fix: added checks for max graffiti size

remoterami · remoterami · commit d0a4e7a7a150 · 2025-01-07T12:26:37.000+01:00
diff --git a/backend/pkg/api/data_access/search.go b/backend/pkg/api/data_access/search.go
@@ -100,9 +100,11 @@ func (d *DataAccessService) GetSearchValidatorsByWithdrawalEnsName(ctx context.C
 
 func (d *DataAccessService) GetSearchValidatorsByGraffiti(ctx context.Context, chainId uint64, graffiti string) (*t.SearchValidatorsByGraffiti, error) {
 	// TODO: implement handling of chainid
+	graffitiHex := [32]byte{}
+	copy(graffitiHex[:], graffiti)
 	ret := &t.SearchValidatorsByGraffiti{
 		Graffiti: graffiti,
-		Hex:      hexutil.Encode([]byte(graffiti)),
+		Hex:      hexutil.Encode(graffitiHex[:]),
 	}
 	err := db.ReaderDb.GetContext(ctx, &ret.Count, "select count(distinct proposer) from blocks where graffiti_text = $1;", graffiti)
 	if err != nil {
diff --git a/backend/pkg/api/handlers/input_validation.go b/backend/pkg/api/handlers/input_validation.go
@@ -34,9 +34,9 @@ var (
 	reEthereumAddress              = regexp.MustCompile(`^(0x)?[0-9a-fA-F]{40}$`)
 	reWithdrawalCredential         = regexp.MustCompile(`^(0x0[01])?[0-9a-fA-F]{62}$`)
 	reEnsName                      = regexp.MustCompile(`^.+\.eth$`)
-	reGraffiti                     = regexp.MustCompile(`^.{2,}$`)                     // at least 2 characters, so that queries won't time out
-	reGraffitiHex                  = regexp.MustCompile(`^(0x)?([0-9a-fA-F]{2}){2,}$`) // at least 2 bytes, so that queries won't time out
-	reCursor                       = regexp.MustCompile(`^[A-Za-z0-9-_]+$`)            // has to be base64
+	reGraffiti                     = regexp.MustCompile(`^.{2,32}$`) // at least 2 characters, so that queries won't time out
+	reGraffitiHex                  = regexp.MustCompile(`^(0x)?([0-9a-fA-F]{2}){32}$`)
+	reCursor                       = regexp.MustCompile(`^[A-Za-z0-9-_]+$`) // has to be base64
 	reEmail                        = regexp.MustCompile("^[a-zA-Z0-9.!#$%&'*+/=?^_`{|}~-]+@[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?(?:\\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$")
 	rePassword                     = regexp.MustCompile(`^.{5,}$`)
 	reEmailUserToken               = regexp.MustCompile(`^[a-z0-9]{40}$`)
diff --git a/backend/pkg/api/handlers/search.go b/backend/pkg/api/handlers/search.go
@@ -274,6 +274,10 @@ func (h *HandlerService) handleSearchValidatorsByWithdrawalEnsName(ctx context.C
 }
 
 func (h *HandlerService) handleSearchValidatorsByGraffiti(ctx context.Context, input string, chainId uint64) (*types.SearchResult, error) {
+	// regex could only verify max character length, validate max byte length here
+	if len(input) > 32 {
+		return nil, nil // return no error as to not disturb the other search types
+	}
 	result, err := h.daService.GetSearchValidatorsByGraffiti(ctx, chainId, input)
 	return asSearchResult(validatorsByGraffiti, chainId, result, err)
 }

Original file line number	Diff line number	Diff line change
`@@ -274,6 +274,10 @@ func (h *HandlerService) handleSearchValidatorsByWithdrawalEnsName(ctx context.C`
`274`	`274`	`}`
`275`	`275`
`276`	`276`	`func (h HandlerService) handleSearchValidatorsByGraffiti(ctx context.Context, input string, chainId uint64) (types.SearchResult, error) {`
	`277`	`+ // regex could only verify max character length, validate max byte length here`
	`278`	`+ if len(input) > 32 {`
	`279`	`+ return nil, nil // return no error as to not disturb the other search types`
	`280`	`+ }`
`277`	`281`	`result, err := h.daService.GetSearchValidatorsByGraffiti(ctx, chainId, input)`
`278`	`282`	`return asSearchResult(validatorsByGraffiti, chainId, result, err)`
`279`	`283`	`}`