-
Notifications
You must be signed in to change notification settings - Fork 501
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
services/horizon: Validate transaction hash IDs as 64 lowecase hex chars #2394
services/horizon: Validate transaction hash IDs as 64 lowecase hex chars #2394
Conversation
Also, sneak in some minor improvements in `handler.go`
80e131a
to
71d2b47
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Nice, it'll be way better to return 400
instead of 404
for these. Some requests regarding the tests below.
@2opremio the
https://github.com/stellar/go/blob/master/services/horizon/internal/web.go#L234-L238 The fix you have implemented only covers the There are two patterns for implementing HTTP handlers in Horizon. The legacy pattern resembles: https://github.com/stellar/go/blob/master/services/horizon/internal/actions_effects.go Unfortunately, all the endpoints which have a Our strategy for migrating endpoints to the actions package has been to implement functions which parse and validate request parameters in https://github.com/stellar/go/blob/master/services/horizon/internal/actions/helpers.go . Those functions can be used by the legacy handlers which are defined outside the actions package. But, eventually we will move the handlers to the actions package so having the validators live in https://github.com/stellar/go/blob/master/services/horizon/internal/actions/helpers.go makes the migration easier. My suggestion is to implement a function to extract the transaction hash from a request in helpers.go . Here is a similar function that you can use as a model https://github.com/stellar/go/blob/master/services/horizon/internal/actions/helpers.go#L379-L396 Then you can call the function in each of the handlers for the endpoints I listed above. |
2c291b5
to
0b29a51
Compare
0b29a51
to
fc9d999
Compare
This is needed since actions try to decode all parameters even if not present
@tamirms Thanks a lot for the comprehensive explanation. I think everything is addressed. PTAL |
7f25614
to
cd6eff2
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good to me!
Fixes #2392
PR Checklist
PR Structure
otherwise).
services/friendbot
, orall
ordoc
if the changes are broad or impact manypackages.
Thoroughness
.md
files, etc... affected by this change). Take a look in the
docs
folder for a given service,like this one.
Release planning
needed with deprecations, added features, breaking changes, and DB schema changes.
semver, or if it's mainly a patch change. The PR is targeted at the next
release branch if it's not a patch change.
What
Validate transaction ID URL parameters as 64 lowercase hexadecimal characters
Why
Injecting 0x00 was causing internal errors. Also, it's more intuitive to receive a bad request error than a not-found error when there is a problem in the format.
Known limitations
Hardcoding the length may not be a good idea if we change the hash format/length.
This requires a minor release, since we change the HTTP error returned for badly-formatted hashes.