Skip to content

beta7: RPC/HTTP hardening — timing-safe auth, JSON depth limit, batch cap, body-size cap#124

Open
RhettCreighton wants to merge 1 commit into
masterfrom
beta7/rpc-hardening
Open

beta7: RPC/HTTP hardening — timing-safe auth, JSON depth limit, batch cap, body-size cap#124
RhettCreighton wants to merge 1 commit into
masterfrom
beta7/rpc-hardening

Conversation

@RhettCreighton

Copy link
Copy Markdown

What

Four NON-CONSENSUS RPC/HTTP hardening fixes (audit-verified):

  1. Timing-safe credential comparison (src/utilstrencodings.h) — TimingResistantEqual previously looped only a.size() times and indexed b[i % b.size()], leaking the relative lengths of the two inputs through timing. Rewritten to iterate max(a.size(), b.size()) with per-index bounds guards. Preserves the existing empty-stored-credential early return.
  2. JSON nesting depth limit (src/univalue/lib/univalue_read.cpp) — added MAX_JSON_DEPTH = 512; the parser now rejects (return false) before pushing onto the stack once the limit is reached, guarding against stack exhaustion from deeply-nested untrusted JSON.
  3. JSON-RPC batch size cap (src/rpc/server.cpp) — added MAX_BATCH_SIZE = 100; JSONRPCExecBatch throws RPC_INVALID_REQUEST ("Batch request size exceeds maximum") for oversized batches, bounding the work a single connection can queue.
  4. HTTP request body cap (src/httpserver.cpp) — replaced the ~33 MB serialization MAX_SIZE passed to evhttp_set_max_body_size with a dedicated MAX_HTTP_REQUEST_SIZE = 10 MiB, bounding per-connection memory use.

Why

These are defense-in-depth fixes for the RPC/HTTP attack surface (timing side-channel on auth, resource exhaustion via nesting/batch/body size). All identified during an audit of the RPC server.

Files touched

  • src/utilstrencodings.h
  • src/univalue/lib/univalue_read.cpp
  • src/rpc/server.cpp
  • src/httpserver.cpp

Consensus impact: none

These changes touch only RPC/HTTP request handling and an auth-string comparison — no block/tx validation, PoW/Equihash, script interpreter, hashed/signed bytes, chainparams, or activation heights are affected.


DRAFT: pending maintainer integration build + gtest.

…, batch cap, body-size cap

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@RhettCreighton RhettCreighton marked this pull request as ready for review June 5, 2026 23:55
@RhettCreighton

Copy link
Copy Markdown
Author

Build verification (maintainer): the merged beta7/integration branch — all five beta7 hardening PRs together — compiles and links cleanly via the same proot / glibc-2.29 toolchain used to build the beta6 release. 0 compile errors, portable daemon produced (glibc floor 2.29).

Each PR was also independently peer-reviewed for correctness and consensus-safety (all changes confirmed non-consensus — no effect on block/tx validation, PoW, script, or serialization of any valid object).

Marking ready for review. As usual, the full gtest + qa/rpc-tests suite should run in CI before merge.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant