beta7: RPC/HTTP hardening — timing-safe auth, JSON depth limit, batch cap, body-size cap#124
Open
RhettCreighton wants to merge 1 commit into
Open
beta7: RPC/HTTP hardening — timing-safe auth, JSON depth limit, batch cap, body-size cap#124RhettCreighton wants to merge 1 commit into
RhettCreighton wants to merge 1 commit into
Conversation
…, batch cap, body-size cap Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Author
|
✅ Build verification (maintainer): the merged Each PR was also independently peer-reviewed for correctness and consensus-safety (all changes confirmed non-consensus — no effect on block/tx validation, PoW, script, or serialization of any valid object). Marking ready for review. As usual, the full |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Four NON-CONSENSUS RPC/HTTP hardening fixes (audit-verified):
src/utilstrencodings.h) —TimingResistantEqualpreviously looped onlya.size()times and indexedb[i % b.size()], leaking the relative lengths of the two inputs through timing. Rewritten to iteratemax(a.size(), b.size())with per-index bounds guards. Preserves the existing empty-stored-credential early return.src/univalue/lib/univalue_read.cpp) — addedMAX_JSON_DEPTH = 512; the parser now rejects (return false) before pushing onto the stack once the limit is reached, guarding against stack exhaustion from deeply-nested untrusted JSON.src/rpc/server.cpp) — addedMAX_BATCH_SIZE = 100;JSONRPCExecBatchthrowsRPC_INVALID_REQUEST("Batch request size exceeds maximum") for oversized batches, bounding the work a single connection can queue.src/httpserver.cpp) — replaced the ~33 MB serializationMAX_SIZEpassed toevhttp_set_max_body_sizewith a dedicatedMAX_HTTP_REQUEST_SIZE = 10 MiB, bounding per-connection memory use.Why
These are defense-in-depth fixes for the RPC/HTTP attack surface (timing side-channel on auth, resource exhaustion via nesting/batch/body size). All identified during an audit of the RPC server.
Files touched
src/utilstrencodings.hsrc/univalue/lib/univalue_read.cppsrc/rpc/server.cppsrc/httpserver.cppConsensus impact: none
These changes touch only RPC/HTTP request handling and an auth-string comparison — no block/tx validation, PoW/Equihash, script interpreter, hashed/signed bytes, chainparams, or activation heights are affected.
DRAFT: pending maintainer integration build + gtest.