Fix validation of max addresses/topics on filter-related endpoints

Author: m-Peter

api/pull.go

@@ -247,6 +247,10 @@ func (api *PullAPI) NewFilter(ctx context.Context, criteria filters.FilterCriter
 		return "", err
 	}
 
+	if !logs.ValidCriteriaLimits(criteria) {
+		return "", errs.ErrExceedLogQueryLimit
+	}
+
 	latest, err := api.blocks.LatestEVMHeight()
 	if err != nil {
 		return "", err

api/stream.go

@@ -14,6 +14,7 @@ import (
 	"github.com/onflow/flow-evm-gateway/config"
 	ethTypes "github.com/onflow/flow-evm-gateway/eth/types"
 	"github.com/onflow/flow-evm-gateway/models"
+	errs "github.com/onflow/flow-evm-gateway/models/errors"
 	"github.com/onflow/flow-evm-gateway/services/logs"
 	"github.com/onflow/flow-evm-gateway/storage"
 )
@@ -92,6 +93,10 @@ func (s *StreamAPI) NewPendingTransactions(ctx context.Context, fullTx *bool) (*
 
 // Logs creates a subscription that fires for all new log that match the given filter criteria.
 func (s *StreamAPI) Logs(ctx context.Context, criteria filters.FilterCriteria) (*rpc.Subscription, error) {
+	if !logs.ValidCriteriaLimits(criteria) {
+		return nil, errs.ErrExceedLogQueryLimit
+	}
+
 	return newSubscription(
 		ctx,
 		s.logger,

models/errors/errors.go

@@ -16,6 +16,7 @@ var (
 	ErrEndpointNotSupported = errors.New("endpoint is not supported")
 	ErrRateLimit            = errors.New("limit of requests per second reached")
 	ErrIndexOnlyMode        = errors.New("transaction submission not allowed in index-only mode")
+	ErrExceedLogQueryLimit  = errors.New("exceed max addresses or topics per search position")
 
 	// General errors
 

services/logs/filter.go

@@ -11,6 +11,8 @@ import (
 	"github.com/onflow/flow-evm-gateway/storage"
 )
 
+const LogQueryLimit = 1000
+
 // RangeFilter matches all the indexed logs within the range defined as
 // start and end block height. The start must be strictly smaller or equal than end value.
 type RangeFilter struct {
@@ -24,6 +26,10 @@ func NewRangeFilter(
 	criteria filters.FilterCriteria,
 	receipts storage.ReceiptIndexer,
 ) (*RangeFilter, error) {
+	if !ValidCriteriaLimits(criteria) {
+		return nil, errs.ErrExceedLogQueryLimit
+	}
+
 	// make sure that beginning number is not bigger than end
 	if start > end {
 		return nil, fmt.Errorf(
@@ -100,6 +106,10 @@ func NewIDFilter(
 	blocks storage.BlockIndexer,
 	receipts storage.ReceiptIndexer,
 ) (*IDFilter, error) {
+	if !ValidCriteriaLimits(criteria) {
+		return nil, errs.ErrExceedLogQueryLimit
+	}
+
 	if criteria.BlockHash == nil {
 		return nil, fmt.Errorf("filter criteria should have a non-nil block hash")
 	}
@@ -161,6 +171,20 @@ func ExactMatch(log *gethTypes.Log, criteria filters.FilterCriteria) bool {
 	return slices.Contains(criteria.Addresses, log.Address)
 }
 
+func ValidCriteriaLimits(criteria filters.FilterCriteria) bool {
+	if len(criteria.Addresses) > LogQueryLimit {
+		return false
+	}
+
+	for _, topics := range criteria.Topics {
+		if len(topics) > LogQueryLimit {
+			return false
+		}
+	}
+
+	return true
+}
+
 // bloomMatch takes a bloom value and tests if the addresses and topics provided pass the bloom filter.
 // This acts as a fast probabilistic test that might produce false-positives but not false-negatives.
 // If true is returned we should further check against the exactMatch to really make sure the log is matched.

tests/web3js/eth_filter_endpoints_test.js

@@ -75,7 +75,7 @@ describe('eth_newFilter', async () => {
         let response = await helpers.callRPCMethod('eth_newFilter', [blockRangeFilter])
         assert.equal(response.status, 200)
         assert.isDefined(response.body.error)
-        assert.equal(response.body.error.message, 'invalid argument 0: exceed max addresses')
+        assert.equal(response.body.error.message, 'exceed max addresses or topics per search position')
 
         let blockHashFilter = {
             blockHash: latestBlock.hash,
@@ -86,7 +86,7 @@ describe('eth_newFilter', async () => {
         response = await helpers.callRPCMethod('eth_newFilter', [blockHashFilter])
         assert.equal(response.status, 200)
         assert.isDefined(response.body.error)
-        assert.equal(response.body.error.message, 'invalid argument 0: exceed max addresses')
+        assert.equal(response.body.error.message, 'exceed max addresses or topics per search position')
     })
 
     it('should validate max number of sub-topics', async () => {

tests/web3js/eth_logs_filtering_test.js

@@ -252,7 +252,7 @@ it('validates max number of allowed addresses', async () => {
     let response = await helpers.callRPCMethod('eth_getLogs', [blockRangeFilter])
     assert.equal(response.status, 200)
     assert.isDefined(response.body.error)
-    assert.equal(response.body.error.message, 'invalid argument 0: exceed max addresses')
+    assert.equal(response.body.error.message, 'exceed max addresses or topics per search position')
 
     let blockHashFilter = {
         blockHash: latestBlock.hash,
@@ -263,7 +263,7 @@ it('validates max number of allowed addresses', async () => {
     response = await helpers.callRPCMethod('eth_getLogs', [blockHashFilter])
     assert.equal(response.status, 200)
     assert.isDefined(response.body.error)
-    assert.equal(response.body.error.message, 'invalid argument 0: exceed max addresses')
+    assert.equal(response.body.error.message, 'exceed max addresses or topics per search position')
 })
 
 it('validates max number of allowed sub-topics', async () => {

tests/web3js/eth_streaming_filters_test.js

@@ -254,7 +254,7 @@ it('should validate max number of addresses', async () => {
     } catch (err) {
         assert.equal(
             err.innerError.message,
-            'invalid argument 1: exceed max addresses'
+            'exceed max addresses or topics per search position'
         )
     }
 
@@ -270,7 +270,7 @@ it('should validate max number of addresses', async () => {
     } catch (err) {
         assert.equal(
             err.innerError.message,
-            'invalid argument 1: exceed max addresses'
+            'exceed max addresses or topics per search position'
         )
     }