Validate inputs to JSON RPC interface #1819
Labels
A-security
Area: Relates to security. Something is insecure.
Comments
This was referenced Aug 25, 2023
spalladino
added a commit
that referenced
this issue
Aug 28, 2023
… name (#1820) Prevents from accidentally passing an unregistered class in the autogenerated JSON RPC client and server. Picks the converter to use for serialisation based on constructor name if function equality match fails (since constructor name match may fail in minimised browser bundles). We were bit by this when the `PrivateKey` class was registered in the client, but due to a duplicated module, the `PrivateKey` class registered was not the same as the one passed as an argument. This caused the object not to be properly serialised, which due to #1819 was not picked up on the server side, and caused all sort of issues. Fixes #1826 --------- Co-authored-by: spypsy <[email protected]>
|
Superseded by #9455 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The JSON RPC server used for exposing an instance of the Aztec RPC Server over HTTP does not validate inputs. Any error in or incompatibility with the client will cause unexpected errors. We should enforce strict validations on the API level.
As an example, an improperly encoded
PrivateKeyobject sent from the CLI resulted inUnknown complete address for addresswhen creating an account, since the generation of the address based off the private key was broken (more details in this Slack thread).The text was updated successfully, but these errors were encountered: