fix (security): filtered calls should not enter the tx pool.

e46d711b · Éloïs · 77a8d0bb · e46d711b · e46d711b · e46d711b
Commit e46d711b authored 3 years ago by Éloïs
--- a/runtime/common/src/apis.rs
+++ b/runtime/common/src/apis.rs
@@ -129,6 +129,11 @@ macro_rules! runtime_apis {
 					tx: <Block as BlockT>::Extrinsic,
 					block_hash: <Block as BlockT>::Hash,
 				) -> TransactionValidity {
+					// Filtered calls should not enter the tx pool.
+					if !<Runtime as frame_system::Config>::BaseCallFilter::contains(&tx.function)
+					{
+						return sp_runtime::transaction_validity::InvalidTransaction::Call.into();
+					}
 					Executive::validate_transaction(source, tx, block_hash)
 				}
 			}

--- a/runtime/g1/src/lib.rs
+++ b/runtime/g1/src/lib.rs
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
@@ -121,7 +122,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
    fn contains(call: &Call) -> bool {
        !matches!(
            call,

--- a/runtime/gdev/src/lib.rs
+++ b/runtime/gdev/src/lib.rs
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
@@ -123,7 +124,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
    fn contains(call: &Call) -> bool {
        !matches!(
            call,

--- a/runtime/gtest/src/lib.rs
+++ b/runtime/gtest/src/lib.rs
@@ -41,6 +41,7 @@ pub use sp_runtime::BuildStorage;
 pub use sp_runtime::{KeyTypeId, Perbill, Permill};
 use common_runtime::IdtyNameValidatorImpl;
+use frame_support::traits::Contains;
 use frame_system::EnsureRoot;
 use pallet_grandpa::fg_primitives;
 use pallet_grandpa::{AuthorityId as GrandpaId, AuthorityList as GrandpaAuthorityList};
@@ -122,7 +123,7 @@ pub type Executive = frame_executive::Executive<
 >;
 pub struct BaseCallFilter;
-impl frame_support::traits::Contains<Call> for BaseCallFilter {
+impl Contains<Call> for BaseCallFilter {
    fn contains(call: &Call) -> bool {
        !matches!(
            call,