Skip to content

Place access list deserialization guards #9466

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
LukaszRozmej merged 6 commits into from
Oct 15, 2025
Merged

Place access list deserialization guards #9466

LukaszRozmej merged 6 commits into from
Oct 15, 2025

Conversation

@LukaszRozmej
Copy link
Member

@LukaszRozmej LukaszRozmej commented Oct 14, 2025
edited
Loading

Changes

  • Custom AccessListForRpc deserialization
  • Guards memory usage when spammed with huge request to eth_sendTransaction

Types of changes

What types of changes does your code introduce?

  • Other: input parsing hardening

Testing

Requires testing

  • Yes

If yes, did you write tests?

  • No

Notes on testing

Existing tests should cover it.

Documentation

Requires documentation update

  • No

Requires explanation in Release Notes

  • No

@LukaszRozmej LukaszRozmej marked this pull request as ready for review October 14, 2025 18:27
@benaadams benaadams requested a review from Copilot October 15, 2025 03:46
benaadams
benaadams approved these changes Oct 15, 2025
View reviewed changes
Copy link
Member

@benaadams benaadams left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests?

Copilot AI reviewed Oct 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds security hardening to the AccessListForRpc deserialization to prevent memory exhaustion attacks when processing large or malicious requests to eth_sendTransaction. The implementation replaces automatic JSON deserialization with manual parsing that enforces strict limits on the number of access list items and storage keys.

Key Changes:

  • Implemented custom JSON deserialization with memory usage guards
  • Added configurable limits: max 1000 items per access list, max 1000 storage keys per item, max 10000 total storage keys
  • Enhanced input validation with explicit checks for expected JSON token types

src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs Outdated
else if (reader.TokenType == JsonTokenType.StartArray)
{
storageKeys = new List<UInt256>();
int keyCount = 0;
Copy link

Copilot AI Oct 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[nitpick] The variable keyCount tracks storage keys per item while storageItemsCount tracks total storage keys across all items. Consider renaming keyCount to itemStorageKeyCount or keysInCurrentItem to clarify the distinction and improve code readability.

Copilot uses AI. Check for mistakes.
@benaadams
Copy link
Member

benaadams commented Oct 15, 2025
edited
Loading

Existing tests should cover it.

Shouldn't they be failing now if they covered? Since you are throwing new exceptions

@LukaszRozmej
Copy link
Member Author

LukaszRozmej commented Oct 15, 2025
edited
Loading

Tests?

There are standard tests for this endpoint, they still work (and helped me to fix a bug).

I generated base for this code with ChatGPT and didn't have to do much changes, so AI:

1hhv9m

@LukaszRozmej LukaszRozmej merged commit 6e50860 into master Oct 15, 2025
141 of 143 checks passed
@LukaszRozmej LukaszRozmej deleted the fix/acess-list-deserialization branch October 15, 2025 08:33
stdevMac pushed a commit that referenced this pull request Oct 30, 2025
@LukaszRozmej @stdevMac
Place access list deserialization guards (#9466)
4180836 
* Place access list deserialization guards

* refactor

* fix property casing

* Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs

Co-authored-by: Copilot <[email protected]>

* Update src/Nethermind/Nethermind.Facade/Eth/RpcTransaction/AccessListForRpc.cs

Co-authored-by: Copilot <[email protected]>

* rename

---------

Co-authored-by: Copilot <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@benaadams benaadams benaadams approved these changes

@emlautarom1 emlautarom1 Awaiting requested review from emlautarom1

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@LukaszRozmej @benaadams