Validate the tx_json field in sign_for (RIPD-1100)

2025-11-20 02:55:50 +00:00 · 2016-03-31 00:26:40 -07:00
parent 73e48e6595
commit 06bfcad671
2 changed files with 48 additions and 2 deletions
--- a/src/ripple/rpc/impl/TransactionSign.cpp
+++ b/src/ripple/rpc/impl/TransactionSign.cpp
@@ -785,6 +785,9 @@ static Json::Value checkMultiSignFields (Json::Value const& jvRequest)

    Json::Value const& tx_json (jvRequest [jss::tx_json]);

+    if (!tx_json.isObject())
+        return RPC::invalid_field_message (jss::tx_json);
+
    // There are a couple of additional fields we need to check before
    // we serialize.  If we serialize first then we generate less useful
    //error messages.
@@ -878,13 +881,17 @@ Json::Value transactionSignFor (
            RPC::invalid_field_message (accountField));
    }

-    // If the tx_json.SigningPubKey field is missing, insert an empty one.
-    // RIPD-1036.
   if (! jvRequest.isMember (jss::tx_json))
        return RPC::missing_field_error (jss::tx_json);

    {
        Json::Value& tx_json (jvRequest [jss::tx_json]);
+
+        if (!tx_json.isObject())
+            return RPC::object_field_error (jss::tx_json);
+
+        // If the tx_json.SigningPubKey field is missing,
+        // insert an empty one.
        if (!tx_json.isMember (sfSigningPubKey.getJsonName()))
            tx_json[sfSigningPubKey.getJsonName()] = "";
    }
--- a/src/ripple/rpc/tests/JSONRPC.test.cpp
+++ b/src/ripple/rpc/tests/JSONRPC.test.cpp
@@ -1112,6 +1112,45 @@ R"({
 "Missing field 'tx_json.TransactionType'.",
 "Missing field 'tx_json.TransactionType'."}},

+{ "Invalid field 'tx_json': string instead of object",
+R"({
+    "command": "doesnt_matter",
+    "account": "rHb9CJAWyB4rj91VRWn96DkukG4bwdtyTh",
+    "secret": "masterpassphrase",
+    "tx_json": ""
+})",
+{
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object."}},
+
+{ "Invalid field 'tx_json': integer instead of object",
+R"({
+    "command": "doesnt_matter",
+    "account": "rHb9CJAWyB4rj91VRWn96DkukG4bwdtyTh",
+    "secret": "masterpassphrase",
+    "tx_json": 20160331
+})",
+{
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object."}},
+
+{ "Invalid field 'tx_json': array instead of object",
+R"({
+    "command": "doesnt_matter",
+    "account": "rHb9CJAWyB4rj91VRWn96DkukG4bwdtyTh",
+    "secret": "masterpassphrase",
+    "tx_json": [ "hello", "world" ]
+})",
+{
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object.",
+"Invalid field 'tx_json', not object."}},
+
 { "Minimal submit_multisigned.",
 R"({
    "command": "submit_multisigned",