
Add maxQueryLimit to feeHistory (#11973)
Added a maxQueryLimit constant to define the maximum number of requested
percentiles (set to 100).

This implementation is the same as Geth:
https://github.com/ethereum/go-ethereum/blob/a01e9742d997ea9e6cedfee41cba433433de9e10/eth/gasprice/feehistory.go#L245

Without this restriction, an attacker could submit a very large payload,
causing Erigon to consume over 50GB of memory.
boyuan-chen authored Sep 20, 2024
1 parent da6dc64 commit f0c1740
Showing 2 changed files with 11 additions and 0 deletions.
5 changes: 5 additions & 0 deletions eth/gasprice/feehistory.go
Expand Up @@ -44,6 +44,8 @@ const (
// maxFeeHistory is the maximum number of blocks that can be retrieved for a
// fee history request.
maxFeeHistory = 1024
// maxQueryLimit is the max number of requested percentiles.
maxQueryLimit = 100
)

// blockFees represents a single block for processing
Expand Down Expand Up @@ -237,6 +239,9 @@ func (oracle *Oracle) FeeHistory(ctx context.Context, blocks int, unresolvedLast
oracle.log.Warn("Sanitizing fee history length", "requested", blocks, "truncated", maxFeeHistory)
blocks = maxFeeHistory
}
if len(rewardPercentiles) > maxQueryLimit {
return libcommon.Big0, nil, nil, nil, fmt.Errorf("%w: over the query limit %d", ErrInvalidPercentile, maxQueryLimit)

}
for i, p := range rewardPercentiles {
if p < 0 || p > 100 {
return libcommon.Big0, nil, nil, nil, nil, nil, fmt.Errorf("%w: %f", ErrInvalidPercentile, p)
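Review bot: The `return` added in the new `len(rewardPercentiles) > maxQueryLimit` branch lists five values, but FeeHistory returns seven, as the existing percentile-range `return` a few lines below shows (`libcommon.Big0, nil, nil, nil, nil, nil, fmt.Errorf(...)`), so the commit does not compile and the CI run for it fails with "not enough return values". The line should read `return libcommon.Big0, nil, nil, nil, nil, nil, fmt.Errorf("%w: over the query limit %d", ErrInvalidPercentile, maxQueryLimit)`. Placing the count check before the per-percentile range loop is the right order, since an oversized request is rejected before any per-element work, which is the memory-exhaustion protection the description describes. FeeHistory begins and ends outside this hunk.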
6 changes: 6 additions & 0 deletions eth/gasprice/feehistory_test.go
Expand Up @@ -35,6 +35,11 @@ import (

func TestFeeHistory(t *testing.T) {

overMaxQuery := make([]float64, 101)
for i := 0; i < 101; i++ {
overMaxQuery[i] = float64(1)
}

var cases = []struct {
pending bool
maxHeader, maxBlock int
Expand All @@ -57,6 +62,7 @@ func TestFeeHistory(t *testing.T) {
{false, 20, 2, 100, 32, []float64{0, 10}, 31, 2, nil},
{false, 0, 0, 1, rpc.PendingBlockNumber, nil, 0, 0, nil},
{false, 0, 0, 2, rpc.PendingBlockNumber, nil, 32, 1, nil},
{false, 0, 0, 10, 30, overMaxQuery, 0, 0, gasprice.ErrInvalidPercentile},
//{true, 0, 0, 2, rpc.PendingBlockNumber, nil, 32, 2, nil},
//{true, 0, 0, 2, rpc.PendingBlockNumber, []float64{0, 10}, 32, 2, nil},
}
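Review bot: The new case covers only the over-limit side of the bound with a hard-coded 101-element slice; nothing pins that exactly 100 percentiles, the documented maximum, is still accepted, so an off-by-one in the comparison (`>=` instead of `>`) would slip past this test. A companion case built with `make([]float64, 100)`, filled with the same valid value and expecting a nil error, would close that gap; the literal cannot be derived from `maxQueryLimit` here because the constant is unexported and this file appears to be in the external test package (it refers to `gasprice.ErrInvalidPercentile`). Using `float64(1)` as the fill is a sensible choice since every element is a valid percentile, so the expected error can only come from the count check; the fill loop itself could be the shorter `for i := range overMaxQuery { overMaxQuery[i] = 1 }`. TestFeeHistory continues past the end of this hunk.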
