LiskArchive / lisk-sdk

🔩 Lisk software development kit
https://lisk.com
Apache License 2.0

Insufficient data validation in Validators module #8476

Closed shuse2 closed 1 year ago

shuse2 commented 1 year ago

Expected behavior

Input to the validators method and endpoint should be validated, although in the mainchain protocol it is indirectly validated in the commands which call the methods.

Actual behavior

Some length checks in https://github.com/LiskHQ/lisk-sdk/blob/89e7504ef5eb6183aefe576a93be3d6052e56038/framework/src/modules/validators/method.ts or https://github.com/LiskHQ/lisk-sdk/blob/89e7504ef5eb6183aefe576a93be3d6052e56038/framework/src/modules/validators/endpoint.ts#L30 are missing.

Steps to reproduce

N/A

Which version(s) does this affect? (Environment, OS, etc...)

6.0.0-beta.1-

shuse2 commented 1 year ago

In the validator method and endpoint, popVerify is called in the internal method and it will return false if the size does not match. Therefore, it is not required to check upfront.
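
An explicit length check at the endpoint boundary, of the kind this issue asks about, could look like the following. This is an added example, not lisk-sdk code and not part of the thread: `decodeFixedHex` and `validateBLSKeyRequest` are hypothetical names, the verifier is injected as a stand-in for `popVerify`, and the 48-byte key and 96-byte proof-of-possession sizes are assumptions based on BLS12-381 compressed encodings.

```javascript
// Added example, not lisk-sdk code. Sizes are assumptions based on BLS12-381
// compressed encodings: 48-byte public key, 96-byte proof of possession.
const BLS_PUBLIC_KEY_LENGTH = 48;
const BLS_POP_LENGTH = 96;

// Decode a hex string strictly. Node's Buffer.from(str, 'hex') stops at the
// first invalid character and silently returns a shorter buffer, so both the
// alphabet and the length are checked before decoding.
function decodeFixedHex(name, value, expectedBytes) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a hex string`);
  }
  if (!/^[0-9a-fA-F]*$/.test(value)) {
    throw new Error(`${name} contains non-hex characters`);
  }
  if (value.length !== expectedBytes * 2) {
    throw new Error(
      `${name} must be ${expectedBytes} bytes, got ${value.length / 2}`,
    );
  }
  return Buffer.from(value, 'hex');
}

// Hypothetical endpoint handler: rejects wrongly sized input up front, then
// delegates to the injected verifier (standing in for the library's popVerify).
function validateBLSKeyRequest(params, popVerify) {
  const blsKey = decodeFixedHex('blsKey', params.blsKey, BLS_PUBLIC_KEY_LENGTH);
  const pop = decodeFixedHex(
    'proofOfPossession',
    params.proofOfPossession,
    BLS_POP_LENGTH,
  );
  // Only well-formed, correctly sized buffers reach the cryptographic check.
  return { valid: popVerify(blsKey, pop) };
}
```

With this in place a malformed request fails with a descriptive error before any pairing work is attempted, instead of surfacing only as a `false` verification result.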