GRY-01-002 WP1: sanitizing transaction data

greymass · Oct 16, 2024 · d1c7a75 · d1c7a75
1 parent 6e8d2f1
commit d1c7a75
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 2 deletions.
diff --git a/packages/snap/snap.manifest.json b/packages/snap/snap.manifest.json
@@ -7,7 +7,7 @@
     "url": "https://github.com/@greymass/antelope-snap.git"
   },
   "source": {
-    "shasum": "ZRXhKVwCKT0RTuBwE7IcYbge2YkMkQ5ogyteqFnmuwc=",
+    "shasum": "+FP/f5IPNs8hzqU0H0eO767Pjdip+9AKgZnaM5kXcUo=",
     "location": {
       "npm": {
         "filePath": "dist/bundle.js",

diff --git a/packages/snap/src/rpc.ts b/packages/snap/src/rpc.ts
@@ -29,14 +29,36 @@ export async function getPublicKey(request: AntelopeRequest): Promise<string> {
   return String(await derivePublicKey(chain));
 }
 
+const MAX_TRANSACTION_LENGTH = 10000;
+
 export async function signTransaction(
   request: AntelopeSignatureRequest,
 ): Promise<Signature | undefined> {
   // Process incoming transaction
   if (!request.params?.transaction) {
     throw new Error('Missing transaction in request params');
   }
-  const transaction = Transaction.from(JSON.parse(request.params.transaction));
+
+  // Check the length of the transaction string
+  if (request.params.transaction.length > MAX_TRANSACTION_LENGTH) {
+    throw new Error('Transaction data is too large');
+  }
+
+  let transactionData;
+  try {
+    // Attempt to parse the transaction data
+    transactionData = JSON.parse(request.params.transaction);
+  } catch (error) {
+    throw new Error(`Invalid JSON transaction data: ${(error as Error).stack}`);
+  }
+
+  let transaction;
+  try {
+    // Attempt to create a Transaction object from the parsed data
+    transaction = Transaction.from(transactionData);
+  } catch (error) {
+    throw new Error(`Invalid transaction format: ${(error as Error).stack}`);
+  }
 
   // Load the appropriate chain definition
   if (!request.params?.chainId) {