From e46d711bf2a4d167ba45ab0690cd9ee9ed1ccc64 Mon Sep 17 00:00:00 2001
From: librelois <c@elo.tf>
Date: Fri, 13 May 2022 02:07:45 +0200
Subject: [PATCH] fix (security): filtered calls should not enter the tx pool.
---
 runtime/common/src/apis.rs | 21 +++++++++++++--------
 runtime/g1/src/lib.rs | 3 ++-
 runtime/gdev/src/lib.rs | 3 ++-
 runtime/gtest/src/lib.rs | 3 ++-
 4 files changed, 19 insertions(+), 11 deletions(-)
diff --git a/runtime/common/src/apis.rs b/runtime/common/src/apis.rs
index 41edbb02f..e2d0ca4cd 100644
--- a/runtime/common/src/apis.rs
+++ b/runtime/common/src/apis.rs
@@ -123,15 +123,20 @@ macro_rules! runtime_apis {
 }
 }
- impl sp_transaction_pool::runtime_api::TaggedTransactionQueue<Block> for Runtime {
- fn validate_transaction(
- source: TransactionSource,
- tx: <Block as BlockT>::Extrinsic,
+ impl sp_transaction_pool::runtime_api::TaggedTransactionQueue<Block> for Runtime {
+ fn validate_transaction(
+ source: TransactionSource,
+ tx: <Block as BlockT>::Extrinsic,
 block_hash: <Block as BlockT>::Hash,
- ) -> TransactionValidity {
- Executive::validate_transaction(source, tx, block_hash)
- }
- }
+ ) -> TransactionValidity {
+ // Filtered calls should not enter the tx pool.
+ if !<Runtime as frame_system::Config>::BaseCallFilter::contains(&tx.function)
+ {
+ return sp_runtime::transaction_validity::InvalidTransaction::Call.into();
+ }
+ Executive::validate_transaction(source, tx, block_hash)
+ }
+ }
 impl sp_offchain::OffchainWorkerApi<Block> for Runtime {
 fn offchain_worker(header: &<Block as BlockT>::Header) {
diff --git a/runtime/g1/src/lib.rs b/runtime/g1/src/lib.rs
index 6ab4dcb8a..2546c4f3c 100644
--- a/runtime/g1/src/lib.rs
+++ b/runtime/g1/src/lib.rs
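Review bot: The new guard in `validate_transaction` tests only the outer call, `tx.function`, so a filtered call carried inside a wrapping call would still pass this check and be admitted to the pool; whether the three runtimes expose such wrapper calls is not visible in this diff. The dispatch-time `BaseCallFilter` presumably remains the authoritative control, and the comment should say so, e.g. `// Pool-admission check on the outer call only; the dispatch-time filter still applies to nested calls.` The diffstat lists no test file, so a regression test asserting that a filtered extrinsic is rejected with `InvalidTransaction::Call` would pin the fix. The surrounding `runtime_apis!` macro body starts and ends outside this hunk.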
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
@@ -121,7 +122,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
 fn contains(call: &Call) -> bool {
 !matches!(
 call,
diff --git a/runtime/gdev/src/lib.rs b/runtime/gdev/src/lib.rs
index d064ffe75..7bc127edf 100644
--- a/runtime/gdev/src/lib.rs
+++ b/runtime/gdev/src/lib.rs
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
@@ -123,7 +124,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
 fn contains(call: &Call) -> bool {
 !matches!(
 call,
diff --git a/runtime/gtest/src/lib.rs b/runtime/gtest/src/lib.rs
index 179d22690..be6b0723a 100644
--- a/runtime/gtest/src/lib.rs
+++ b/runtime/gtest/src/lib.rs
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
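Review bot: The `use frame_support::traits::Contains;` added in this hunk (and identically in the runtime/gdev and runtime/gtest hunks) appears to be what lets the `runtime_apis!` expansion resolve `BaseCallFilter::contains`, so the shared macro now depends on every runtime that invokes it having the trait in scope. Naming the trait at the call site in runtime/common/src/apis.rs would remove that hidden coupling: `if !<<Runtime as frame_system::Config>::BaseCallFilter as frame_support::traits::Contains<_>>::contains(&tx.function)`. Without it, a runtime that omits the import would likely fail with an error pointing into the macro expansion rather than at the missing `use`.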
@@ -122,7 +123,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
 fn contains(call: &Call) -> bool {
 !matches!(
 call,
--
GitLab