rpc: add method name length limit #31711
Merged
+84
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
We control which RPC methods are registered in Geth. I don't see the practical gain from including this PR. |
Even though Geth only registers a fixed set of RPC methods, the error handler currently echoes the entire (unknown) method name back to the caller. An attacker can exploit this by sending a request whose method field is arbitrarily long; Geth will then include that same string verbatim in the error payload. The result is roughly a 2 × bandwidth amplification (request bytes + reflected bytes) that can be repeated at scale to waste network and CPU resources. Returning a constant error message—or at least truncating the reflected method name—would close this vector with virtually no downside. |
jakub-freebit
pushed a commit
to fblch/go-ethereum
that referenced
this pull request
Jul 3, 2025
This change adds a limit for RPC method names to prevent potential abuse where large method names could lead to large response sizes. The limit is enforced in: - handleCall for regular RPC method calls - handleSubscribe for subscription method calls Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions. --------- Co-authored-by: Felix Lange <[email protected]>
howjmay
pushed a commit
to iotaledger/go-ethereum
that referenced
this pull request
Aug 27, 2025
This change adds a limit for RPC method names to prevent potential abuse where large method names could lead to large response sizes. The limit is enforced in: - handleCall for regular RPC method calls - handleSubscribe for subscription method calls Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions. --------- Co-authored-by: Felix Lange <[email protected]>
gzliudan
pushed a commit
to gzliudan/XDPoSChain
that referenced
this pull request
Sep 1, 2025
This change adds a limit for RPC method names to prevent potential abuse where large method names could lead to large response sizes. The limit is enforced in: - handleCall for regular RPC method calls - handleSubscribe for subscription method calls Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions. --------- Co-authored-by: Felix Lange <[email protected]>
19 tasks
gzliudan
added a commit
to XinFinOrg/XDPoSChain
that referenced
this pull request
Sep 3, 2025
This change adds a limit for RPC method names to prevent potential abuse where large method names could lead to large response sizes. The limit is enforced in: - handleCall for regular RPC method calls - handleSubscribe for subscription method calls Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions. --------- Co-authored-by: Matus Kysel <[email protected]> Co-authored-by: Felix Lange <[email protected]>
gballet
pushed a commit
to gballet/go-ethereum
that referenced
this pull request
Sep 11, 2025
This change adds a limit for RPC method names to prevent potential abuse where large method names could lead to large response sizes. The limit is enforced in: - handleCall for regular RPC method calls - handleSubscribe for subscription method calls Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions. --------- Co-authored-by: Felix Lange <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
rpc: add method name length limit
This change adds a limit of 256 characters for RPC method names to prevent potential abuse where large method names could lead to large response sizes.
The limit is enforced in:
Added tests in websocket_test.go to verify the length limit functionality for both regular method calls and subscriptions.