Fix: Perform array size check (#6030)

The `ledger_entry` and `deposit_preauth` requests require an array of credentials. However, the array size is not checked before is gets processing. This fix adds checks and return errors in case array size is too big.
2026-04-29 15:37:57 +00:00 · 2025-11-19 11:58:18 -05:00
parent b46a9818e5
commit b8577bd7b8
2 changed files with 26 additions and 12 deletions
--- a/src/test/rpc/LedgerEntry_test.cpp
+++ b/src/test/rpc/LedgerEntry_test.cpp
@@ -1122,7 +1122,7 @@ class LedgerEntry_test : public beast::unit_test::suite
            checkErrorValue(
                jrr[jss::result],
                "malformedAuthorizedCredentials",
-                "Invalid field 'authorized_credentials', not array.");
+                "Invalid field 'authorized_credentials', array empty.");
        }

        {
@@ -1163,7 +1163,7 @@ class LedgerEntry_test : public beast::unit_test::suite
            checkErrorValue(
                jrr[jss::result],
                "malformedAuthorizedCredentials",
-                "Invalid field 'authorized_credentials', not array.");
+                "Invalid field 'authorized_credentials', array too long.");
        }
    }

--- a/src/xrpld/rpc/handlers/LedgerEntry.cpp
+++ b/src/xrpld/rpc/handlers/LedgerEntry.cpp
@@ -35,8 +35,6 @@
 #include <xrpl/protocol/STXChainBridge.h>
 #include <xrpl/protocol/jss.h>

-#include <functional>
-
 namespace ripple {

 static Expected<uint256, Json::Value>
@@ -197,18 +195,41 @@ static Expected<STArray, Json::Value>
 parseAuthorizeCredentials(Json::Value const& jv)
 {
    if (!jv.isArray())
+    {
        return LedgerEntryHelpers::invalidFieldError(
            "malformedAuthorizedCredentials",
            jss::authorized_credentials,
            "array");
-    STArray arr(sfAuthorizeCredentials, jv.size());
+    }
+
+    std::uint32_t const n = jv.size();
+    if (n > maxCredentialsArraySize)
+    {
+        return Unexpected(LedgerEntryHelpers::malformedError(
+            "malformedAuthorizedCredentials",
+            "Invalid field '" + std::string(jss::authorized_credentials) +
+                "', array too long."));
+    }
+
+    if (n == 0)
+    {
+        return Unexpected(LedgerEntryHelpers::malformedError(
+            "malformedAuthorizedCredentials",
+            "Invalid field '" + std::string(jss::authorized_credentials) +
+                "', array empty."));
+    }
+
+    STArray arr(sfAuthorizeCredentials, n);
    for (auto const& jo : jv)
    {
        if (!jo.isObject())
+        {
            return LedgerEntryHelpers::invalidFieldError(
                "malformedAuthorizedCredentials",
                jss::authorized_credentials,
                "array");
+        }
+
        if (auto const value = LedgerEntryHelpers::hasRequired(
                jo,
                {jss::issuer, jss::credential_type},
@@ -279,13 +300,6 @@ parseDepositPreauth(Json::Value const& dp, Json::StaticString const fieldName)
    auto const arr = parseAuthorizeCredentials(ac);
    if (!arr.has_value())
        return Unexpected(arr.error());
-    if (arr->empty() || (arr->size() > maxCredentialsArraySize))
-    {
-        return LedgerEntryHelpers::invalidFieldError(
-            "malformedAuthorizedCredentials",
-            jss::authorized_credentials,
-            "array");
-    }

    auto const& sorted = credentials::makeSorted(arr.value());
    if (sorted.empty())