Strict input validation against expected schema (RIPD-1709, RIPD-1710)

2025-12-06 17:27:52 +00:00 · 2018-12-20 13:27:23 -06:00
parent 1be8094ee2
commit ba9ca1378e
1 changed files with 29 additions and 1 deletions
--- a/src/ripple/rpc/impl/ServerHandlerImp.cpp
+++ b/src/ripple/rpc/impl/ServerHandlerImp.cpp
@@ -599,6 +599,16 @@ ServerHandlerImp::processRequest (Port const& port,
    {
        Json::Value const& jsonRPC =
            batch ? jsonOrig[jss::params][i] : jsonOrig;
+
+        if (!jsonRPC.isObject())
+        {
+            Json::Value r(Json::objectValue);
+            r[jss::request] = jsonRPC;
+            r[jss::error] = make_json_error(method_not_found, "Method not found");
+            reply.append(r);
+            continue;
+        }
+
        /* ------------------------------------------------------------------ */
        auto role = Role::FORBID;
        auto required = Role::FORBID;
@@ -740,8 +750,26 @@ ServerHandlerImp::processRequest (Port const& port,
        }

        std::string ripplerpc = "1.0";
-        if (params.isMember(jss::ripplerpc) && params[jss::ripplerpc] != "1.0")
+        if (params.isMember(jss::ripplerpc))
+        {
+            if (!params[jss::ripplerpc].isString())
+            {
+                usage.charge(Resource::feeInvalidRPC);
+                if (!batch)
+                {
+                    HTTPReply(400, "ripplerpc is not a string", output, rpcJ);
+                    return;
+                }
+
+                Json::Value r = jsonRPC;
+                r[jss::error] = make_json_error(
+                    method_not_found, "ripplerpc is not a string");
+                reply.append(r);
+                continue;
+            }
            ripplerpc = params[jss::ripplerpc].asString();
+        }
+
        /**
         * Clear header-assigned values if not positively identified from a
         * secure_gateway.