[AF] Add limits to strings in core contracts (aptos-labs#4225)

YFDY · Sep 15, 2022 · 8963098 · 8963098
1 parent 041c065
commit 8963098
Show file tree

Hide file tree

Showing 3 changed files with 61 additions and 6 deletions.
diff --git a/aptos-move/framework/aptos-framework/sources/coin.move b/aptos-move/framework/aptos-framework/sources/coin.move
@@ -49,6 +49,19 @@ module aptos_framework::coin {
     /// Cannot upgrade the total supply of coins to different implementation.
     const ECOIN_SUPPLY_UPGRADE_NOT_SUPPORTED: u64 = 11;
 
+    /// Name of the coin is too long
+    const ECOIN_NAME_TOO_LONG: u64 = 12;
+
+    /// Symbol of the coin is too long
+    const ECOIN_SYMBOL_TOO_LONG: u64 = 13;
+
+    //
+    // Constants
+    //
+
+    const MAX_COIN_NAME_LENGTH: u64 = 32;
+    const MAX_COIN_SYMBOL_LENGTH: u64 = 10;
+
     /// Core data structures
 
     /// Main structure representing a coin/token in an account's custody.
@@ -347,6 +360,9 @@ module aptos_framework::coin {
             error::already_exists(ECOIN_INFO_ALREADY_PUBLISHED),
         );
 
+        assert!(string::length(&name) <= MAX_COIN_NAME_LENGTH, error::invalid_argument(ECOIN_NAME_TOO_LONG));
+        assert!(string::length(&symbol) <= MAX_COIN_SYMBOL_LENGTH, error::invalid_argument(ECOIN_SYMBOL_TOO_LONG));
+
         let coin_info = CoinInfo<CoinType> {
             name,
             symbol,

diff --git a/aptos-move/framework/aptos-token/sources/property_map.move b/aptos-move/framework/aptos-token/sources/property_map.move
@@ -9,13 +9,30 @@ module aptos_token::property_map {
     use aptos_std::simple_map::{Self, SimpleMap};
     use aptos_std::type_info::type_name;
 
+    //
+    // Constants
+    //
+
     const MAX_PROPERTY_MAP_SIZE: u64 = 1000;
+    const MAX_PROPERTY_NAME_LENGTH: u64 = 128;
+
+    //
+    // Errors
+    //
+
     const EKEY_AREADY_EXIST_IN_PROPERTY_MAP: u64 = 1;
     const EPROPERTY_NUMBER_EXCEED_LIMIT: u64 = 2;
     const EPROPERTY_NOT_EXIST: u64 = 3;
     const EKEY_COUNT_NOT_MATCH_VALUE_COUNT: u64 = 4;
     const EKEY_COUNT_NOT_MATCH_TYPE_COUNT: u64 = 5;
     const ETYPE_NOT_MATCH: u64 = 6;
+    /// The name (key) of the property is too long
+    const EPROPERTY_MAP_NAME_TOO_LONG: u64 = 7;
+
+
+    //
+    // Structs
+    //
 
     struct PropertyMap has copy, drop, store {
         map: SimpleMap<String, PropertyValue>,
@@ -38,9 +55,11 @@ module aptos_token::property_map {
         };
         let i = 0;
         while (i < vector::length(&keys)) {
+            let key = *vector::borrow(&keys, i);
+            assert!(string::length(&key) <= MAX_PROPERTY_NAME_LENGTH, error::invalid_argument(EPROPERTY_MAP_NAME_TOO_LONG));
             simple_map::add(
                 &mut properties.map,
-                *vector::borrow(&keys, i),
+                key,
                 PropertyValue{ value: *vector::borrow(&values, i), type: *vector::borrow(&types, i) }
             );
             i = i + 1;
@@ -59,7 +78,8 @@ module aptos_token::property_map {
     }
 
     public fun add(map: &mut PropertyMap, key: String, value: PropertyValue) {
-        assert!(! simple_map::contains_key(&map.map, &key), error::already_exists(EKEY_AREADY_EXIST_IN_PROPERTY_MAP));
+        assert!(string::length(&key) <= MAX_PROPERTY_NAME_LENGTH, error::invalid_argument(EPROPERTY_MAP_NAME_TOO_LONG));
+        assert!(!simple_map::contains_key(&map.map, &key), error::already_exists(EKEY_AREADY_EXIST_IN_PROPERTY_MAP));
         assert!(simple_map::length<String, PropertyValue>(&map.map) < MAX_PROPERTY_MAP_SIZE, error::invalid_state(EPROPERTY_NUMBER_EXCEED_LIMIT));
         simple_map::add(&mut map.map, key, value);
     }

diff --git a/aptos-move/framework/aptos-token/sources/token.move b/aptos-move/framework/aptos-token/sources/token.move
@@ -2,7 +2,7 @@
 module aptos_token::token {
     use std::error;
     use std::signer;
-    use std::string::String;
+    use std::string::{Self, String};
     use std::vector;
     use std::option::{Self, Option};
 
@@ -22,6 +22,15 @@ module aptos_token::token {
     const COLLECTION_URI_MUTABLE_IND: u64 = 1;
     const COLLECTION_MAX_MUTABLE_IND: u64 = 2;
 
+    const MAX_COLLECTION_NAME_LENGTH: u64 = 128;
+    const MAX_NFT_NAME_LENGTH: u64 = 128;
+    // URI lengths: Mean: 76.97, StdDev: 37.41, 95th%: 157, 99th%: 199 (http://www.supermind.org/blog/740/average-length-of-a-url-part-2)
+    const MAX_URI_LENGTH: u64 = 512;
+
+    //
+    // Constants
+    //
+
     const EALREADY_HAS_BALANCE: u64 = 0;
     const EBALANCE_NOT_PUBLISHED: u64 = 1;
     const ECOLLECTIONS_NOT_PUBLISHED: u64 = 2;
@@ -47,6 +56,12 @@ module aptos_token::token {
     const EWITHDRAW_ZERO: u64 = 22;
     const ENOT_TRACKING_SUPPLY: u64 = 23;
     const ENFT_NOT_SPLITABLE: u64 = 24;
+    /// The collection name is too long
+    const ECOLLECTION_NAME_TOO_LONG: u64 = 25;
+    /// The NFT name is too long
+    const ENFT_NAME_TOO_LONG: u64 = 26;
+    /// The URI is too long
+    const EURI_TOO_LONG: u64 = 27;
 
     //
     // Core data structures for holding tokens
@@ -584,6 +599,8 @@ module aptos_token::token {
         maximum: u64,
         mutate_setting: vector<bool>
     ) acquires Collections {
+        assert!(string::length(&name) <= MAX_COLLECTION_NAME_LENGTH, error::invalid_argument(ECOLLECTION_NAME_TOO_LONG));
+        assert!(string::length(&uri) <= MAX_URI_LENGTH, error::invalid_argument(EURI_TOO_LONG));
         let account_addr = signer::address_of(creator);
         if (!exists<Collections>(account_addr)) {
             move_to(
@@ -654,6 +671,9 @@ module aptos_token::token {
         property_values: vector<vector<u8>>,
         property_types: vector<String>
     ): TokenDataId acquires Collections {
+        assert!(string::length(&name) <= MAX_NFT_NAME_LENGTH, error::invalid_argument(ENFT_NAME_TOO_LONG));
+        assert!(string::length(&collection) <= MAX_COLLECTION_NAME_LENGTH, error::invalid_argument(ECOLLECTION_NAME_TOO_LONG));
+        assert!(string::length(&uri) <= MAX_URI_LENGTH, error::invalid_argument(EURI_TOO_LONG));
         let account_addr = signer::address_of(account);
         assert!(
             exists<Collections>(account_addr),
@@ -952,6 +972,8 @@ module aptos_token::token {
         collection: String,
         name: String,
     ): TokenDataId {
+        assert!(string::length(&collection) <= MAX_COLLECTION_NAME_LENGTH, error::invalid_argument(ECOLLECTION_NAME_TOO_LONG));
+        assert!(string::length(&name) <= MAX_NFT_NAME_LENGTH, error::invalid_argument(ENFT_NAME_TOO_LONG));
         TokenDataId { creator, collection, name }
     }
 
@@ -1041,9 +1063,6 @@ module aptos_token::token {
 
     // ****************** TEST-ONLY FUNCTIONS **************
 
-    #[test_only]
-    use std::string;
-
     #[test(creator = @0x1, owner = @0x2)]
     public fun create_withdraw_deposit_token(
         creator: signer,