search

code-423n4 / 2024-03-phala-network-findings

0 stars 0 forks source link

Recursive HTTP requests is possible which can be used to DoS a particular worker #66

Closed c4-bot-4 closed 6 months ago

c4-bot-4 commented 6 months ago

Lines of code

https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L186 https://github.com/code-423n4/2024-03-phala-network/blob/a01ffbe992560d8d0f17deadfb9b9a2bed38377e/phala-blockchain/crates/pink/chain-extension/src/lib.rs#L194

Vulnerability details

Impact

Pink Extension provides the possibility to make HTTP requests as a feature through a query.

When sending a query, the user can send it to a particular worker. A malicious actor can utilize this and make HTTP requests recursivly to the same worker so that it consumes huge resources from the worker, eventually, leading to a temporary DoS or possibly a crash if the consumption hits the hard limit set for the worker.

Proof of Concept

  1. There is no validation against the URLs when making HTTP requests.

  2. The current timeout is set to 10 seconds

    fn http_request(&self, request: HttpRequest) -> Result<HttpResponse, Self::Error> {
    http_request(request, 10 * 1000).map_err(|err| err.display().into())
}

    chain-extension/src/lib.rs#L186 However, when using batch requests, the timeout can be increased freely. So, if 10 seconds aren't enough,the malicious actor can increase it as desired.

    fn batch_http_request(
    &self,
    requests: Vec<HttpRequest>,
    timeout_ms: u64,
) -> Result<ext::BatchHttpResult, Self::Error> {
    Ok(batch_http_request(requests, timeout_ms))
}

    chain-extension/src/lib.rs#L194

The high level attack path as follows:

Please note, this attack can be initiated multiple times as once (i.e. the attacker can send many queries, each starts the path above). This way, the resources consumption get even higher.

Tools Used

Manual analysis

Recommended Mitigation Steps

Disallow the worker to make http requests to its self.

Assessed type

DoS

c4-pre-sort commented 6 months ago

141345 marked the issue as primary issue

c4-pre-sort commented 6 months ago

141345 marked the issue as sufficient quality report

141345 commented 6 months ago

recursive http request to the same worker

kvinwang commented 6 months ago

Disallow the worker to make http requests to its self.

This is not an issue can be simply solved in the runtime library. There is no way to prevent recursive HTTP requests at all. And below is our current solution.

However, when using batch requests, the timeout can be increased freely. So, if 10 seconds aren't enough,the malicious actor can increase it as desired.

The batch HTTP request extension calls into the worker through ocalls here, where the timeout is limited to 10 seconds.

There is a strict 10-second limit in the worker for each query RPC call. Therefore, regardless of the number of outgoing HTTP requests made in a single query, the overall timeout remains at 10 seconds.

Additionally, there is a maximum concurrent query limit in the worker, preventing recursive HTTP requests from being executed infinitely.

Moreover, the worker has a query scheduler. If queries to a contract take a significant amount of time, they receive lower priority in subsequent queries. This means that if an attacker frequently calls a malicious contract while there are many normal queries being processed simultaneously, the malicious contract would be dropped due to its low priority.

c4-sponsor commented 6 months ago

kvinwang (sponsor) disputed

c4-judge commented 6 months ago

OpenCoreCH marked the issue as unsatisfactory: Invalid