container: Check eACL input in setEACL method's implementation (#330)

* relates #329
nspcc-dev · Apr 11, 2023 · cfa470a · cfa470a
2 parents 8df64fe + 288dddc
commit cfa470a
Show file tree

Hide file tree

Showing 2 changed files with 37 additions and 1 deletion.
diff --git a/container/container_contract.go b/container/container_contract.go
@@ -465,7 +465,9 @@ func List(owner []byte) [][]byte {
 // if it was invoked by Alphabet nodes of the Inner Ring. Otherwise, it produces
 // setEACL notification.
 //
-// EACL should be a stable marshaled EACLTable structure from API.
+// EACL should be a stable marshaled EACLTable structure from API. Protocol
+// version and container reference must be set in 'version' and 'container_id'
+// fields respectively.
 // Signature is a RFC6979 signature of the Container.
 // PublicKey contains the public key of the signer.
 // Token is optional and should be a stable marshaled SessionToken structure from
@@ -477,8 +479,15 @@ func SetEACL(eACL []byte, signature interop.Signature, publicKey interop.PublicK
 
 	// V2 format
 	// get container ID
+	lnEACL := len(eACL)
+	if lnEACL < 2 {
+		panic("missing version field in eACL BLOB")
+	}
 	offset := int(eACL[1])
 	offset = 2 + offset + 4
+	if lnEACL < offset+containerIDSize {
+		panic("missing container ID field in eACL BLOB")
+	}
 	containerID := eACL[offset : offset+containerIDSize]
 
 	ownerID := getOwnerByID(ctx, containerID)

diff --git a/tests/container_test.go b/tests/container_test.go
@@ -336,6 +336,33 @@ func TestContainerSetEACL(t *testing.T) {
 		stackitem.NewByteArray(e.token),
 	})
 	c.Invoke(t, expected, "eACL", cnt.id[:])
+
+	replaceEACLArg := func(eACL []byte) []interface{} {
+		res := make([]interface{}, len(setArgs))
+		copy(res, setArgs)
+		res[0] = eACL
+		return res
+	}
+
+	checkInvalidEACL := func(eACL []byte, exception string) {
+		c.InvokeFail(t, exception, "setEACL", replaceEACLArg(eACL)...)
+	}
+
+	const missingVersionException = "missing version field in eACL BLOB"
+	const missingContainerException = "missing container ID field in eACL BLOB"
+
+	checkInvalidEACL([]byte{}, missingVersionException)
+	checkInvalidEACL([]byte{0}, missingVersionException)
+	checkInvalidEACL([]byte{0, 0, 0}, missingContainerException)
+
+	const offset = byte(20) // any
+
+	// first byte can be any since protobuf is not completely decoded
+	prefix := append([]byte{0, offset}, make([]byte, offset+4)...)
+
+	checkInvalidEACL(prefix, missingContainerException)
+	checkInvalidEACL(append(prefix, make([]byte, len(cnt.id)-1)...), missingContainerException)
+	c.Invoke(t, stackitem.Null{}, "setEACL", replaceEACLArg(append(prefix, cnt.id[:]...))...)
 }
 
 func TestContainerSizeEstimation(t *testing.T) {