SHARD-56: add better security for limit/offset query params (#95)

* add better security for limit/offset query params * fix: prefix logs with method name
shardeum · Oct 30, 2024 · ffe8027 · ffe8027
1 parent dcd2e8a
commit ffe8027
Show file tree

Hide file tree

Showing 6 changed files with 53 additions and 2 deletions.
diff --git a/src/Data/AccountDataProvider.ts b/src/Data/AccountDataProvider.ts
@@ -198,9 +198,11 @@ export const provideAccountDataRequest = async (
   // AND accountId <= "${accountEnd}" AND accountId >= "${accountStart}"
   // ORDER BY timestamp, accountId  LIMIT ${maxRecords}`
 
+  const safeSkip = Number.isInteger(offset) ? offset : 0
+  const safeLimit = Number.isInteger(maxRecords) ? maxRecords : 100
   const sqlPrefix = `SELECT * FROM accounts WHERE `
-  const queryString = `accountId BETWEEN ? AND ? AND timestamp BETWEEN ? AND ? ORDER BY timestamp ASC, accountId ASC LIMIT ${maxRecords}`
-  const offsetCondition = ` OFFSET ${offset}`
+  const queryString = `accountId BETWEEN ? AND ? AND timestamp BETWEEN ? AND ? ORDER BY timestamp ASC, accountId ASC LIMIT ${safeLimit}`
+  const offsetCondition = ` OFFSET ${safeSkip}`
   let sql = sqlPrefix
   let values = []
   if (accountOffset) {
@@ -263,6 +265,7 @@ export const provideAccountDataByListRequest = async (
 ): Promise<WrappedStateArray> => {
   const { accountIds } = payload
   const wrappedAccounts: WrappedStateArray = []
+  // todo: does this even work right now?
   const sql = `SELECT * FROM accounts WHERE accountId IN (?)`
   const accounts = await Account.fetchAccountsBySqlQuery(sql, accountIds)
   for (const account of accounts) {

diff --git a/src/dbstore/accounts.ts b/src/dbstore/accounts.ts
@@ -90,6 +90,10 @@ export async function queryAccountByAccountId(accountId: string): Promise<Accoun
 }
 
 export async function queryLatestAccounts(count: number): Promise<AccountsCopy[] | null> {
+  if (!Number.isInteger(count)) {
+    Logger.mainLogger.error('queryLatestAccounts - Invalid count value')
+    return null
+  }
   try {
     const sql = `SELECT * FROM accounts ORDER BY cycleNumber DESC, timestamp DESC LIMIT ${
       count ? count : 100
@@ -114,6 +118,10 @@ export async function queryLatestAccounts(count: number): Promise<AccountsCopy[]
 export async function queryAccounts(skip = 0, limit = 10000): Promise<AccountsCopy[]> {
   let dbAccounts: DbAccountCopy[]
   const accounts: AccountsCopy[] = []
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryAccounts - Invalid skip or limit value')
+    return accounts
+  }
   try {
     const sql = `SELECT * FROM accounts ORDER BY cycleNumber ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     dbAccounts = (await db.all(accountDatabase, sql)) as DbAccountCopy[]
@@ -174,6 +182,10 @@ export async function queryAccountsBetweenCycles(
 ): Promise<AccountsCopy[]> {
   let dbAccounts: DbAccountCopy[]
   const accounts: AccountsCopy[] = []
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryAccountsBetweenCycles - Invalid skip or limit value')
+    return accounts
+  }
   try {
     const sql = `SELECT * FROM accounts WHERE cycleNumber BETWEEN ? AND ? ORDER BY cycleNumber ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     dbAccounts = (await db.all(accountDatabase, sql, [startCycleNumber, endCycleNumber])) as DbAccountCopy[]

diff --git a/src/dbstore/cycles.ts b/src/dbstore/cycles.ts
@@ -81,6 +81,10 @@ export async function queryCycleByMarker(marker: string): Promise<Cycle> {
 }
 
 export async function queryLatestCycleRecords(count: number): Promise<P2P.CycleCreatorTypes.CycleData[]> {
+  if (!Number.isInteger(count)) {
+    Logger.mainLogger.error('queryLatestCycleRecords - Invalid count value')
+    return []
+  }
   try {
     const sql = `SELECT * FROM cycles ORDER BY counter DESC LIMIT ${count ? count : 100}`
     const dbCycles = (await db.all(cycleDatabase, sql)) as DbCycle[]

diff --git a/src/dbstore/originalTxsData.ts b/src/dbstore/originalTxsData.ts
@@ -90,6 +90,10 @@ export async function queryOriginalTxsData(
   endCycle?: number
 ): Promise<OriginalTxData[]> {
   let originalTxsData: DbOriginalTxData[] = []
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryOriginalTxsData - Invalid skip or limit')
+    return originalTxsData
+  }
   try {
     let sql = `SELECT * FROM originalTxsData`
     const sqlSuffix = ` ORDER BY cycle ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
@@ -166,6 +170,10 @@ export async function queryOriginalTxDataCountByCycles(
 }
 
 export async function queryLatestOriginalTxs(count: number): Promise<OriginalTxData[]> {
+  if (!Number.isInteger(count)) {
+    Logger.mainLogger.error('queryLatestOriginalTxs - Invalid count value')
+    return null
+  }
   try {
     const sql = `SELECT * FROM originalTxsData ORDER BY cycle DESC, timestamp DESC LIMIT ${
       count ? count : 100

diff --git a/src/dbstore/receipts.ts b/src/dbstore/receipts.ts
@@ -159,6 +159,10 @@ export async function queryReceiptByReceiptId(receiptId: string, timestamp = 0):
 }
 
 export async function queryLatestReceipts(count: number): Promise<Receipt[]> {
+  if (!Number.isInteger(count)) {
+    Logger.mainLogger.error('queryLatestReceipts - Invalid count value')
+    return null
+  }
   try {
     const sql = `SELECT * FROM receipts ORDER BY cycle DESC, timestamp DESC LIMIT ${count ? count : 100}`
     const receipts = (await db.all(receiptDatabase, sql)) as DbReceipt[]
@@ -179,6 +183,10 @@ export async function queryLatestReceipts(count: number): Promise<Receipt[]> {
 
 export async function queryReceipts(skip = 0, limit = 10000): Promise<Receipt[]> {
   let receipts: Receipt[] = []
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryReceipts - Invalid skip or limit')
+    return receipts
+  }
   try {
     const sql = `SELECT * FROM receipts ORDER BY cycle ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     receipts = (await db.all(receiptDatabase, sql)) as DbReceipt[]
@@ -261,6 +269,10 @@ export async function queryReceiptsBetweenCycles(
   endCycleNumber: number
 ): Promise<Receipt[]> {
   let receipts: Receipt[] = []
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryReceiptsBetweenCycles - Invalid skip or limit')
+    return receipts
+  }
   try {
     const sql = `SELECT * FROM receipts WHERE cycle BETWEEN ? AND ? ORDER BY cycle ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     receipts = (await db.all(receiptDatabase, sql, [startCycleNumber, endCycleNumber])) as DbReceipt[]

diff --git a/src/dbstore/transactions.ts b/src/dbstore/transactions.ts
@@ -99,6 +99,10 @@ export async function queryTransactionByAccountId(accountId: string): Promise<Tr
 }
 
 export async function queryLatestTransactions(count: number): Promise<Transaction[]> {
+  if (!Number.isInteger(count)) {
+    Logger.mainLogger.error('queryLatestTransactions - Invalid count value')
+    return null
+  }
   try {
     const sql = `SELECT * FROM transactions ORDER BY cycleNumber DESC, timestamp DESC LIMIT ${
       count ? count : 100
@@ -123,6 +127,10 @@ export async function queryLatestTransactions(count: number): Promise<Transactio
 
 export async function queryTransactions(skip = 0, limit = 10000): Promise<Transaction[]> {
   let transactions
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryTransactions - Invalid skip or limit')
+    return null
+  }
   try {
     const sql = `SELECT * FROM transactions ORDER BY cycleNumber ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     transactions = (await db.all(transactionDatabase, sql)) as DbTransaction[] // TODO: confirm structure of object from db
@@ -189,6 +197,10 @@ export async function queryTransactionsBetweenCycles(
   endCycleNumber: number
 ): Promise<Transaction[]> {
   let transactions
+  if (!Number.isInteger(skip) || !Number.isInteger(limit)) {
+    Logger.mainLogger.error('queryTransactionsBetweenCycles - Invalid skip or limit value')
+    return null
+  }
   try {
     const sql = `SELECT * FROM transactions WHERE cycleNumber BETWEEN ? AND ? ORDER BY cycleNumber ASC, timestamp ASC LIMIT ${limit} OFFSET ${skip}`
     transactions = (await db.all(transactionDatabase, sql, [