From 39b08cab80b54470bd8d93b6aee112c5fd821cd5 Mon Sep 17 00:00:00 2001
From: Kaung Myat Thu <2962000kaungmyatthu@gmail.com>
Date: Wed, 4 Sep 2024 00:10:34 +0700
Subject: [PATCH 1/2] fix: sql injection when recordTxStatus feature is on fix: broken regex enclosed in double quotes
---
 src/config.ts | 4 ++--
 src/middlewares/injectIP.ts | 8 +++++++-
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/src/config.ts b/src/config.ts
index a8c6f828..8b0c6ca7 100644
--- a/src/config.ts
+++ b/src/config.ts
@@ -144,7 +144,7 @@ export const CONFIG: Config = {
 },
 aalgWarmup: false,
 aalgWarmupServiceTPS: 10,
- recordTxStatus: false,
+ recordTxStatus: false, // not safe for production, keep this off. Known issue.
 rateLimit: false,
 rateLimitOption: {
 softReject: true,
@@ -158,7 +158,7 @@ export const CONFIG: Config = {
 releaseFromBlacklistInterval: 12, // remove banned ip from blacklist after 12 hours
 allowedHeavyRequestPerMin: 20, // number of eth_call + tx inject allowed within 60s
 },
- statLog: false,
+ statLog: false, // not safe for production, keep this off
 passphrase: process.env.PASSPHRASE || 'sha4d3um', // this is to protect debug routes
 secret_key: process.env.SECRET_KEY || 'YsDGSMYHkSBMGD6B4EmD?mFTWG2Wka-Z9b!Jc/CLkrM8eLsBe5abBaTSGeq?6g?P', // this is the private key that rpc server will used to sign jwt token
 adaptiveRejection: true,
diff --git a/src/middlewares/injectIP.ts b/src/middlewares/injectIP.ts
index 9478f8fd..126c802c 100644
--- a/src/middlewares/injectIP.ts
+++ b/src/middlewares/injectIP.ts
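Review bot: The new comment on `recordTxStatus` says "Known issue." without naming the issue, so whoever flips this flag later has no way to learn what is unsafe about it; the patch subject ties the flag to a SQL injection when the feature is on, and the comment should say that and point at the consumer. I would write `recordTxStatus: false, // not safe for production: the client ip stamped on the request by injectIP is written to SQL downstream (see patch subject); keep off until that path is parameterized`. A comment cannot stop a deployment from turning the flag on; if the project has a startup config validation step, failing fast when this is true under a production environment would be the stronger guard, but that lives outside this hunk. The CONFIG object continues before and after the hunk.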
@@ -2,7 +2,13 @@ import { CONFIG } from '../config'
 import { NextFunction, Request, Response } from 'express'
 
 const injectIP = (req: Request, res: Response, next: NextFunction): void => {
- if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus) req.body.params[1000] = req.ip
+ if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus){
+ const regex_str = /^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$/;
+ const regex = new RegExp(regex_str)
+ if (regex.test(req.ip)){
+ req.body.ip = req.ip
+ }
+ }
 next()
 return
 }
From 62632434b0a52a05d0f57365dc9b5683fa660746 Mon Sep 17 00:00:00 2001
From: Kaung Myat Thu <2962000kaungmyatthu@gmail.com>
Date: Thu, 22 Aug 2024 17:42:51 +0700
Subject: [PATCH 2/2] fix: sql injection by parsing to number
---
 src/routes/log.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/routes/log.ts b/src/routes/log.ts
index 1ae31abc..a5f652d0 100644
--- a/src/routes/log.ts
+++ b/src/routes/log.ts
@@ -121,8 +121,8 @@ const prepareSQLFilters = ({
 }
 
 router.route('/api-stats').get(async (req: CustomRequest, res: Response) => {
 try {
- const page = req.query.page || 0
- const max = req.query.max || 5000
+ const page = Number(req.query.page) || 0
+ const max = Number(req.query.max) || 5000
 const cursor: number = page * max
 const start = req.query.start ? timeInputProcessor(req.query.start as string) : null
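Review bot: `req.body.ip` is only assigned when the regex matches, so a client that puts its own `"ip"` field into the JSON-RPC body keeps it whenever validation fails — most obviously for every IPv6 client, since the new regex accepts dotted-quad IPv4 only and Express commonly reports `::1` or `::ffff:a.b.c.d`; the old line at least overwrote its slot unconditionally. The field should be overwritten on every matching request, with `undefined` when the address does not validate, and the regex should be built once at module scope rather than wrapping a literal in `new RegExp` per request. Whether IPv6 clients should simply go unrecorded is a product question worth a comment; the allowlist is good defense in depth, but the recorder that consumes `req.body.ip` (not visible here) still has to bind the value as a query parameter rather than concatenate it.
```typescript
// Built once. Dotted-quad IPv4 only: IPv6 (including ::ffff:a.b.c.d) is rejected and goes unrecorded.
const IPV4_RE = /^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$/

const injectIP = (req: Request, res: Response, next: NextFunction): void => {
  if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus) {
    // Always overwrite: a caller can supply its own "ip" in the body and it must never reach the recorder.
    req.body.ip = typeof req.ip === 'string' && IPV4_RE.test(req.ip) ? req.ip : undefined
  }
  // … unchanged: next() / return …
}
```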
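Review bot: `Number(req.query.page) || 0` and `Number(req.query.max) || 5000` stop strings from reaching the query, but they still accept `Infinity`, negative and fractional values and an unbounded `max`, so `cursor` can be negative, non-integer or `Infinity` and a single request can ask for an arbitrarily large page; if `prepareSQLFilters` or the code below splices these into LIMIT/OFFSET (the query construction is not visible here), that is still an odd-query and resource-exhaustion vector. Reject anything that is not a non-negative safe integer and cap `max`, keeping the existing `|| 5000` fallback for `max=0`. The route handler continues past the end of the hunk, and parameterizing the query at the sink remains the real fix that this input coercion only narrows.
```typescript
// Non-negative safe integer or the fallback; rejects NaN, Infinity, negatives and fractions.
const toIndex = (v: unknown, fallback: number): number => {
  const n = Number(v)
  return Number.isSafeInteger(n) && n >= 0 ? n : fallback
}
const page = toIndex(req.query.page, 0)
const max = Math.min(toIndex(req.query.max, 5000) || 5000, 5000) // cap the page size
const cursor: number = page * max
// … unchanged: start / remainder of the handler …
```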