feat: enhanced ws server validating logic on json rpc message object and supported methods (#2470) (#2471)

* feat: added new helper methods

Signed-off-by: Logan Nguyen <[email protected]>

* feat: added validation for both the JSON-RPC message object and its corresponding methods

Signed-off-by: Logan Nguyen <[email protected]>

* test: added unit and acceptance tests

Signed-off-by: Logan Nguyen <[email protected]>

---------

Signed-off-by: Logan Nguyen <[email protected]>

Author: quiet-node

packages/ws-server/package.json

@@ -47,7 +47,7 @@
     "compile": "tsc -b tsconfig.json",
     "acceptancetest": "ts-mocha tests/acceptance/index.spec.ts",
     "start": "node dist/index.js",
-    "test": "",
+    "test:unit": "nyc ts-mocha --recursive './tests/unit/**/*.spec.ts' --exit",
     "integration:prerequisite": "ts-node ./tests/helpers/prerequisite.ts"
   },
   "nyc": {

packages/ws-server/src/utils/constants.ts

@@ -89,22 +89,22 @@ export const WS_CONSTANTS = {
   },
   METHODS: {
     ETH_CALL: 'eth_call',
-    ETH_CHAIN_ID: 'eth_chainId',
-    ETH_GET_LOGS: 'eth_getLogs',
-    ETH_GET_CODE: 'eth_getCode',
-    ETH_GAS_PRICE: 'eth_gasPrice',
+    ETH_CHAINID: 'eth_chainId',
+    ETH_GETLOGS: 'eth_getLogs',
+    ETH_GETCODE: 'eth_getCode',
+    ETH_GASPRICE: 'eth_gasPrice',
     ETH_SUBSCRIBE: 'eth_subscribe',
-    ETH_GET_BALANCE: 'eth_getBalance',
+    ETH_GETBALANCE: 'eth_getBalance',
     ETH_UNSUBSCRIBE: 'eth_unsubscribe',
-    ETH_BLOCK_NUMBER: 'eth_blockNumber',
-    ETH_ESTIMATE_GAS: 'eth_estimateGas',
-    ETH_GET_STORAGE_AT: 'eth_getStorageAt',
-    ETH_GET_BLOCK_BY_HASH: 'eth_getBlockByHash',
-    ETH_GET_BLOCK_BY_NUMBER: 'eth_getBlockByNumber',
-    ETH_SEND_RAW_TRANSACTION: 'eth_sendRawTransaction',
-    ETH_GET_TRANSACTION_COUNT: 'eth_getTransactionCount',
-    ETH_GET_TRANSACTION_BY_HASH: 'eth_getTransactionByHash',
-    ETH_GET_TRANSACTION_RECEIPT: 'eth_getTransactionReceipt',
-    ETH_MAX_PRIORITY_FEE_PER_GAS: 'eth_maxPriorityFeePerGas',
+    ETH_BLOCKNUMBER: 'eth_blockNumber',
+    ETH_ESTIMATEGAS: 'eth_estimateGas',
+    ETH_GETSTORAGEAT: 'eth_getStorageAt',
+    ETH_GETBLOCKBYHASH: 'eth_getBlockByHash',
+    ETH_GETBLOCKBYNUMBER: 'eth_getBlockByNumber',
+    ETH_SENDRAWTRANSACTION: 'eth_sendRawTransaction',
+    ETH_GETTRANSACTIONCOUNT: 'eth_getTransactionCount',
+    ETH_GETTRANSACTIONBYHASH: 'eth_getTransactionByHash',
+    ETH_GETTRANSACTIONRECEIPT: 'eth_getTransactionReceipt',
+    ETH_MAXPRIORITYFEEPERGAS: 'eth_maxPriorityFeePerGas',
   },
 };

packages/ws-server/src/utils/utils.ts

@@ -18,10 +18,15 @@
  *
  */
 
-import { predefined, Relay } from '@hashgraph/json-rpc-relay';
+import { WS_CONSTANTS } from './constants';
 import WsMetricRegistry from '../metrics/wsMetricRegistry';
 import ConnectionLimiter from '../metrics/connectionLimiter';
-import { WS_CONSTANTS } from './constants';
+import { predefined, Relay } from '@hashgraph/json-rpc-relay';
+
+const hasOwnProperty = (obj: any, prop: any) => Object.prototype.hasOwnProperty.call(obj, prop);
+const getRequestIdIsOptional = () => {
+  return process.env.REQUEST_ID_IS_OPTIONAL === 'true';
+};
 
 /**
  * Handles the closure of a WebSocket connection.
@@ -130,6 +135,34 @@ export const handleSendingRequestsToRelay = async (
     throw predefined.INTERNAL_ERROR(JSON.stringify(error.message || error));
   }
 };
+/**
+ * Validates a JSON-RPC request to ensure it has the correct JSON-RPC version, method, and id.
+ * @param {any} request - The JSON-RPC request object.
+ * @param {any} logger - The logger instance used for logging.
+ * @param {string} requestIdPrefix - The prefix to use for the request ID.
+ * @param {string} connectionIdPrefix - The prefix to use for the connection ID.
+ * @returns {boolean} A boolean indicating whether the request is valid.
+ */
+export const validateJsonRpcRequest = (
+  request: any,
+  logger: any,
+  requestIdPrefix: string,
+  connectionIdPrefix: string,
+): boolean => {
+  if (
+    request.jsonrpc !== '2.0' ||
+    !hasOwnProperty(request, 'method') ||
+    hasInvalidReqestId(request, logger, requestIdPrefix, connectionIdPrefix) ||
+    !hasOwnProperty(request, 'id')
+  ) {
+    logger.warn(
+      `${connectionIdPrefix} ${requestIdPrefix} Invalid request, body.jsonrpc: ${request.jsonrpc}, body[method]: ${request.method}, body[id]: ${request.id}, ctx.request.method: ${request.method}`,
+    );
+    return false;
+  } else {
+    return true;
+  }
+};
 
 /**
  * Resolves parameters based on the provided method.
@@ -139,7 +172,7 @@ export const handleSendingRequestsToRelay = async (
  */
 export const resolveParams = (method: string, params: any): any[] => {
   switch (method) {
-    case WS_CONSTANTS.METHODS.ETH_GET_LOGS:
+    case WS_CONSTANTS.METHODS.ETH_GETLOGS:
       return [params[0].blockHash, params[0].fromBlock, params[0].toBlock, params[0].address, params[0].topics];
     default:
       return params;
@@ -155,3 +188,40 @@ export const resolveParams = (method: string, params: any): any[] => {
 export const constructRequestTag = (method: string, params: any): string => {
   return JSON.stringify({ method, params });
 };
+
+/**
+ * Verifies if the provided method is supported.
+ * @param {string} method - The method to verify.
+ * @returns {boolean} A boolean indicating whether the method is supported.
+ */
+export const verifySupportedMethod = (method: string): boolean => {
+  return hasOwnProperty(WS_CONSTANTS.METHODS, method.toUpperCase());
+};
+
+/**
+ * Checks if the JSON-RPC request has an invalid ID.
+ * @param {any} request - The JSON-RPC request object.
+ * @param {any} logger - The logger instance used for logging.
+ * @param {string} requestIdPrefix - The prefix to use for the request ID.
+ * @param {string} connectionIdPrefix - The prefix to use for the connection ID.
+ * @returns {boolean} A boolean indicating whether the request ID is invalid.
+ */
+const hasInvalidReqestId = (
+  request: any,
+  logger: any,
+  requestIdPrefix: string,
+  connectionIdPrefix: string,
+): boolean => {
+  const hasId = hasOwnProperty(request, 'id');
+
+  if (getRequestIdIsOptional() && !hasId) {
+    // If the request is invalid, we still want to return a valid JSON-RPC response, default id to 0
+    request.id = '0';
+    logger.warn(
+      `${connectionIdPrefix} ${requestIdPrefix} Optional JSON-RPC 2.0 request id encountered. Will continue and default id to 0 in response`,
+    );
+    return false;
+  }
+
+  return !hasId;
+};

packages/ws-server/src/webSocketServer.ts

@@ -35,7 +35,14 @@ import { Validator } from '@hashgraph/json-rpc-server/dist/validator';
 import { handleEthSubsribe, handleEthUnsubscribe } from './controllers';
 import jsonResp from '@hashgraph/json-rpc-server/dist/koaJsonRpc/lib/RpcResponse';
 import { type Relay, RelayImpl, predefined, JsonRpcError } from '@hashgraph/json-rpc-relay';
-import { sendToClient, handleConnectionClose, handleSendingRequestsToRelay } from './utils/utils';
+import { InvalidRequest, MethodNotFound } from '@hashgraph/json-rpc-server/dist/koaJsonRpc/lib/RpcError';
+import {
+  sendToClient,
+  validateJsonRpcRequest,
+  handleConnectionClose,
+  verifySupportedMethod,
+  handleSendingRequestsToRelay,
+} from './utils/utils';
 
 const mainLogger = pino({
   name: 'hedera-json-rpc-relay',
@@ -113,9 +120,22 @@ app.ws.use(async (ctx) => {
       return;
     }
 
+    // validate request's jsonrpc object
+    if (!validateJsonRpcRequest(request, logger, requestIdPrefix, connectionIdPrefix)) {
+      ctx.websocket.send(JSON.stringify(jsonResp(request.id || null, new InvalidRequest(), undefined)));
+      return;
+    }
+
     // Extract the method and parameters from the received request
     const { method, params } = request;
 
+    // verify supported method
+    if (!verifySupportedMethod(method)) {
+      ctx.websocket.send(JSON.stringify(jsonResp(request.id || null, new MethodNotFound(method), undefined)));
+      logger.warn(`${connectionIdPrefix} ${requestIdPrefix}: Method not found: ${method}`);
+      return;
+    }
+
     logger.debug(`${connectionIdPrefix} ${requestIdPrefix}: Method: ${method}. Params: ${JSON.stringify(params)}`);
 
     // Increment metrics for the received method

packages/ws-server/tests/acceptance/validations.spec.ts

@@ -0,0 +1,113 @@
+/*-
+ *
+ * Hedera JSON RPC Relay
+ *
+ * Copyright (C) 2024 Hedera Hashgraph, LLC
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+// external resources
+import WebSocket from 'ws';
+import { expect } from 'chai';
+import { ethers, WebSocketProvider } from 'ethers';
+import { WsTestConstant, WsTestHelper } from '../helper';
+import { InvalidRequest, MethodNotFound } from '@hashgraph/json-rpc-server/dist/koaJsonRpc/lib/RpcError';
+
+describe('@web-socket-batch-1 JSON-RPC requests validation', async function () {
+  const METHOD_NAME = 'eth_blockNumber';
+  const INVALID_REQUESTS = [
+    {
+      id: '1',
+      method: METHOD_NAME,
+      params: [],
+    },
+    {
+      id: '1',
+      jsonrpc: '2.0',
+      params: [],
+    },
+    {
+      id: '1',
+      jsonrpc: 'hedera',
+      method: METHOD_NAME,
+      params: [],
+    },
+  ];
+
+  const UNSUPPORTED_METHODS = ['eth_getChainId', 'getLogs', 'ethCall', 'blockNum', 'getGasPrice'];
+
+  let ethersWsProvider: WebSocketProvider;
+
+  beforeEach(async () => {
+    ethersWsProvider = new ethers.WebSocketProvider(WsTestConstant.WS_RELAY_URL);
+  });
+
+  afterEach(async () => {
+    if (ethersWsProvider) await ethersWsProvider.destroy();
+  });
+
+  after(async () => {
+    // expect all the connections to the WS server to be closed after all
+    expect(global.socketServer._connections).to.eq(0);
+  });
+
+  describe(WsTestConstant.STANDARD_WEB_SOCKET, () => {
+    beforeEach(() => {
+      process.env.REQUEST_ID_IS_OPTIONAL = 'true';
+    });
+    afterEach(() => {
+      delete process.env.REQUEST_ID_IS_OPTIONAL;
+    });
+
+    for (const request of INVALID_REQUESTS) {
+      it('Should reject the requests because of the invalid JSON-RPC requests', async () => {
+        const webSocket = new WebSocket(WsTestConstant.WS_RELAY_URL);
+
+        let response: any;
+
+        webSocket.on('open', () => {
+          webSocket.send(JSON.stringify(request));
+        });
+
+        webSocket.on('message', (data: string) => {
+          response = JSON.parse(data);
+        });
+
+        while (!response) {
+          await new Promise((resolve) => setTimeout(resolve, 500));
+        }
+
+        const invalidRequest = new InvalidRequest();
+
+        expect(response.error).to.exist;
+        expect(response.error.message).to.eq(invalidRequest.message);
+        expect(response.error.code).to.eq(invalidRequest.code);
+
+        webSocket.close();
+      });
+    }
+
+    for (const method of UNSUPPORTED_METHODS) {
+      it('Should reject the requests because of the invalid JSON-RPC methods', async () => {
+        const response = await WsTestHelper.sendRequestToStandardWebSocket(method, []);
+
+        const methodNotFound = new MethodNotFound(method);
+        expect(response.error).to.exist;
+        expect(response.error.message).to.eq(methodNotFound.message);
+        expect(response.error.code).to.eq(methodNotFound.code);
+      });
+    }
+  });
+});