Merge pull request #260 from hermeznetwork/feature/api-fee-check

Check feeAmount overflow in API
2026-02-07 11:26:44 +01:00 · 2020-11-05 14:03:20 +01:00
parent 9ab50135d7 f90f14d0c1
commit 651572cbf3
2 changed files with 16 additions and 2 deletions
--- a/api/txspool.go
+++ b/api/txspool.go
@@ -163,6 +163,11 @@ func verifyPoolL2TxWrite(txw *l2db.PoolL2TxWrite) error {
 	if err != nil {
 		return err
 	}
+	// Validate feeAmount
+	_, err = common.CalcFeeAmount(poolTx.Amount, poolTx.Fee)
+	if err != nil {
+		return err
+	}
 	// Check signature
 	if !poolTx.VerifySignature(account.PublicKey) {
 		return errors.New("wrong signature")
--- a/api/txspool_test.go
+++ b/api/txspool_test.go
@@ -205,14 +205,23 @@ func TestPoolTxs(t *testing.T) {
 		assert.Equal(t, tx.TxID, fetchedTxID)
 	}
 	// 400
-	// Wrong signature
+	// Wrong fee
 	badTx := tc.poolTxsToSend[0]
-	badTx.FromIdx = "hez:foo:1000"
+	badTx.Amount = "99999999999999999999999"
+	badTx.Fee = 255
 	jsonTxBytes, err := json.Marshal(badTx)
 	assert.NoError(t, err)
 	jsonTxReader := bytes.NewReader(jsonTxBytes)
 	err = doBadReq("POST", endpoint, jsonTxReader, 400)
 	assert.NoError(t, err)
+	// Wrong signature
+	badTx = tc.poolTxsToSend[0]
+	badTx.FromIdx = "hez:foo:1000"
+	jsonTxBytes, err = json.Marshal(badTx)
+	assert.NoError(t, err)
+	jsonTxReader = bytes.NewReader(jsonTxBytes)
+	err = doBadReq("POST", endpoint, jsonTxReader, 400)
+	assert.NoError(t, err)
 	// Wrong to
 	badTx = tc.poolTxsToSend[0]
 	ethAddr := "hez:0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF"