fix(rpc): prevent memory exhaustion attack in eth_getStorageAt by limiting storageIdx length

0xbigapple · 0xbigapple · commit 1be7ee5e13f3 · 2026-03-31T18:34:38.000+08:00
diff --git a/framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java b/framework/src/main/java/org/tron/core/services/jsonrpc/TronJsonRpcImpl.java
@@ -535,6 +535,12 @@ private String call(byte[] ownerAddressByte, byte[] contractAddressByte, long va
   @Override
   public String getStorageAt(String address, String storageIdx, String blockNumOrTag)
       throws JsonRpcInvalidParamsException {
+    if (StringUtils.isBlank(storageIdx)
+        || "0x".equalsIgnoreCase(storageIdx)
+        || (storageIdx.startsWith("0x") ? storageIdx.length() > 66 : storageIdx.length() > 64)) {
+      throw new JsonRpcInvalidParamsException("invalid storage index");
+    }
+
     if (EARLIEST_STR.equalsIgnoreCase(blockNumOrTag)
         || PENDING_STR.equalsIgnoreCase(blockNumOrTag)
         || FINALIZED_STR.equalsIgnoreCase(blockNumOrTag)) {
diff --git a/framework/src/test/java/org/tron/core/jsonrpc/JsonrpcServiceTest.java b/framework/src/test/java/org/tron/core/jsonrpc/JsonrpcServiceTest.java
@@ -525,26 +525,49 @@ public void testGetStorageAt() {
     try {
       tronJsonRpc.getStorageAt("", "", "earliest");
       Assert.fail("Expected to be thrown");
+    } catch (Exception e) {
+      Assert.assertEquals("invalid storage index", e.getMessage());
+    }
+
+    try {
+      tronJsonRpc.getStorageAt("", "0", "earliest");
+      Assert.fail("Expected to be thrown");
     } catch (Exception e) {
       Assert.assertEquals("TAG [earliest | pending | finalized] not supported",
           e.getMessage());
     }
 
     try {
-      tronJsonRpc.getStorageAt("", "", "pending");
+      tronJsonRpc.getStorageAt("", "0", "pending");
       Assert.fail("Expected to be thrown");
     } catch (Exception e) {
       Assert.assertEquals("TAG [earliest | pending | finalized] not supported",
           e.getMessage());
     }
 
     try {
-      tronJsonRpc.getStorageAt("", "", "finalized");
+      tronJsonRpc.getStorageAt("", "0", "finalized");
       Assert.fail("Expected to be thrown");
     } catch (Exception e) {
       Assert.assertEquals("TAG [earliest | pending | finalized] not supported",
           e.getMessage());
     }
+
+    try {
+      tronJsonRpc.getStorageAt("",
+          "0x00000000000000000000000000000000000000000000000000000000000000000", "latest");
+      Assert.fail("Expected to be thrown");
+    } catch (Exception e) {
+      Assert.assertEquals("invalid storage index", e.getMessage());
+    }
+
+    try {
+      tronJsonRpc.getStorageAt("",
+          "00000000000000000000000000000000000000000000000000000000000000000", "latest");
+      Assert.fail("Expected to be thrown");
+    } catch (Exception e) {
+      Assert.assertEquals("invalid storage index", e.getMessage());
+    }
   }
 
   @Test
