From 6ff495fd9b923c5a07e5aca159ea268d34ac0c9e Mon Sep 17 00:00:00 2001
From: Olek <115580134+oleks-rip@users.noreply.github.com>
Date: Wed, 19 Nov 2025 11:58:18 -0500
Subject: [PATCH 1/3] Fix: Perform array size check (#6030)

The `ledger_entry` and `deposit_preauth` requests require an array of credentials. However, the array size is not checked before is gets processing. This fix adds checks and return errors in case array size is too big.
---
 src/test/rpc/LedgerEntry_test.cpp      |  4 +--
 src/xrpld/rpc/handlers/LedgerEntry.cpp | 34 ++++++++++++++++++--------
 2 files changed, 26 insertions(+), 12 deletions(-)

diff --git a/src/test/rpc/LedgerEntry_test.cpp b/src/test/rpc/LedgerEntry_test.cpp
index fdd3838e89..a0fde0f457 100644
--- a/src/test/rpc/LedgerEntry_test.cpp
+++ b/src/test/rpc/LedgerEntry_test.cpp
@@ -1103,7 +1103,7 @@ class LedgerEntry_test : public beast::unit_test::suite
             checkErrorValue(
                 jrr[jss::result],
                 "malformedAuthorizedCredentials",
-                "Invalid field 'authorized_credentials', not array.");
+                "Invalid field 'authorized_credentials', array empty.");
         }
 
         {
@@ -1144,7 +1144,7 @@ class LedgerEntry_test : public beast::unit_test::suite
             checkErrorValue(
                 jrr[jss::result],
                 "malformedAuthorizedCredentials",
-                "Invalid field 'authorized_credentials', not array.");
+                "Invalid field 'authorized_credentials', array too long.");
         }
     }
 
diff --git a/src/xrpld/rpc/handlers/LedgerEntry.cpp b/src/xrpld/rpc/handlers/LedgerEntry.cpp
index 992c5551c3..bf8a4a5b80 100644
--- a/src/xrpld/rpc/handlers/LedgerEntry.cpp
+++ b/src/xrpld/rpc/handlers/LedgerEntry.cpp
@@ -16,8 +16,6 @@
 #include <xrpl/protocol/STXChainBridge.h>
 #include <xrpl/protocol/jss.h>
 
-#include <functional>
-
 namespace ripple {
 
 static Expected<uint256, Json::Value>
@@ -178,18 +176,41 @@ static Expected<STArray, Json::Value>
 parseAuthorizeCredentials(Json::Value const& jv)
 {
     if (!jv.isArray())
+    {
         return LedgerEntryHelpers::invalidFieldError(
             "malformedAuthorizedCredentials",
             jss::authorized_credentials,
             "array");
-    STArray arr(sfAuthorizeCredentials, jv.size());
+    }
+
+    std::uint32_t const n = jv.size();
+    if (n > maxCredentialsArraySize)
+    {
+        return Unexpected(LedgerEntryHelpers::malformedError(
+            "malformedAuthorizedCredentials",
+            "Invalid field '" + std::string(jss::authorized_credentials) +
+                "', array too long."));
+    }
+
+    if (n == 0)
+    {
+        return Unexpected(LedgerEntryHelpers::malformedError(
+            "malformedAuthorizedCredentials",
+            "Invalid field '" + std::string(jss::authorized_credentials) +
+                "', array empty."));
+    }
+
+    STArray arr(sfAuthorizeCredentials, n);
     for (auto const& jo : jv)
     {
         if (!jo.isObject())
+        {
             return LedgerEntryHelpers::invalidFieldError(
                 "malformedAuthorizedCredentials",
                 jss::authorized_credentials,
                 "array");
+        }
+
         if (auto const value = LedgerEntryHelpers::hasRequired(
                 jo,
                 {jss::issuer, jss::credential_type},
@@ -260,13 +281,6 @@ parseDepositPreauth(Json::Value const& dp, Json::StaticString const fieldName)
     auto const arr = parseAuthorizeCredentials(ac);
     if (!arr.has_value())
         return Unexpected(arr.error());
-    if (arr->empty() || (arr->size() > maxCredentialsArraySize))
-    {
-        return LedgerEntryHelpers::invalidFieldError(
-            "malformedAuthorizedCredentials",
-            jss::authorized_credentials,
-            "array");
-    }
 
     auto const& sorted = credentials::makeSorted(arr.value());
     if (sorted.empty())

From a3d4be4eafce09c8a26fa81489fd59d4fd4a4b97 Mon Sep 17 00:00:00 2001
From: Mayukha Vadari <mvadari@ripple.com>
Date: Thu, 20 Nov 2025 17:07:28 +0530
Subject: [PATCH 2/3] fix: Set correct index for limit in `book_offers` CLI
 (#6043)

This change fixes an indexing typo in the `book_offers` CLI processing, and does not affect the HTTPS/WS RPC processing.
---
 src/test/rpc/RPCCall_test.cpp    | 23 +++++++++++++----------
 src/xrpld/rpc/detail/RPCCall.cpp | 26 +++++++++++++++++++++-----
 2 files changed, 34 insertions(+), 15 deletions(-)

diff --git a/src/test/rpc/RPCCall_test.cpp b/src/test/rpc/RPCCall_test.cpp
index 07129e4bae..7647dc5f65 100644
--- a/src/test/rpc/RPCCall_test.cpp
+++ b/src/test/rpc/RPCCall_test.cpp
@@ -1584,8 +1584,6 @@ static RPCCallTestData const rpcCallTestArray[] = {
          "EUR/rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
          "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
          "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
-         "junk",  // Note: indexing bug in parseBookOffers() requires junk
-                  // param.
          "200",
      },
      RPCCallTestData::no_exception,
@@ -1597,7 +1595,6 @@ static RPCCallTestData const rpcCallTestArray[] = {
          "issuer" : "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
          "ledger_hash" : "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
          "limit" : 200,
-         "proof" : true,
          "taker_gets" : {
             "currency" : "EUR",
             "issuer" : "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA"
@@ -1617,8 +1614,8 @@ static RPCCallTestData const rpcCallTestArray[] = {
       "EUR/rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
       "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
       "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
-      "junk",  // Note: indexing bug in parseBookOffers() requires junk param.
       "200",
+      "0",
       "MyMarker"},
      RPCCallTestData::no_exception,
      R"({
@@ -1630,7 +1627,6 @@ static RPCCallTestData const rpcCallTestArray[] = {
          "ledger_hash" : "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
          "limit" : 200,
          "marker" : "MyMarker",
-         "proof" : true,
          "taker_gets" : {
             "currency" : "EUR",
             "issuer" : "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA"
@@ -1665,8 +1661,8 @@ static RPCCallTestData const rpcCallTestArray[] = {
       "EUR/rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
       "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
       "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
-      "junk",  // Note: indexing bug in parseBookOffers() requires junk param.
       "200",
+      "0",
       "MyMarker",
       "extra"},
      RPCCallTestData::no_exception,
@@ -1770,12 +1766,19 @@ static RPCCallTestData const rpcCallTestArray[] = {
          "EUR/rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
          "rnUy2SHTrB9DubsPmkJZUXTf5FcNDGrYEA",
          "ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789",
-         "junk",  // Note: indexing bug in parseBookOffers() requires junk
-                  // param.
          "not_a_number",
      },
-     RPCCallTestData::bad_cast,
-     R"()"},
+     RPCCallTestData::no_exception,
+     R"({
+    "method" : "book_offers",
+    "params" : [
+      {
+         "error" : "invalidParams",
+         "error_code" : 31,
+         "error_message" : "Invalid field 'limit'."
+      }
+    ]
+    })"},
 
     // can_delete
     // ------------------------------------------------------------------
diff --git a/src/xrpld/rpc/detail/RPCCall.cpp b/src/xrpld/rpc/detail/RPCCall.cpp
index 915f951749..185043302a 100644
--- a/src/xrpld/rpc/detail/RPCCall.cpp
+++ b/src/xrpld/rpc/detail/RPCCall.cpp
@@ -332,15 +332,31 @@ private:
 
         if (jvParams.size() >= 5)
         {
-            int iLimit = jvParams[5u].asInt();
+            try
+            {
+                int iLimit = jvParams[4u].asInt();
 
-            if (iLimit > 0)
-                jvRequest[jss::limit] = iLimit;
+                if (iLimit > 0)
+                    jvRequest[jss::limit] = iLimit;
+            }
+            catch (std::exception const&)
+            {
+                return RPC::invalid_field_error(jss::limit);
+            }
         }
 
-        if (jvParams.size() >= 6 && jvParams[5u].asInt())
+        if (jvParams.size() >= 6)
         {
-            jvRequest[jss::proof] = true;
+            try
+            {
+                int bProof = jvParams[5u].asInt();
+                if (bProof)
+                    jvRequest[jss::proof] = true;
+            }
+            catch (std::exception const&)
+            {
+                return RPC::invalid_field_error(jss::proof);
+            }
         }
 
         if (jvParams.size() == 7)

From adbeb94c2bd3e90f415eee1776ad52cfa19d48ee Mon Sep 17 00:00:00 2001
From: Ayaz Salikhov <mathbunnyru@users.noreply.github.com>
Date: Thu, 20 Nov 2025 18:09:03 +0000
Subject: [PATCH 3/3] ci: Only upload artifacts in XRPLF repo owner (#6060)

This change prevents uploading too many artifacts in non-public repositories.
---
 .github/workflows/reusable-build-test-config.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/reusable-build-test-config.yml b/.github/workflows/reusable-build-test-config.yml
index 768897f665..8ce810aa2e 100644
--- a/.github/workflows/reusable-build-test-config.yml
+++ b/.github/workflows/reusable-build-test-config.yml
@@ -130,7 +130,7 @@ jobs:
             --target "${CMAKE_TARGET}"
 
       - name: Upload rippled artifact (Linux)
-        if: ${{ runner.os == 'Linux' }}
+        if: ${{ github.repository_owner == 'XRPLF' && runner.os == 'Linux' }}
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         env:
           BUILD_DIR: ${{ inputs.build_dir }}