Skip to content

Place access list deserialization guards#9466

Merged
LukaszRozmej merged 6 commits into
masterfrom
fix/acess-list-deserialization
Oct 15, 2025
Merged

Place access list deserialization guards#9466
LukaszRozmej merged 6 commits into
masterfrom
fix/acess-list-deserialization

Conversation

@LukaszRozmej

@LukaszRozmej LukaszRozmej commented Oct 14, 2025
edited
Loading

Copy link
Copy Markdown
Member

Changes

  • Custom AccessListForRpc deserialization
  • Guards memory usage when spammed with huge request to eth_sendTransaction

Types of changes

What types of changes does your code introduce?

  • Other: input parsing hardening

Testing

Requires testing

  • Yes

If yes, did you write tests?

  • No

Notes on testing

Existing tests should cover it.

Documentation

Requires documentation update

  • No

Requires explanation in Release Notes

  • No

@LukaszRozmej LukaszRozmej marked this pull request as ready for review October 14, 2025 18:27
@benaadams benaadams requested a review from Copilot October 15, 2025 03:46
benaadams
benaadams approved these changes Oct 15, 2025
View reviewed changes

@benaadams benaadams left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests?

Copilot AI reviewed Oct 15, 2025
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds security hardening to the AccessListForRpc deserialization to prevent memory exhaustion attacks when processing large or malicious requests to eth_sendTransaction. The implementation replaces automatic JSON deserialization with manual parsing that enforces strict limits on the number of access list items and storage keys.

Key Changes:

  • Implemented custom JSON deserialization with memory usage guards
  • Added configurable limits: max 1000 items per access list, max 1000 storage keys per item, max 10000 total storage keys
  • Enhanced input validation with explicit checks for expected JSON token types

Comment thread src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs
Comment thread src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs Outdated
Comment thread src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs Outdated
Comment thread src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs Outdated
else if (reader.TokenType == JsonTokenType.StartArray)
{
storageKeys = new List<UInt256>();
int keyCount = 0;

Copilot AI Oct 15, 2025

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The variable keyCount tracks storage keys per item while storageItemsCount tracks total storage keys across all items. Consider renaming keyCount to itemStorageKeyCount or keysInCurrentItem to clarify the distinction and improve code readability.

Copilot uses AI. Check for mistakes.
Comment thread src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs
@benaadams

benaadams commented Oct 15, 2025
edited
Loading

Copy link
Copy Markdown
Member

Existing tests should cover it.

Shouldn't they be failing now if they covered? Since you are throwing new exceptions

@LukaszRozmej

LukaszRozmej commented Oct 15, 2025
edited
Loading

Copy link
Copy Markdown
Member Author

Tests?

There are standard tests for this endpoint, they still work (and helped me to fix a bug).

I generated base for this code with ChatGPT and didn't have to do much changes, so AI:

1hhv9m

LukaszRozmej and others added 3 commits October 15, 2025 08:34
@LukaszRozmej
Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessList…
ce2c263 
…ForRpc.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@LukaszRozmej
Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessList…
c9ea0c0 
…ForRpc.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@LukaszRozmej
rename
261c214
@LukaszRozmej LukaszRozmej merged commit 6e50860 into master Oct 15, 2025
141 of 143 checks passed
@LukaszRozmej LukaszRozmej deleted the fix/acess-list-deserialization branch October 15, 2025 08:33
stdevMac pushed a commit that referenced this pull request Oct 30, 2025
@LukaszRozmej @stdevMac
Place access list deserialization guards (#9466)
4180836 
* Place access list deserialization guards

* refactor

* fix property casing

* Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* rename

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@benaadams benaadams benaadams approved these changes

@emlautarom1 emlautarom1 Awaiting requested review from emlautarom1

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LukaszRozmej @benaadams