fix(robustness): guard malformed RPC error JSON + send single-flight (audit #7-8)
- rpc_client::callRaw: a daemon error object is no longer assumed to carry a string "message" — a malformed error now yields a clean "RPC error: <dump>" instead of throwing a json type-exception from .get<std::string>(). - sendTransaction (full-node): add a single-flight guard so a rapid double-click can't issue two z_sendmany before the first returns its opid. The lite path already guarded this; the send form guards it in the UI, but the controller entry point now does too. (#9 from the audit was mostly false positives on verification — all popen sites already null-check and the xmrig download FILE* path has no throwing calls. The payment-URI checksum idea was dropped: the send flow already checksum-validates the recipient before broadcasting, and tightening the parser would reject the placeholder addresses the existing test relies on; added a comment noting this is format-only by design.) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
@@ -2241,6 +2241,15 @@ void App::sendTransaction(const std::string& from, const std::string& to,
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Single-flight guard: a rapid double-click (or any second caller) must not issue two
|
||||||
|
// z_sendmany calls before the first returns its opid. The send form already guards this in the
|
||||||
|
// UI, but the controller entry point must not depend on that. (send_submissions_in_flight_ is
|
||||||
|
// main-thread only: ++ here, -- in the worker's main-thread result callback.)
|
||||||
|
if (send_submissions_in_flight_ > 0) {
|
||||||
|
if (callback) callback(false, "A transaction is already being submitted — please wait.");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
// Check that we have the spending key for the from address
|
// Check that we have the spending key for the from address
|
||||||
if (!from.empty() && from[0] == 'z') {
|
if (!from.empty() && from[0] == 'z') {
|
||||||
bool spendable = false;
|
bool spendable = false;
|
||||||
|
|||||||
@@ -470,7 +470,14 @@ std::string RPCClient::callRaw(const std::string& method, const json& params)
|
|||||||
// Parse with ordered_json to preserve the daemon's original key order
|
// Parse with ordered_json to preserve the daemon's original key order
|
||||||
nlohmann::ordered_json oj = nlohmann::ordered_json::parse(response_data);
|
nlohmann::ordered_json oj = nlohmann::ordered_json::parse(response_data);
|
||||||
if (oj.contains("error") && !oj["error"].is_null()) {
|
if (oj.contains("error") && !oj["error"].is_null()) {
|
||||||
std::string err_msg = oj["error"]["message"].get<std::string>();
|
// A daemon error object normally has a string "message", but don't assume it — a malformed
|
||||||
|
// error (missing/non-string message) must yield a clean RPC error, not a json type-exception.
|
||||||
|
const auto& err = oj["error"];
|
||||||
|
std::string err_msg;
|
||||||
|
if (err.is_object() && err.contains("message") && err["message"].is_string())
|
||||||
|
err_msg = err["message"].get<std::string>();
|
||||||
|
else
|
||||||
|
err_msg = err.dump();
|
||||||
throw std::runtime_error("RPC error: " + err_msg);
|
throw std::runtime_error("RPC error: " + err_msg);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -115,7 +115,9 @@ PaymentURI parsePaymentURI(const std::string& uri)
|
|||||||
return result;
|
return result;
|
||||||
}
|
}
|
||||||
|
|
||||||
// Basic address format check
|
// Basic address format check. NOTE: this is format-only by design — the send flow
|
||||||
|
// checksum-validates the recipient (isValidBase58Check / shielded check) before broadcasting,
|
||||||
|
// so an invalid-checksum address parsed here can never actually be sent to.
|
||||||
bool validFormat = false;
|
bool validFormat = false;
|
||||||
|
|
||||||
// z-address: starts with 'zs' and is 78+ chars
|
// z-address: starts with 'zs' and is 78+ chars
|
||||||
|
|||||||
Reference in New Issue
Block a user