feat: validate get clarity metadata key format

Author: hugoclrd

clarity/src/vm/database/clarity_db.rs

@@ -76,6 +76,68 @@ pub enum StoreType {
     PoxUnlockHeight = 0x15,
 }
 
+impl TryFrom<&str> for StoreType {
+    type Error = String;
+
+    fn try_from(value: &str) -> core::result::Result<Self, Self::Error> {
+        use self::StoreType::*;
+
+        let hex_value = u8::from_str_radix(value, 10).map_err(|e| e.to_string())?;
+        match hex_value {
+            0x00 => Ok(DataMap),
+            0x01 => Ok(Variable),
+            0x02 => Ok(FungibleToken),
+            0x03 => Ok(CirculatingSupply),
+            0x04 => Ok(NonFungibleToken),
+            0x05 => Ok(DataMapMeta),
+            0x06 => Ok(VariableMeta),
+            0x07 => Ok(FungibleTokenMeta),
+            0x08 => Ok(NonFungibleTokenMeta),
+            0x09 => Ok(Contract),
+            0x10 => Ok(SimmedBlock),
+            0x11 => Ok(SimmedBlockHeight),
+            0x12 => Ok(Nonce),
+            0x13 => Ok(STXBalance),
+            0x14 => Ok(PoxSTXLockup),
+            0x15 => Ok(PoxUnlockHeight),
+            _ => Err("Invalid StoreType".into()),
+        }
+    }
+}
+
+pub enum ContractDataVarName {
+    Contract,
+    ContractSize,
+    ContractSrc,
+    ContractDataSize,
+}
+
+impl ContractDataVarName {
+    pub fn as_str(&self) -> &str {
+        match self {
+            Self::Contract => "contract",
+            Self::ContractSize => "contract-size",
+            Self::ContractSrc => "contract-src",
+            Self::ContractDataSize => "contract-data-size",
+        }
+    }
+}
+
+impl TryFrom<&str> for ContractDataVarName {
+    type Error = String;
+
+    fn try_from(value: &str) -> core::result::Result<Self, Self::Error> {
+        use self::ContractDataVarName::*;
+        match value {
+            "contract" => Ok(Contract),
+            "contract-size" => Ok(ContractSize),
+            "contract-src" => Ok(ContractSrc),
+            "contract-data-size" => Ok(ContractDataSize),
+            _ => Err("Invalid ContractDataVarName".into()),
+        }
+    }
+}
+
 pub struct ClarityDatabase<'a> {
     pub store: RollbackWrapper<'a>,
     headers_db: &'a dyn HeadersDB,
@@ -576,12 +638,18 @@ impl<'a> ClarityDatabase<'a> {
         self.store
             .prepare_for_contract_metadata(contract_identifier, hash)?;
         // insert contract-size
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-size");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractSize.as_str(),
+        );
         self.insert_metadata(contract_identifier, &key, &(contract_content.len() as u64))?;
 
         // insert contract-src
         if STORE_CONTRACT_SRC_INTERFACE {
-            let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-src");
+            let key = ClarityDatabase::make_metadata_key(
+                StoreType::Contract,
+                ContractDataVarName::ContractSrc.as_str(),
+            );
             self.insert_metadata(contract_identifier, &key, &contract_content.to_string())?;
         }
         Ok(())
@@ -591,7 +659,10 @@ impl<'a> ClarityDatabase<'a> {
         &mut self,
         contract_identifier: &QualifiedContractIdentifier,
     ) -> Option<String> {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-src");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractSrc.as_str(),
+        );
         self.fetch_metadata(contract_identifier, &key)
             .ok()
             .flatten()
@@ -700,15 +771,21 @@ impl<'a> ClarityDatabase<'a> {
         &mut self,
         contract_identifier: &QualifiedContractIdentifier,
     ) -> Result<u64> {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-size");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractSize.as_str(),
+        );
         let contract_size: u64 =
             self.fetch_metadata(contract_identifier, &key)?
                 .ok_or_else(|| {
                     InterpreterError::Expect(
             "Failed to read non-consensus contract metadata, even though contract exists in MARF."
         .into())
                 })?;
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-data-size");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractDataSize.as_str(),
+        );
         let data_size: u64 = self
             .fetch_metadata(contract_identifier, &key)?
             .ok_or_else(|| {
@@ -727,7 +804,10 @@ impl<'a> ClarityDatabase<'a> {
         contract_identifier: &QualifiedContractIdentifier,
         data_size: u64,
     ) -> Result<()> {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-size");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractSize.as_str(),
+        );
         let contract_size: u64 =
             self.fetch_metadata(contract_identifier, &key)?
                 .ok_or_else(|| {
@@ -737,7 +817,10 @@ impl<'a> ClarityDatabase<'a> {
                 })?;
         contract_size.cost_overflow_add(data_size)?;
 
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract-data-size");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::ContractDataSize.as_str(),
+        );
         self.insert_metadata(contract_identifier, &key, &data_size)?;
         Ok(())
     }
@@ -747,21 +830,30 @@ impl<'a> ClarityDatabase<'a> {
         contract_identifier: &QualifiedContractIdentifier,
         contract: Contract,
     ) -> Result<()> {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::Contract.as_str(),
+        );
         self.insert_metadata(contract_identifier, &key, &contract)?;
         Ok(())
     }
 
     pub fn has_contract(&mut self, contract_identifier: &QualifiedContractIdentifier) -> bool {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::Contract.as_str(),
+        );
         self.store.has_metadata_entry(contract_identifier, &key)
     }
 
     pub fn get_contract(
         &mut self,
         contract_identifier: &QualifiedContractIdentifier,
     ) -> Result<Contract> {
-        let key = ClarityDatabase::make_metadata_key(StoreType::Contract, "contract");
+        let key = ClarityDatabase::make_metadata_key(
+            StoreType::Contract,
+            ContractDataVarName::Contract.as_str(),
+        );
         let mut data: Contract = self.fetch_metadata(contract_identifier, &key)?
             .ok_or_else(|| InterpreterError::Expect(
                 "Failed to read non-consensus contract metadata, even though contract exists in MARF."

stackslib/src/net/api/getclaritymetadata.rs

@@ -15,6 +15,8 @@
 // along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 use clarity::vm::clarity::ClarityConnection;
+use clarity::vm::database::clarity_db::ContractDataVarName;
+use clarity::vm::database::StoreType;
 use clarity::vm::representations::{CONTRACT_NAME_REGEX_STRING, STANDARD_PRINCIPAL_REGEX_STRING};
 use clarity::vm::types::QualifiedContractIdentifier;
 use clarity::vm::ContractName;
@@ -37,7 +39,7 @@ lazy_static! {
     static ref CLARITY_NAME_NO_BOUNDARIES_REGEX_STRING: String =
         "[a-zA-Z]([a-zA-Z0-9]|[-_!?+<>=/*])*|[-+=/*]|[<>]=?".into();
     static ref METADATA_KEY_REGEX_STRING: String = format!(
-        r"vm-metadata::\d+::(contract|contract-size|contract-src|contract-data-size|({}))",
+        r"vm-metadata::(?P<data_type>(\d{{1,2}}))::(?P<var_name>(contract|contract-size|contract-src|contract-data-size|({})))",
         *CLARITY_NAME_NO_BOUNDARIES_REGEX_STRING,
     );
 }
@@ -81,8 +83,6 @@ impl HttpRequest for RPCGetClarityMetadataRequestHandler {
         "/v2/clarity/metadata/:principal/:contract_name/:clarity_metadata_key"
     }
 
-    /// Try to decode this request.
-    /// There's nothing to load here, so just make sure the request is well-formed.
     fn try_parse_request(
         &mut self,
         preamble: &HttpRequestPreamble,
@@ -98,13 +98,43 @@ impl HttpRequest for RPCGetClarityMetadataRequestHandler {
 
         let contract_identifier = request::get_contract_address(captures, "address", "contract")?;
 
-        let metadata_key = if let Some(key_str) = captures.name("clarity_metadata_key") {
-            key_str.as_str().to_string()
-        } else {
-            return Err(Error::Http(
-                404,
-                "Missing `clarity_metadata_key`".to_string(),
-            ));
+        // Validate that the metadata key is well-formed. It must be of data type:
+        //   DataMapMeta (5) | VariableMeta (6) | FungibleTokenMeta (7) | NonFungibleTokenMeta (8)
+        //   or Contract (9) followed by a valid contract metadata name
+        match captures
+            .name("data_type")
+            .and_then(|data_type| StoreType::try_from(data_type.as_str()).ok())
+        {
+            Some(data_type) => match data_type {
+                StoreType::DataMapMeta
+                | StoreType::VariableMeta
+                | StoreType::FungibleTokenMeta
+                | StoreType::NonFungibleTokenMeta => {}
+                StoreType::Contract => {
+                    if captures
+                        .name("var_name")
+                        .and_then(|var_name| ContractDataVarName::try_from(var_name.as_str()).ok())
+                        .is_none()
+                    {
+                        return Err(Error::DecodeError("Invalid metadata var name".to_string()));
+                    }
+                }
+                _ => {
+                    return Err(Error::DecodeError("Invalid metadata type".to_string()));
+                }
+            },
+            None => {
+                return Err(Error::DecodeError("Invalid metadata type".to_string()));
+            }
+        }
+
+        let metadata_key = match captures.name("clarity_metadata_key") {
+            Some(key_str) => key_str.as_str().to_string(),
+            None => {
+                return Err(Error::DecodeError(
+                    "Missing `clarity_metadata_key`".to_string(),
+                ));
+            }
         };
 
         self.contract_identifier = Some(contract_identifier);

stackslib/src/net/api/tests/getclaritymarfvalue.rs

@@ -89,7 +89,7 @@ fn test_try_make_response() {
 
     let mut requests = vec![];
 
-    // query existing
+    // query existing marf value
     let request = StacksHttpRequest::new_getclaritymarf(
         addr.into(),
         TrieHash::from_key("vm::ST2DS4MSWSGJ3W9FBC6BVT0Y92S345HY8N3T6AV7R.hello-world::1::bar"),

stackslib/src/net/api/tests/getclaritymetadata.rs

@@ -26,11 +26,12 @@ use stacks_common::types::Address;
 use super::test_rpc;
 use crate::net::api::*;
 use crate::net::connection::ConnectionOptions;
+use crate::net::http::Error as HttpError;
 use crate::net::httpcore::{
     HttpPreambleExtensions, HttpRequestContentsExtensions, RPCRequestHandler, StacksHttp,
     StacksHttpRequest,
 };
-use crate::net::{ProtocolFamily, TipRequest};
+use crate::net::{Error as NetError, ProtocolFamily, TipRequest};
 
 #[test]
 fn test_try_parse_request() {
@@ -85,6 +86,76 @@ fn test_try_parse_request() {
     assert!(handler.clarity_metadata_key.is_none());
 }
 
+#[test]
+fn test_try_parse_invalid_store_type() {
+    let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 33333);
+    let mut http = StacksHttp::new(addr.clone(), &ConnectionOptions::default());
+
+    let request = StacksHttpRequest::new_getclaritymetadata(
+        addr.into(),
+        StacksAddress::from_string("ST2DS4MSWSGJ3W9FBC6BVT0Y92S345HY8N3T6AV7R").unwrap(),
+        "hello-world".try_into().unwrap(),
+        "vm-metadata::2::contract-size".to_string(),
+        TipRequest::SpecificTip(StacksBlockId([0x22; 32])),
+    );
+    assert_eq!(
+        request.contents().tip_request(),
+        TipRequest::SpecificTip(StacksBlockId([0x22; 32]))
+    );
+    let bytes = request.try_serialize().unwrap();
+
+    let (parsed_preamble, offset) = http.read_preamble(&bytes).unwrap();
+    let mut handler = getclaritymetadata::RPCGetClarityMetadataRequestHandler::new();
+    let parsed_request_err = http
+        .handle_try_parse_request(
+            &mut handler,
+            &parsed_preamble.expect_request(),
+            &bytes[offset..],
+        )
+        .unwrap_err();
+
+    assert_eq!(
+        parsed_request_err,
+        HttpError::DecodeError("Invalid metadata type".to_string()).into()
+    );
+    handler.restart();
+}
+
+#[test]
+fn test_try_parse_invalid_contract_metadata_var_name() {
+    let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 33333);
+    let mut http = StacksHttp::new(addr.clone(), &ConnectionOptions::default());
+
+    let request = StacksHttpRequest::new_getclaritymetadata(
+        addr.into(),
+        StacksAddress::from_string("ST2DS4MSWSGJ3W9FBC6BVT0Y92S345HY8N3T6AV7R").unwrap(),
+        "hello-world".try_into().unwrap(),
+        "vm-metadata::9::contract-invalid-key".to_string(),
+        TipRequest::SpecificTip(StacksBlockId([0x22; 32])),
+    );
+    assert_eq!(
+        request.contents().tip_request(),
+        TipRequest::SpecificTip(StacksBlockId([0x22; 32]))
+    );
+    let bytes = request.try_serialize().unwrap();
+
+    let (parsed_preamble, offset) = http.read_preamble(&bytes).unwrap();
+    let mut handler = getclaritymetadata::RPCGetClarityMetadataRequestHandler::new();
+    let parsed_request_err = http
+        .handle_try_parse_request(
+            &mut handler,
+            &parsed_preamble.expect_request(),
+            &bytes[offset..],
+        )
+        .unwrap_err();
+
+    assert_eq!(
+        parsed_request_err,
+        HttpError::DecodeError("Invalid metadata var name".to_string()).into()
+    );
+    handler.restart();
+}
+
 #[test]
 fn test_try_parse_request_for_analysis() {
     let addr = SocketAddr::new(IpAddr::V4(Ipv4Addr::new(127, 0, 0, 1)), 33333);