Enforce content-length validation on sender and size limits on payjoin-cli

Author: GideonBature

Cargo-minimal.lock

@@ -2569,6 +2569,7 @@ dependencies = [
  "hyper",
  "hyper-rustls",
  "hyper-util",
+ "log",
  "nix",
  "payjoin",
  "payjoin-test-utils",
@@ -2577,6 +2578,7 @@ dependencies = [
  "rcgen",
  "reqwest",
  "rusqlite",
+ "rustls 0.22.4",
  "serde",
  "serde_json",
  "sled",
@@ -3155,6 +3157,7 @@ dependencies = [
  "base64 0.22.1",
  "bytes",
  "futures-core",
+ "futures-util",
  "http",
  "http-body",
  "http-body-util",
@@ -3175,12 +3178,14 @@ dependencies = [
  "sync_wrapper",
  "tokio",
  "tokio-rustls",
+ "tokio-util",
  "tower",
  "tower-http",
  "tower-service",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
+ "wasm-streams",
  "web-sys",
  "webpki-roots 1.0.2",
 ]
@@ -3287,6 +3292,20 @@ dependencies = [
  "sct",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.22.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+dependencies = [
+ "log",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.31"
@@ -3344,6 +3363,17 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.4"
@@ -4682,12 +4712,13 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.43"
+version = "0.4.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
 dependencies = [
  "cfg-if",
  "js-sys",
+ "once_cell",
  "wasm-bindgen",
  "web-sys",
 ]
@@ -4724,11 +4755,24 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "wasm-streams"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
+dependencies = [
+ "futures-util",
+ "js-sys",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
 [[package]]
 name = "web-sys"
-version = "0.3.70"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
 dependencies = [
  "js-sys",
  "wasm-bindgen",

Cargo-recent.lock

@@ -2569,6 +2569,7 @@ dependencies = [
  "hyper",
  "hyper-rustls",
  "hyper-util",
+ "log",
  "nix",
  "payjoin",
  "payjoin-test-utils",
@@ -2577,6 +2578,7 @@ dependencies = [
  "rcgen",
  "reqwest",
  "rusqlite",
+ "rustls 0.22.4",
  "serde",
  "serde_json",
  "sled",
@@ -3155,6 +3157,7 @@ dependencies = [
  "base64 0.22.1",
  "bytes",
  "futures-core",
+ "futures-util",
  "http",
  "http-body",
  "http-body-util",
@@ -3175,12 +3178,14 @@ dependencies = [
  "sync_wrapper",
  "tokio",
  "tokio-rustls",
+ "tokio-util",
  "tower",
  "tower-http",
  "tower-service",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
+ "wasm-streams",
  "web-sys",
  "webpki-roots 1.0.2",
 ]
@@ -3287,6 +3292,20 @@ dependencies = [
  "sct",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.22.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+dependencies = [
+ "log",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.31"
@@ -3344,6 +3363,17 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.4"
@@ -4682,12 +4712,13 @@ dependencies = [
 
 [[package]]
 name = "wasm-bindgen-futures"
-version = "0.4.43"
+version = "0.4.50"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "61e9300f63a621e96ed275155c108eb6f843b6a26d053f122ab69724559dc8ed"
+checksum = "555d470ec0bc3bb57890405e5d4322cc9ea83cebb085523ced7be4144dac1e61"
 dependencies = [
  "cfg-if",
  "js-sys",
+ "once_cell",
  "wasm-bindgen",
  "web-sys",
 ]
@@ -4724,11 +4755,24 @@ dependencies = [
  "unicode-ident",
 ]
 
+[[package]]
+name = "wasm-streams"
+version = "0.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "15053d8d85c7eccdbefef60f06769760a563c7f0a9d6902a13d35c7800b0ad65"
+dependencies = [
+ "futures-util",
+ "js-sys",
+ "wasm-bindgen",
+ "wasm-bindgen-futures",
+ "web-sys",
+]
+
 [[package]]
 name = "web-sys"
-version = "0.3.70"
+version = "0.3.77"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "26fdeaafd9bd129f65e7c031593c24d62186301e0c72c8978fa1678be7d532c0"
+checksum = "33b6dd2ef9186f1f2072e409e99cd22a975331a6b3591b12c764e0e55c60d5d2"
 dependencies = [
  "js-sys",
  "wasm-bindgen",

payjoin-cli/Cargo.toml

@@ -23,7 +23,7 @@ default = ["v2"]
 native-certs = ["reqwest/rustls-tls-native-roots"]
 _manual-tls = ["rcgen", "reqwest/rustls-tls", "hyper-rustls", "payjoin/_manual-tls", "tokio-rustls"]
 v1 = ["payjoin/v1","hyper", "hyper-util", "http-body-util"]
-v2 = ["payjoin/v2", "payjoin/io"]
+v2 = ["payjoin/v2", "payjoin/io", "hyper"]
 
 [dependencies]
 anyhow = "1.0.99"
@@ -40,7 +40,7 @@ payjoin = { version = "0.24.0", default-features = false }
 r2d2 = "0.8.10"
 r2d2_sqlite = "0.22.0"
 rcgen = { version = "0.14.3", optional = true }
-reqwest = { version = "0.12.23", default-features = false, features = ["json", "rustls-tls"] }
+reqwest = { version = "0.12.23", default-features = false, features = ["json", "rustls-tls", "stream"] }
 rusqlite = { version = "0.29.0", features = ["bundled"] }
 serde_json = "1.0.142"
 serde = { version = "1.0.219", features = ["derive"] }
@@ -51,6 +51,8 @@ url = { version = "2.5.4", features = ["serde"] }
 dirs = "6.0.0"
 tracing = "0.1.41"
 tracing-subscriber = { version = "0.3.19", features = ["env-filter"] }
+rustls = { version = "0.22.4", optional = true }
+log = "0.4.27"
 
 [dev-dependencies]
 nix = { version = "0.30.1", features = ["aio", "process", "signal"] }

payjoin-cli/src/app/mod.rs

@@ -1,6 +1,12 @@
 use std::collections::HashMap;
 
+#[cfg(feature = "v1")]
+use anyhow::anyhow;
 use anyhow::Result;
+#[cfg(feature = "v1")]
+use futures::{Stream, StreamExt};
+#[cfg(feature = "v1")]
+use hyper::body::Bytes;
 use payjoin::bitcoin::psbt::Psbt;
 use payjoin::bitcoin::{self, Address, Amount, FeeRate};
 use tokio::signal;
@@ -82,3 +88,22 @@ async fn handle_interrupt(tx: watch::Sender<()>) {
     }
     let _ = tx.send(());
 }
+
+#[cfg(feature = "v1")]
+pub async fn read_limited_body<S, E>(mut stream: S, expected_len: usize) -> Result<Vec<u8>>
+where
+    S: Stream<Item = Result<Bytes, E>> + Unpin,
+    E: std::error::Error + Send + Sync + 'static,
+{
+    let mut body = Vec::with_capacity(expected_len);
+
+    while let Some(chunk) = stream.next().await {
+        let chunk = chunk.map_err(|e| anyhow!("Error reading body chunk: {}", e))?;
+        if body.len() + chunk.len() > expected_len {
+            return Err(anyhow!("Body exceeds expected size of {expected_len} bytes"));
+        }
+        body.extend_from_slice(&chunk);
+    }
+
+    Ok(body)
+}

payjoin-cli/src/app/v1.rs

@@ -23,9 +23,14 @@ use tokio::sync::watch;
 use super::config::Config;
 use super::wallet::BitcoindWallet;
 use super::App as AppTrait;
-use crate::app::{handle_interrupt, http_agent};
+use crate::app::{handle_interrupt, http_agent, read_limited_body};
 use crate::db::Database;
 
+/// 4M block size limit with base64 encoding overhead => maximum reasonable size of content-length
+/// 4_000_000 * 4 / 3 fits in u32
+const MAX_CONTENT_LENGTH: usize = 4_000_000 * 4 / 3;
+
+#[derive(Clone)]
 struct Headers<'a>(&'a hyper::HeaderMap);
 impl payjoin::receive::v1::Headers for Headers<'_> {
     fn get_header(&self, key: &str) -> Option<&str> {
@@ -86,8 +91,22 @@ impl AppTrait for App {
             "Sent fallback transaction hex: {:#}",
             payjoin::bitcoin::consensus::encode::serialize_hex(&fallback_tx)
         );
-        let psbt = ctx.process_response(&response.bytes().await?).map_err(|e| {
-            tracing::debug!("Error processing response: {e:?}");
+
+        let expected_length = response
+            .headers()
+            .get("Content-Length")
+            .and_then(|val| val.to_str().ok())
+            .and_then(|s| s.parse::<usize>().ok())
+            .unwrap_or(MAX_CONTENT_LENGTH);
+
+        if expected_length > MAX_CONTENT_LENGTH {
+            return Err(anyhow!("Response body is too large: {} bytes", expected_length));
+        }
+
+        let body = read_limited_body(response.bytes_stream(), MAX_CONTENT_LENGTH).await?;
+
+        let psbt = ctx.process_response(&body).map_err(|e| {
+            log::debug!("Error processing response: {e:?}");
             anyhow!("Failed to process response {e}")
         })?;
 
@@ -295,12 +314,26 @@ impl App {
     ) -> Result<Response<BoxBody<Bytes, hyper::Error>>, ReplyableError> {
         let (parts, body) = req.into_parts();
         let headers = Headers(&parts.headers);
-        let query_string = parts.uri.query().unwrap_or("");
-        let body = body
-            .collect()
+
+        let expected_length = headers
+            .0
+            .get("Content-Length")
+            .and_then(|val| val.to_str().ok())
+            .and_then(|s| s.parse::<usize>().ok())
+            .unwrap_or(MAX_CONTENT_LENGTH);
+
+        if expected_length > MAX_CONTENT_LENGTH {
+            log::error!("Error: Content length exceeds max allowed");
+            return Err(Implementation(ImplementationError::from(
+                anyhow!("Content length too large: {expected_length}").into_boxed_dyn_error(),
+            )));
+        }
+
+        let body = read_limited_body(body.into_data_stream(), expected_length)
             .await
-            .map_err(|e| Implementation(ImplementationError::new(e)))?
-            .to_bytes();
+            .map_err(|e| Implementation(ImplementationError::from(e.into_boxed_dyn_error())))?;
+
+        let query_string = parts.uri.query().unwrap_or("");
         let proposal = UncheckedOriginalPayload::from_request(&body, query_string, headers)?;
 
         let payjoin_proposal = self.process_v1_proposal(proposal)?;

payjoin-cli/src/app/v2/mod.rs

@@ -71,7 +71,7 @@ impl AppTrait for App {
                 let psbt = self.create_original_psbt(&address, amount, fee_rate)?;
                 let (req, ctx) = payjoin::send::v1::SenderBuilder::from_parts(
                     psbt,
-                    pj_param,
+                    &PjParam::V1(pj_param.clone()),
                     &address,
                     Some(amount),
                 )