CRE Gateway: Checks on json request id size to prevent abuse

[prashantkumar1982]

• Put a fixed size limit on json request id in gateway, to prevent abuses.
• Vault Get public key endpoint is unauthenticated, so made its fetching of cached entries efficient and cheap, to prevent potential dos.

[github-actions]

I see you updated files related to core. Please run pnpm changeset in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[patrickhuie19]

are requestIDs well formed? i'm surprised we can't lock in a known limit of the size of the request ID here

[prashantkumar1982]

Here's the spec: https://www.jsonrpc.org/specification
It just needs a unique id that could be a string.
So there's no fixed locked size.

I just think 200 is a safe enough buffer for anyone using any funky way for associating this id to their internal ids.

[patrickhuie19]

@prashantkumar1982 sure, but my understanding is the gateway isn't a domain agnostic rpc proxy. We use it for particular domains, and those domains should have our request patterns well mapped. What is that for the Vault DON? @MStreet3 do you know the max expected request.ID size for HTTP Triggers?

[prashantkumar1982]

For Vault, we don't have any restriction.
All we enforce, is that ids should be unique strings.

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[Copilot]

Pull request overview

Adds request ID length limits to mitigate abuse and refactors Vault public key handling to rely on cached responses for cheaper unauthenticated access.

Changes:

• Enforce a max length (200 chars) on JSON-RPC request IDs in the gateway and Vault handler.
• Refactor Vault PublicKeyGet to return a cached response directly (and adjust periodic cache refresh to use internal handler methods).
• Add/adjust tests for the new request ID limit and the public key caching path.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 3 comments.

File	Description
core/services/gateway/handlers/vault/handler.go	Adds request ID length validation; changes PublicKeyGet to serve cached responses directly; updates periodic cache refresh helper to return errors.
core/services/gateway/handlers/vault/handler_test.go	Updates public key test flow to seed cache via internal methods before asserting cached behavior.
core/services/gateway/gateway.go	Adds request ID length validation at the gateway layer.
core/services/gateway/gateway_test.go	Adds coverage for gateway rejection of overly long request IDs.

Comments suppressed due to low confidence (2)

core/services/gateway/handlers/vault/handler_test.go:764

• This test seeds the public key cache by calling private methods directly, but it no longer covers the cold-cache behavior for a user request (HandleJSONRPCUserMessage with MethodPublicKeyGet). Given the handler change, it would be valuable to add an assertion that the first user request still succeeds (or returns a well-defined error) when the cache is empty.

		"d6da96fe596705b32bc3a0e11cdefad77feaad79000000000000000000000000",
		"327aa349c9718cd36c877d1e90458fe1929768ad000000000000000000000000",
		"e9bf394856d73402b30e160d0e05c847796f0e29000000000000000000000000",
		"efd5bdb6c3256f04489a6ca32654d547297f48b9000000000000000000000000",

core/services/gateway/handlers/vault/handler_test.go:795

• Grammar in this comment is a bit unclear ("make HandleJSONRPCUserMessage request"). Consider rephrasing to something like "make another request via HandleJSONRPCUserMessage" for readability.

		ID:     "request_id",

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[cedric-cordenier]

Nit: maybe handle the error here and log it? I see we do a lot of logging of errors inside fetchVaultPublicKey so we can move that out maybe?

[prashantkumar1982]

I had changed signature of this to call it from tests. But later didn't use it. Reverting it back to old logging.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 4 changed files in this pull request and generated 4 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The magic number 200 for maximum request ID length is duplicated across multiple files (gateway.go and vault/handler.go). Consider defining a constant like MaxRequestIDLength to ensure consistency and make future changes easier to maintain. This constant could be defined in a shared package like core/services/gateway/api/constants.go.

[Copilot]

The request ID length validation logic is duplicated between gateway.go and vault/handler.go. This creates a maintenance burden and risk of inconsistency if the limit needs to be changed. Consider extracting this validation into a shared function or performing it only at the gateway layer to follow the DRY principle.

Suggested change

	if len(req.ID) > 200 {
	// Arbitrary limit to prevent abuse
	return errors.New("request ID is too long: " + strconv.Itoa(len(req.ID)) + ". max is 200 characters")
	}

[cl-sonarqube-production]

Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

[patrickhuie19]

approved. please circle back to my comment on request.id size @prashantkumar1982