Skip to content

Securize ConsensusContext Deserialization#618

Merged
jsolman merged 5 commits intoneo-project:masterfrom
shargon:small-fix
Mar 5, 2019
Merged

Securize ConsensusContext Deserialization#618
jsolman merged 5 commits intoneo-project:masterfrom
shargon:small-fix

Conversation

@shargon
Copy link
Copy Markdown
Member

@shargon shargon commented Mar 4, 2019

No description provided.

@shargon shargon requested review from erikzhang and jsolman March 4, 2019 08:04
jsolman
jsolman reviewed Mar 4, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@jsolman jsolman left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I originally had some safeguards like this; however Erik made the point that it wasn’t necessary for the consensus context, since the consensus context itself is never sent over the network it is only serialized and deserialized locally from the same node. So there should not be any vulnerability by not checking these maximums on deserialization.

@shargon
Copy link
Copy Markdown
Member Author

shargon commented Mar 4, 2019
edited
Loading

This kind of checks is necessary, there is no reason for don't establish a safe maximum, although the process is trustable

@jsolman
Copy link
Copy Markdown
Contributor

jsolman commented Mar 4, 2019

While, I don’t think this fixes any actual security vulnerability in this case, I agree with being defensive on the deserialization and having the safeguards, so I approved. It is a general good practice to always validate input.

igormcoelho
igormcoelho approved these changes Mar 4, 2019
View reviewed changes
Copy link
Copy Markdown
Contributor

@igormcoelho igormcoelho left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree that this should become the standard practice. Although not necessary in this situation, it also helps semantically understanding the maximum limit on each field.

@jsolman jsolman merged commit eb26278 into neo-project:master Mar 5, 2019
@shargon shargon deleted the small-fix branch March 5, 2019 08:32
Thacryba pushed a commit to simplitech/neo that referenced this pull request Feb 17, 2020
@Celia18305
Release 2.9.0 cli (neo-project#614)
5406712 
* 2.9.0

* updates for 2.9.0

* Update v2.9.0.md (neo-project#610)

Adjustment for instruction of getting nep-5 applicationlog.

* Update invokescript.md (neo-project#613)

Add tx

* Update invokefunction.md (neo-project#612)

Add tx for response.

* Create getwalletheight (neo-project#611)

Add getwalletheight api.

* updates for 2.9.0

* minor updates

* Update setup.md (neo-project#617)

Add introduction of Plugins.

* Update v2.9.0.md (neo-project#615)

Add introduction for setting config.json

* final updates

* Update v2.9.0.md (neo-project#618)

Add notes for install plugins.

* plugin related
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@erikzhang erikzhang Awaiting requested review from erikzhang

2 more reviewers

@igormcoelho igormcoelho igormcoelho approved these changes

@jsolman jsolman jsolman approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@shargon @jsolman @igormcoelho