Rpc Server: WitnessRules potential DDOS

[cschuchardt88]

Summary or problem description
There is a potential problem with rpc server with signer rules. The neo function see below doesn't pass the max depth for json object. This will allow someone to DDOS all Rpc nodes. I will not post the way to do this here.

neo/src/Neo/Network/P2P/Payloads/WitnessRule.cs

Line 63 in 4e9314d

Condition = WitnessCondition.FromJson((JObject)json["condition"])

https://github.com/neo-project/neo-modules/blob/09c2879958a916e0867fc78c64a04edfabe6935f/src/RpcServer/RpcServer.SmartContract.cs#L166-L182

Do you have any solution you want to propose?
Put a max depth

Where in the software does this update applies to?

• RPC (HTTP)

[roman-khimov]

Please check https://github.com/neo-project/neo/security and https://neo.org/bounty for proper reporting of any security issues.

[shargon]

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.server.kestrel.core.kestrelserverlimits.maxrequestbodysize?view=aspnetcore-7.0

By default, Kestrel has a maximum of 30MB for body length and we already have an authentication mechanism; Btw, we can lower this limit.

[cschuchardt88]

But what about Akka? This can affect that as well and ISerializable. But that has limits right? On how big the packet can be? 1MB?

@shargon What is the max allow Conditions for an transaction? If there isn't one I think there should be one.

[shargon]

The neo function see below doesn't pass the max depth for json object

Do you think that's not enough with

neo/src/Neo/Network/P2P/Payloads/Conditions/WitnessCondition.cs

Lines 24 to 25 in 5207956

	private const int MaxSubitems = 16;
	internal const int MaxNestingDepth = 2;

?

[cschuchardt88]

Yes.

but if it isn't than they can send another transaction to make up for it?