fix(api): add class loading whitelist and constant call concurrency limit

Barbatos · Barbatos · commit 303e774a8cf0 · 2026-04-02T09:39:11.000+08:00
- RateLimiterServlet: validate adapter class name against ALLOWED_ADAPTERS
  whitelist before Class.forName to prevent arbitrary class loading
- Wallet.triggerConstantContract: add Semaphore (default 8 concurrent)
  with tryAcquire/release to limit constant call parallelism and
  mitigate free-computation DoS. Original logic moved to
  doTriggerConstantContract()
- New config: vm.maxConcurrentConstantCalls
diff --git a/framework/src/main/java/org/tron/core/services/http/RateLimiterServlet.java b/framework/src/main/java/org/tron/core/services/http/RateLimiterServlet.java
@@ -4,6 +4,7 @@
 import io.prometheus.client.Histogram;
 import java.io.IOException;
 import java.lang.reflect.Constructor;
+import java.util.Set;
 import javax.annotation.PostConstruct;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServlet;
@@ -32,6 +33,12 @@
 public abstract class RateLimiterServlet extends HttpServlet {
   private static final String KEY_PREFIX_HTTP = "http_";
   private static final String ADAPTER_PREFIX = "org.tron.core.services.ratelimiter.adapter.";
+  private static final Set<String> ALLOWED_ADAPTERS = Set.of(
+      "GlobalPreemptibleAdapter",
+      "QpsRateLimiterAdapter",
+      "IPQPSRateLimiterAdapter",
+      "DefaultBaseQqsAdapter"
+  );
 
   @Autowired
   private RateLimiterContainer container;
@@ -49,6 +56,10 @@ private void addRateContainer() {
       try {
         cName = item.getStrategy();
         params = item.getParams();
+        if (!ALLOWED_ADAPTERS.contains(cName)) {
+          throw new IllegalArgumentException(
+              "Unknown rate limiter adapter: " + cName);
+        }
         // add the specific rate limiter strategy of servlet.
         Class<?> c = Class.forName(ADAPTER_PREFIX + cName);
         Constructor constructor;
diff --git a/framework/src/test/java/org/tron/core/services/http/RateLimiterWhitelistTest.java b/framework/src/test/java/org/tron/core/services/http/RateLimiterWhitelistTest.java
@@ -0,0 +1,35 @@
+package org.tron.core.services.http;
+
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+
+import java.lang.reflect.Field;
+import java.util.Set;
+import org.junit.Test;
+
+public class RateLimiterWhitelistTest {
+
+  @SuppressWarnings("unchecked")
+  private Set<String> getAllowedAdapters() throws Exception {
+    Field field = RateLimiterServlet.class
+        .getDeclaredField("ALLOWED_ADAPTERS");
+    field.setAccessible(true);
+    return (Set<String>) field.get(null);
+  }
+
+  @Test
+  public void testAllowedAdapters() throws Exception {
+    Set<String> allowed = getAllowedAdapters();
+    assertTrue(allowed.contains("GlobalPreemptibleAdapter"));
+    assertTrue(allowed.contains("QpsRateLimiterAdapter"));
+    assertTrue(allowed.contains("IPQPSRateLimiterAdapter"));
+    assertTrue(allowed.contains("DefaultBaseQqsAdapter"));
+  }
+
+  @Test
+  public void testUnknownAdapterBlocked() throws Exception {
+    Set<String> allowed = getAllowedAdapters();
+    assertFalse(allowed.contains("EvilAdapter"));
+    assertFalse(allowed.contains("java.lang.Runtime"));
+  }
+}
