fix: sql injection when recordTxStatus feature is on

shardeum · Sep 3, 2024 · 11e775f · 11e775f
1 parent 7933f76
commit 11e775f
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 3 deletions.
diff --git a/src/config.ts b/src/config.ts
@@ -146,7 +146,7 @@ export const CONFIG: Config = {
   },
   aalgWarmup: false,
   aalgWarmupServiceTPS: 10,
-  recordTxStatus: false,
+  recordTxStatus: false, // not safe for production, keep this off. Known issue.
   rateLimit: false,
   rateLimitOption: {
     softReject: true,
@@ -160,7 +160,7 @@ export const CONFIG: Config = {
     releaseFromBlacklistInterval: 12, // remove banned ip from blacklist after 12 hours
     allowedHeavyRequestPerMin: 20, // number of eth_call + tx inject allowed within 60s
   },
-  statLog: false,
+  statLog: false, // not safe for production, keep this off
   passphrase: process.env.PASSPHRASE || 'sha4d3um', // this is to protect debug routes
   secret_key: process.env.SECRET_KEY || 'YsDGSMYHkSBMGD6B4EmD?mFTWG2Wka-Z9b!Jc/CLkrM8eLsBe5abBaTSGeq?6g?P', // this is the private key that rpc server will used to sign jwt token
   adaptiveRejection: true,

diff --git a/src/middlewares/injectIP.ts b/src/middlewares/injectIP.ts
@@ -2,7 +2,14 @@ import { CONFIG } from '../config'
 import { NextFunction, Request, Response } from 'express'
 
 const injectIP = (req: Request, res: Response, next: NextFunction): void => {
-  if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus) req.body.params[1000] = req.ip
+  if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus){
+    // prevents sql injection
+    const regex_str = "^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"
+    const regex = new RegExp(regex_str)
+    if (regex.test(req.ip)){
+      req.body.ip = req.ip
+    }
+  }
   next()
   return
 }