fix: Add more account check (#1543)

Make sure all char is alphanumeric for account
XRPLF · Jul 18, 2024 · 665fab1 · 665fab1
1 parent b65ac67
commit 665fab1
Show file tree

Hide file tree

Showing 11 changed files with 183 additions and 37 deletions.
diff --git a/src/rpc/RPCHelpers.cpp b/src/rpc/RPCHelpers.cpp
@@ -24,6 +24,7 @@
 #include "rpc/Errors.hpp"
 #include "rpc/JS.hpp"
 #include "rpc/common/Types.hpp"
+#include "util/AccountUtils.hpp"
 #include "util/Profiler.hpp"
 #include "util/log/Logger.hpp"
 #include "web/Context.hpp"
@@ -186,14 +187,14 @@ accountFromStringStrict(std::string const& account)
     if (blob && ripple::publicKeyType(ripple::makeSlice(*blob))) {
         publicKey = ripple::PublicKey(ripple::Slice{blob->data(), blob->size()});
     } else {
-        publicKey = ripple::parseBase58<ripple::PublicKey>(ripple::TokenType::AccountPublic, account);
+        publicKey = util::parseBase58Wrapper<ripple::PublicKey>(ripple::TokenType::AccountPublic, account);
     }
 
     std::optional<ripple::AccountID> result;
     if (publicKey) {
         result = ripple::calcAccountID(*publicKey);
     } else {
-        result = ripple::parseBase58<ripple::AccountID>(account);
+        result = util::parseBase58Wrapper<ripple::AccountID>(account);
     }
 
     return result;
@@ -799,7 +800,7 @@ getAccountsFromTransaction(boost::json::object const& transaction)
             auto inObject = getAccountsFromTransaction(value.as_object());
             accounts.insert(accounts.end(), inObject.begin(), inObject.end());
         } else if (value.is_string()) {
-            auto const account = ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(value));
+            auto const account = util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(value));
             if (account) {
                 accounts.push_back(*account);
             }

diff --git a/src/rpc/common/Validators.cpp b/src/rpc/common/Validators.cpp
@@ -22,6 +22,7 @@
 #include "rpc/Errors.hpp"
 #include "rpc/RPCHelpers.hpp"
 #include "rpc/common/Types.hpp"
+#include "util/AccountUtils.hpp"
 
 #include <boost/json/object.hpp>
 #include <boost/json/value.hpp>
@@ -114,7 +115,7 @@ CustomValidator AccountBase58Validator =
         if (!value.is_string())
             return Error{Status{RippledError::rpcINVALID_PARAMS, std::string(key) + "NotString"}};
 
-        auto const account = ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(value));
+        auto const account = util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(value));
         if (!account || account->isZero())
             return Error{Status{ClioError::rpcMALFORMED_ADDRESS}};
 

diff --git a/src/rpc/handlers/GatewayBalances.hpp b/src/rpc/handlers/GatewayBalances.hpp
@@ -25,6 +25,7 @@
 #include "rpc/common/Specs.hpp"
 #include "rpc/common/Types.hpp"
 #include "rpc/common/Validators.hpp"
+#include "util/AccountUtils.hpp"
 
 #include <boost/json/array.hpp>
 #include <boost/json/conversion.hpp>
@@ -116,14 +117,14 @@ class GatewayBalancesHandler {
                 auto const wallets = value.is_array() ? value.as_array() : boost::json::array{value};
                 auto const getAccountID = [](auto const& j) -> std::optional<ripple::AccountID> {
                     if (j.is_string()) {
-                        auto const pk = ripple::parseBase58<ripple::PublicKey>(
+                        auto const pk = util::parseBase58Wrapper<ripple::PublicKey>(
                             ripple::TokenType::AccountPublic, boost::json::value_to<std::string>(j)
                         );
 
                         if (pk)
                             return ripple::calcAccountID(*pk);
 
-                        return ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(j));
+                        return util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(j));
                     }
 
                     return {};

diff --git a/src/rpc/handlers/GetAggregatePrice.cpp b/src/rpc/handlers/GetAggregatePrice.cpp
@@ -23,6 +23,7 @@
 #include "rpc/JS.hpp"
 #include "rpc/RPCHelpers.hpp"
 #include "rpc/common/Types.hpp"
+#include "util/AccountUtils.hpp"
 
 #include <boost/asio/spawn.hpp>
 #include <boost/bimap/bimap.hpp>
@@ -263,7 +264,7 @@ tag_invoke(boost::json::value_to_tag<GetAggregatePriceHandler::Input>, boost::js
     for (auto const& oracle : jsonObject.at(JS(oracles)).as_array()) {
         input.oracles.push_back(GetAggregatePriceHandler::Oracle{
             .documentId = boost::json::value_to<std::uint64_t>(oracle.as_object().at(JS(oracle_document_id))),
-            .account = *ripple::parseBase58<ripple::AccountID>(
+            .account = *util::parseBase58Wrapper<ripple::AccountID>(
                 boost::json::value_to<std::string>(oracle.as_object().at(JS(account)))
             )
         });

diff --git a/src/rpc/handlers/LedgerEntry.cpp b/src/rpc/handlers/LedgerEntry.cpp
@@ -23,6 +23,7 @@
 #include "rpc/JS.hpp"
 #include "rpc/RPCHelpers.hpp"
 #include "rpc/common/Types.hpp"
+#include "util/AccountUtils.hpp"
 
 #include <boost/json/conversion.hpp>
 #include <boost/json/object.hpp>
@@ -62,9 +63,9 @@ LedgerEntryHandler::process(LedgerEntryHandler::Input input, Context const& ctx)
     if (input.index) {
         key = ripple::uint256{std::string_view(*(input.index))};
     } else if (input.accountRoot) {
-        key = ripple::keylet::account(*ripple::parseBase58<ripple::AccountID>(*(input.accountRoot))).key;
+        key = ripple::keylet::account(*util::parseBase58Wrapper<ripple::AccountID>(*(input.accountRoot))).key;
     } else if (input.did) {
-        key = ripple::keylet::did(*ripple::parseBase58<ripple::AccountID>(*(input.did))).key;
+        key = ripple::keylet::did(*util::parseBase58Wrapper<ripple::AccountID>(*(input.did))).key;
     } else if (input.directory) {
         auto const keyOrStatus = composeKeyFromDirectory(*input.directory);
         if (auto const status = std::get_if<Status>(&keyOrStatus))
@@ -73,13 +74,14 @@ LedgerEntryHandler::process(LedgerEntryHandler::Input input, Context const& ctx)
         key = std::get<ripple::uint256>(keyOrStatus);
     } else if (input.offer) {
         auto const id =
-            ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(input.offer->at(JS(account))));
+            util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(input.offer->at(JS(account)))
+            );
         key = ripple::keylet::offer(*id, boost::json::value_to<std::uint32_t>(input.offer->at(JS(seq)))).key;
     } else if (input.rippleStateAccount) {
-        auto const id1 = ripple::parseBase58<ripple::AccountID>(
+        auto const id1 = util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(input.rippleStateAccount->at(JS(accounts)).as_array().at(0))
         );
-        auto const id2 = ripple::parseBase58<ripple::AccountID>(
+        auto const id2 = util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(input.rippleStateAccount->at(JS(accounts)).as_array().at(1))
         );
         auto const currency =
@@ -88,20 +90,22 @@ LedgerEntryHandler::process(LedgerEntryHandler::Input input, Context const& ctx)
         key = ripple::keylet::line(*id1, *id2, currency).key;
     } else if (input.escrow) {
         auto const id =
-            ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(input.escrow->at(JS(owner))));
+            util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(input.escrow->at(JS(owner)))
+            );
         key = ripple::keylet::escrow(*id, input.escrow->at(JS(seq)).as_int64()).key;
     } else if (input.depositPreauth) {
-        auto const owner = ripple::parseBase58<ripple::AccountID>(
+        auto const owner = util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(input.depositPreauth->at(JS(owner)))
         );
-        auto const authorized = ripple::parseBase58<ripple::AccountID>(
+        auto const authorized = util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(input.depositPreauth->at(JS(authorized)))
         );
 
         key = ripple::keylet::depositPreauth(*owner, *authorized).key;
     } else if (input.ticket) {
         auto const id =
-            ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(input.ticket->at(JS(account))));
+            util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(input.ticket->at(JS(account))
+            ));
 
         key = ripple::getTicketIndex(*id, input.ticket->at(JS(ticket_seq)).as_int64());
     } else if (input.amm) {
@@ -112,7 +116,8 @@ LedgerEntryHandler::process(LedgerEntryHandler::Input input, Context const& ctx)
                 return ripple::xrpIssue();
             }
             auto const issuer =
-                ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(assetJson.at(JS(issuer))));
+                util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(assetJson.at(JS(issuer)))
+                );
             return ripple::Issue{currency, *issuer};
         };
 
@@ -125,7 +130,7 @@ LedgerEntryHandler::process(LedgerEntryHandler::Input input, Context const& ctx)
             return Error{Status{ClioError::rpcMALFORMED_REQUEST}};
 
         if (input.bridgeAccount) {
-            auto const bridgeAccount = ripple::parseBase58<ripple::AccountID>(*(input.bridgeAccount));
+            auto const bridgeAccount = util::parseBase58Wrapper<ripple::AccountID>(*(input.bridgeAccount));
             auto const chainType = ripple::STXChainBridge::srcChain(bridgeAccount == input.bridge->lockingChainDoor());
 
             if (bridgeAccount != input.bridge->door(chainType))
@@ -201,7 +206,7 @@ LedgerEntryHandler::composeKeyFromDirectory(boost::json::object const& directory
     }
 
     auto const ownerID =
-        ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(directory.at(JS(owner))));
+        util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(directory.at(JS(owner))));
     return ripple::keylet::page(ripple::keylet::ownerDir(*ownerID), subIndex).key;
 }
 
@@ -262,10 +267,10 @@ tag_invoke(boost::json::value_to_tag<LedgerEntryHandler::Input>, boost::json::va
     };
 
     auto const parseBridgeFromJson = [](boost::json::value const& bridgeJson) {
-        auto const lockingDoor = *ripple::parseBase58<ripple::AccountID>(
+        auto const lockingDoor = *util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(bridgeJson.at(ripple::sfLockingChainDoor.getJsonName().c_str()))
         );
-        auto const issuingDoor = *ripple::parseBase58<ripple::AccountID>(
+        auto const issuingDoor = *util::parseBase58Wrapper<ripple::AccountID>(
             boost::json::value_to<std::string>(bridgeJson.at(ripple::sfIssuingChainDoor.getJsonName().c_str()))
         );
         auto const lockingIssue =
@@ -278,7 +283,7 @@ tag_invoke(boost::json::value_to_tag<LedgerEntryHandler::Input>, boost::json::va
 
     auto const parseOracleFromJson = [](boost::json::value const& json) {
         auto const account =
-            ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(json.at(JS(account))));
+            util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(json.at(JS(account))));
         auto const documentId = boost::json::value_to<uint32_t>(json.at(JS(oracle_document_id)));
 
         return ripple::keylet::oracle(*account, documentId).key;

diff --git a/src/rpc/handlers/LedgerEntry.hpp b/src/rpc/handlers/LedgerEntry.hpp
@@ -28,6 +28,7 @@
 #include "rpc/common/Specs.hpp"
 #include "rpc/common/Types.hpp"
 #include "rpc/common/Validators.hpp"
+#include "util/AccountUtils.hpp"
 
 #include <boost/json/conversion.hpp>
 #include <boost/json/object.hpp>
@@ -136,9 +137,11 @@ class LedgerEntryHandler {
                 }
 
                 auto const id1 =
-                    ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(value.as_array()[0]));
+                    util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(value.as_array()[0])
+                    );
                 auto const id2 =
-                    ripple::parseBase58<ripple::AccountID>(boost::json::value_to<std::string>(value.as_array()[1]));
+                    util::parseBase58Wrapper<ripple::AccountID>(boost::json::value_to<std::string>(value.as_array()[1])
+                    );
 
                 if (!id1 || !id2)
                     return Error{Status{ClioError::rpcMALFORMED_ADDRESS, "malformedAddresses"}};

diff --git a/src/util/AccountUtils.hpp b/src/util/AccountUtils.hpp
@@ -0,0 +1,67 @@
+//------------------------------------------------------------------------------
+/*
+    This file is part of clio: https://github.com/XRPLF/clio
+    Copyright (c) 2024, the clio developers.
+
+    Permission to use, copy, modify, and distribute this software for any
+    purpose with or without fee is hereby granted, provided that the above
+    copyright notice and this permission notice appear in all copies.
+
+    THE  SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+    WITH  REGARD  TO  THIS  SOFTWARE  INCLUDING  ALL  IMPLIED  WARRANTIES  OF
+    MERCHANTABILITY  AND  FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+    ANY  SPECIAL,  DIRECT,  INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+    WHATSOEVER  RESULTING  FROM  LOSS  OF USE, DATA OR PROFITS, WHETHER IN AN
+    ACTION  OF  CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+    OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+*/
+//==============================================================================
+
+#pragma once
+
+#include <ripple/protocol/tokens.h>
+
+#include <cctype>
+#include <optional>
+#include <string>
+
+namespace util {
+
+/**
+ * @brief A wrapper of parseBase58 function. It adds the check if all characters in the input string are alphanumeric.
+ * If not, it returns an empty optional, instead of calling the parseBase58 function.
+ *
+ * @tparam T The type of the value to parse to.
+ * @param str The string to parse.
+ * @return An optional with the parsed value, or an empty optional if the parse fails.
+ */
+template <class T>
+[[nodiscard]] std::optional<T>
+parseBase58Wrapper(std::string const& str)
+{
+    if (!std::all_of(std::begin(str), std::end(str), [](unsigned char c) { return std::isalnum(c); }))
+        return std::nullopt;
+
+    return ripple::parseBase58<T>(str);
+}
+
+/**
+ * @brief A wrapper of parseBase58 function. It add the check if all characters in the input string are alphanumeric. If
+ * not, it returns an empty optional, instead of calling the parseBase58 function.
+ *
+ * @tparam T The type of the value to parse to.
+ * @param type The type of the token to parse.
+ * @param str The string to parse.
+ * @return An optional with the parsed value, or an empty optional if the parse fails.
+ */
+template <class T>
+[[nodiscard]] std::optional<T>
+parseBase58Wrapper(ripple::TokenType type, std::string const& str)
+{
+    if (!std::all_of(std::begin(str), std::end(str), [](unsigned char c) { return std::isalnum(c); }))
+        return std::nullopt;
+
+    return ripple::parseBase58<T>(type, str);
+}
+
+}  // namespace util