output || !IsHex(txid_out.at(0))) {
if (!txid || !output) {
maflcko marked this conversation as resolved.
Show resolved Hide resolved
return RESTERR(req, HTTP_BAD_REQUEST, "Parse error");
maflcko marked this conversation as resolved.
Show resolved Hide resolved
}

vOutPoints.emplace_back(TxidFromString(txid_out.at(0)), *output);
vOutPoints.emplace_back(*txid, *output);
}

if (vOutPoints.size() > 0)
Expand Down
2 changes: 2 additions & 0 deletions test/functional/interface_rest.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -208,6 +208,8 @@ def run_test(self):
self.test_rest_request(f"/getutxos/{spending[0]}_+1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}-+1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}--1", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/{spending[0]}aa-1234", ret_type=RetType.OBJ, status=400)
self.test_rest_request(f"/getutxos/aa-1234", ret_type=RetType.OBJ, status=400)

# Test limits
long_uri = '/'.join([f"{txid}-{n_}" for n_ in range(20)])
Expand Down