GOLD-238 fix: sql injection when recordTxStatus feature is on

src/config.ts

@@ -144,7 +144,7 @@ export const CONFIG: Config = {
   },
   aalgWarmup: false,
   aalgWarmupServiceTPS: 10,
-  recordTxStatus: false,
+  recordTxStatus: false, // not safe for production, keep this off. Known issue.
   rateLimit: false,
   rateLimitOption: {
     softReject: true,
@@ -158,7 +158,7 @@ export const CONFIG: Config = {
     releaseFromBlacklistInterval: 12, // remove banned ip from blacklist after 12 hours
     allowedHeavyRequestPerMin: 20, // number of eth_call + tx inject allowed within 60s
   },
-  statLog: false,
+  statLog: false, // not safe for production, keep this off
   passphrase: process.env.PASSPHRASE || 'sha4d3um', // this is to protect debug routes
   secret_key: process.env.SECRET_KEY || 'YsDGSMYHkSBMGD6B4EmD?mFTWG2Wka-Z9b!Jc/CLkrM8eLsBe5abBaTSGeq?6g?P', // this is the private key that rpc server will used to sign jwt token
   adaptiveRejection: true,

src/middlewares/injectIP.ts

@@ -2,7 +2,13 @@ import { CONFIG } from '../config'
 import { NextFunction, Request, Response } from 'express'
 
 const injectIP = (req: Request, res: Response, next: NextFunction): void => {
-  if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus) req.body.params[1000] = req.ip
+  if (req.body.method === 'eth_sendRawTransaction' && CONFIG.recordTxStatus){
+    const regex_str = /^(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])){3}$/;
+    const regex = new RegExp(regex_str)
+    if (regex.test(req.ip)){
+      req.body.ip = req.ip
+    }
+  }
   next()
   return
 }