fix: added checks for max graffiti size

gobitfly · Jan 7, 2025 · d0a4e7a · d0a4e7a
1 parent f698e55
commit d0a4e7a
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 4 deletions.
diff --git a/backend/pkg/api/data_access/search.go b/backend/pkg/api/data_access/search.go
@@ -100,9 +100,11 @@ func (d *DataAccessService) GetSearchValidatorsByWithdrawalEnsName(ctx context.C
 
 func (d *DataAccessService) GetSearchValidatorsByGraffiti(ctx context.Context, chainId uint64, graffiti string) (*t.SearchValidatorsByGraffiti, error) {
 	// TODO: implement handling of chainid
+	graffitiHex := [32]byte{}
+	copy(graffitiHex[:], graffiti)
 	ret := &t.SearchValidatorsByGraffiti{
 		Graffiti: graffiti,
-		Hex:      hexutil.Encode([]byte(graffiti)),
+		Hex:      hexutil.Encode(graffitiHex[:]),
 	}
 	err := db.ReaderDb.GetContext(ctx, &ret.Count, "select count(distinct proposer) from blocks where graffiti_text = $1;", graffiti)
 	if err != nil {

diff --git a/backend/pkg/api/handlers/input_validation.go b/backend/pkg/api/handlers/input_validation.go
@@ -34,9 +34,9 @@ var (
 	reEthereumAddress              = regexp.MustCompile(`^(0x)?[0-9a-fA-F]{40}$`)
 	reWithdrawalCredential         = regexp.MustCompile(`^(0x0[01])?[0-9a-fA-F]{62}$`)
 	reEnsName                      = regexp.MustCompile(`^.+\.eth$`)
-	reGraffiti                     = regexp.MustCompile(`^.{2,}$`)                     // at least 2 characters, so that queries won't time out
-	reGraffitiHex                  = regexp.MustCompile(`^(0x)?([0-9a-fA-F]{2}){2,}$`) // at least 2 bytes, so that queries won't time out
-	reCursor                       = regexp.MustCompile(`^[A-Za-z0-9-_]+$`)            // has to be base64
+	reGraffiti                     = regexp.MustCompile(`^.{2,32}$`) // at least 2 characters, so that queries won't time out
+	reGraffitiHex                  = regexp.MustCompile(`^(0x)?([0-9a-fA-F]{2}){32}$`)
+	reCursor                       = regexp.MustCompile(`^[A-Za-z0-9-_]+$`) // has to be base64
 	reEmail                        = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
 	rePassword                     = regexp.MustCompile(`^.{5,}$`)
 	reEmailUserToken               = regexp.MustCompile(`^[a-z0-9]{40}$`)

diff --git a/backend/pkg/api/handlers/search.go b/backend/pkg/api/handlers/search.go
@@ -274,6 +274,10 @@ func (h *HandlerService) handleSearchValidatorsByWithdrawalEnsName(ctx context.C
 }
 
 func (h *HandlerService) handleSearchValidatorsByGraffiti(ctx context.Context, input string, chainId uint64) (*types.SearchResult, error) {
+	// regex could only verify max character length, validate max byte length here
+	if len(input) > 32 {
+		return nil, nil // return no error as to not disturb the other search types
+	}
 	result, err := h.daService.GetSearchValidatorsByGraffiti(ctx, chainId, input)
 	return asSearchResult(validatorsByGraffiti, chainId, result, err)
 }