Enforce Strict Input Validation and Payload Bounds on Token Store Writes [MED] #1608

@HayimShaul

Description
Even after a delivery event has been authenticated, the finality listener must not blindly commit its content to the Token Store. Before invoking StoreToken or DeleteTokens, enforce explicit bounds and well-formedness checks on the incoming data: maximum payload size for raw token bytes (ledger, ledger_metadata), maximum number of token outputs per transaction, maximum batch size for bulk delete operations, and rejection of structurally invalid or oversized wallet_id / owner_raw / issuer_raw fields. These checks should be applied as a validation stage in the tokens.Service.Append call chain, before any SQL statement is issued, ensuring that even a legitimate but misbehaving peer cannot cause unbounded storage or CPU consumption in tokendb.

Short Summary
Resource exhaustion / DoS attack. Malicious users can create a toxic transaction that the tokenSDK will submit to the ledger and receive back finality events that cause this issue. A solution can be limiting the message size, metadata size, etc., and some validation checks.
To address this issue we need:
(1) To prevent the Ledger from sending large messages in finality, we need to limit the protobuf messages. This needs to be updated in the documentation accordingly.
(2) When Alice transfers to Bob, Bob needs to validate that Alice's token is not too big.
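The validation stage the issue asks for, as an added example written for this page and not code from the Token SDK: a pure length-and-well-formedness check that runs before any StoreToken or DeleteTokens call, so a finality event that is authenticated but oversized is dropped without issuing SQL. The `Limits`, `TokenOutput`, `ValidateOutputs` and `ValidateDeleteBatch` names, the numeric bounds in `DefaultLimits`, and the sample inputs are all assumptions; the real SDK types carry more fields than shown here.

```go
package main

import (
	"errors"
	"fmt"
	"unicode"
	"unicode/utf8"
)

// ErrRejected is the sentinel for any write that violates the bounds; callers
// match it with errors.Is and discard the event before touching tokendb.
var ErrRejected = errors.New("token store write rejected")

// Limits holds the bounds enforced ahead of StoreToken / DeleteTokens.
// The field set and the defaults below are hypothetical, not SDK configuration.
type Limits struct {
	MaxTokenBytes    int // raw token bytes (ledger)
	MaxMetadataBytes int // ledger_metadata bytes
	MaxOutputsPerTx  int // token outputs in one transaction
	MaxDeleteBatch   int // token ids in one bulk delete
	MaxIDBytes       int // wallet_id, owner_raw, issuer_raw, token id
}

// DefaultLimits returns constructed example bounds; a deployment would tune them.
func DefaultLimits() Limits {
	return Limits{MaxTokenBytes: 64 * 1024, MaxMetadataBytes: 256 * 1024,
		MaxOutputsPerTx: 256, MaxDeleteBatch: 1024, MaxIDBytes: 1024}
}

// TokenOutput is a simplified stand-in for one output handed to the store.
type TokenOutput struct {
	WalletID       string
	OwnerRaw       []byte
	IssuerRaw      []byte // optional
	Ledger         []byte
	LedgerMetadata []byte // optional
}

// checkID rejects empty, oversized, non-UTF-8 or control-character identifiers.
func checkID(name, id string, max int) error {
	switch {
	case id == "":
		return fmt.Errorf("%w: %s is empty", ErrRejected, name)
	case len(id) > max:
		return fmt.Errorf("%w: %s is %d bytes, limit %d", ErrRejected, name, len(id), max)
	case !utf8.ValidString(id):
		return fmt.Errorf("%w: %s is not valid UTF-8", ErrRejected, name)
	}
	for _, r := range id {
		if unicode.IsControl(r) {
			return fmt.Errorf("%w: %s contains control characters", ErrRejected, name)
		}
	}
	return nil
}

// checkBytes bounds a raw field; required fields must also be non-empty.
func checkBytes(name string, b []byte, max int, required bool) error {
	if required && len(b) == 0 {
		return fmt.Errorf("%w: %s is empty", ErrRejected, name)
	}
	if len(b) > max {
		return fmt.Errorf("%w: %s is %d bytes, limit %d", ErrRejected, name, len(b), max)
	}
	return nil
}

// ValidateOutputs is the pre-SQL validation stage for a transaction's outputs.
// Only lengths are inspected, so rejecting a bad event costs almost nothing.
func ValidateOutputs(l Limits, outs []TokenOutput) error {
	if len(outs) > l.MaxOutputsPerTx {
		return fmt.Errorf("%w: %d outputs, limit %d", ErrRejected, len(outs), l.MaxOutputsPerTx)
	}
	for i, o := range outs {
		checks := []error{
			checkID("wallet_id", o.WalletID, l.MaxIDBytes),
			checkBytes("owner_raw", o.OwnerRaw, l.MaxIDBytes, true),
			checkBytes("issuer_raw", o.IssuerRaw, l.MaxIDBytes, false),
			checkBytes("ledger", o.Ledger, l.MaxTokenBytes, true),
			checkBytes("ledger_metadata", o.LedgerMetadata, l.MaxMetadataBytes, false),
		}
		for _, err := range checks {
			if err != nil {
				return fmt.Errorf("output %d: %w", i, err)
			}
		}
	}
	return nil
}

// ValidateDeleteBatch bounds a bulk DeleteTokens request by count and id shape.
func ValidateDeleteBatch(l Limits, ids []string) error {
	if len(ids) == 0 || len(ids) > l.MaxDeleteBatch {
		return fmt.Errorf("%w: %d ids in delete batch, limit 1..%d", ErrRejected, len(ids), l.MaxDeleteBatch)
	}
	for i, id := range ids {
		if err := checkID("token_id", id, l.MaxIDBytes); err != nil {
			return fmt.Errorf("delete %d: %w", i, err)
		}
	}
	return nil
}

func main() {
	l := DefaultLimits()
	// Constructed inputs: one well-formed output, one with an oversized ledger blob.
	ok := []TokenOutput{{WalletID: "alice", OwnerRaw: []byte("alice-pk"), Ledger: []byte("tok")}}
	big := []TokenOutput{{WalletID: "alice", OwnerRaw: []byte("alice-pk"), Ledger: make([]byte, l.MaxTokenBytes+1)}}
	fmt.Println("well-formed:", ValidateOutputs(l, ok))
	fmt.Println("oversized:  ", ValidateOutputs(l, big))
}
```

Because every failure wraps `ErrRejected`, the finality listener can treat the whole class uniformly (log, count, drop) while the wrapped message still says which output and which field tripped the bound, which is the signal a defender wants when a peer starts sending toxic transactions.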
