Assumption of JSON Fields from Untrusted Input (GSR-15) #2413

Closed
danforbes opened this issue Mar 21, 2022 · 0 comments · Fixed by #2527
WebSocket RPC messages are unmarshalled from JSON into a map, which should have certain fields.

If the expected fields are not present then nil will be returned. This may lead to unexpected nil pointer exceptions being raised when these pointers are used.

The issue may be resolved by first ensuring each of the required fields is present in the map before accessing them.

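```go
var reqid float64
if val, ok := msg["id"]; ok {
	// Assign with "=" so the outer reqid is set; ":=" would declare a
	// new reqid scoped to this if statement and leave the outer one zero.
	if reqid, ok = val.(float64); !ok {
		// handle error: "id" is present but is not a JSON number
		return
	}
} else {
	// handle error: "id" is missing
	return
}
var method string
if val, ok := msg["method"]; ok {
	if method, ok = val.(string); !ok {
		// handle error: "method" is present but is not a JSON string
		return
	}
} else {
	// handle error: "method" is missing
	return
}
```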
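The check proposed in this issue, written as a stand-alone function and run over a few malformed messages. This is an added example, not the project's code or the fix merged in #2527; `parseRPCFields`, `errBadRequest` and the sample messages are hypothetical.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// errBadRequest and parseRPCFields are hypothetical names for this example.
var errBadRequest = errors.New("invalid RPC request")

// parseRPCFields decodes one untrusted message and returns its "id" and
// "method", or an error if either is missing or has the wrong JSON type.
func parseRPCFields(raw []byte) (float64, string, error) {
	var msg map[string]interface{}
	if err := json.Unmarshal(raw, &msg); err != nil {
		return 0, "", fmt.Errorf("%w: %v", errBadRequest, err)
	}
	idVal, ok := msg["id"]
	if !ok {
		return 0, "", fmt.Errorf("%w: missing \"id\"", errBadRequest)
	}
	id, ok := idVal.(float64) // comma-ok form: no panic on a wrong type
	if !ok {
		return 0, "", fmt.Errorf("%w: \"id\" is %T, want number", errBadRequest, idVal)
	}
	methodVal, ok := msg["method"]
	if !ok {
		return 0, "", fmt.Errorf("%w: missing \"method\"", errBadRequest)
	}
	method, ok := methodVal.(string)
	if !ok {
		return 0, "", fmt.Errorf("%w: \"method\" is %T, want string", errBadRequest, methodVal)
	}
	return id, method, nil
}

func main() {
	// Constructed sample messages, not captured traffic.
	samples := []string{
		`{"jsonrpc":"2.0","id":1,"method":"example_method"}`,
		`{"jsonrpc":"2.0","method":"example_method"}`,
		`{"id":"1","method":"example_method"}`,
		`{"id":1,"method":null}`,
		`null`,
	}
	for _, s := range samples {
		id, method, err := parseRPCFields([]byte(s))
		fmt.Printf("%-52s id=%v method=%q err=%v\n", s, id, method, err)
	}
}
```

The `null` sample decodes without error into a nil map, so only the presence check rejects it.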