Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

PRI-106 - fix: sql injection by parsing to number #52

Merged
merged 2 commits into from
Sep 5, 2024
Merged

PRI-106 - fix: sql injection by parsing to number #52

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
39b08ca
fix: sql injection when recordTxStatus feature is on
kgmyatthu Sep 3, 2024
6263243
fix: sql injection by parsing to number
kgmyatthu Aug 22, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ export const CONFIG: Config = {
},
aalgWarmup: false,
aalgWarmupServiceTPS: 10,
recordTxStatus: false,
recordTxStatus: false, // not safe for production, keep this off. Known issue.
rateLimit: false,
rateLimitOption: {
softReject: true,
Expand All @@ -158,7 +158,7 @@ export const CONFIG: Config = {
releaseFromBlacklistInterval: 12, // remove banned ip from blacklist after 12 hours
allowedHeavyRequestPerMin: 20, // number of eth_call + tx inject allowed within 60s
},
statLog: false,
statLog: false, // not safe for production, keep this off
passphrase: process.env.PASSPHRASE || 'sha4d3um', // this is to protect debug routes
secret_key: process.env.SECRET_KEY || 'YsDGSMYHkSBMGD6B4EmD?mFTWG2Wka-Z9b!Jc/CLkrM8eLsBe5abBaTSGeq?6g?P', // this is the private key that rpc server will used to sign jwt token
adaptiveRejection: true,
Expand Down
8 changes: 7 additions & 1 deletion src/middlewares/injectIP.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,13 @@ import { CONFIG } from '../config'
import { NextFunction, Request, Response } from 'express'

const injectIP = (req: Request, res: Response, next: NextFunction): void => {
if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus) req.body.params[1000] = req.ip
if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus){
const regex_str = /^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$/;
const regex = new RegExp(regex_str)
if (regex.test(req.ip)){
req.body.ip = req.ip
}
}
next()
return
}
Expand Down
4 changes: 2 additions & 2 deletions src/routes/log.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -121,8 +121,8 @@ const prepareSQLFilters = ({
}
router.route('/api-stats').get(async (req: CustomRequest, res: Response) => {
try {
const page = req.query.page || 0
const max = req.query.max || 5000
const page = Number(req.query.page) || 0
kgmyatthu marked this conversation as resolved.
Show resolved Hide resolved
const max = Number(req.query.max) || 5000
const cursor: number = page * max

const start = req.query.start ? timeInputProcessor(req.query.start as string) : null
Expand Down
Loading