diff --git a/crates/sui-graphql-rpc/src/extensions/query_limits_checker.rs b/crates/sui-graphql-rpc/src/extensions/query_limits_checker.rs index 243baa6af4569..458a513a8046f 100644 --- a/crates/sui-graphql-rpc/src/extensions/query_limits_checker.rs +++ b/crates/sui-graphql-rpc/src/extensions/query_limits_checker.rs @@ -29,6 +29,7 @@ use uuid::Uuid; pub(crate) const CONNECTION_FIELDS: [&str; 2] = ["edges", "nodes"]; const DRY_RUN_TX_BLOCK: &str = "dryRunTransactionBlock"; const EXECUTE_TX_BLOCK: &str = "executeTransactionBlock"; +const VERIFY_ZKLOGIN: &str = "verifyZkloginSignature"; /// The size of the query payload in bytes, as it comes from the request header: `Content-Length`. #[derive(Clone, Copy, Debug)] @@ -231,6 +232,14 @@ impl<'a> LimitsTraversal<'a> { for (_name, value) in &f.node.arguments { self.check_tx_arg(value)?; } + } else if name == VERIFY_ZKLOGIN { + if let Some(value) = f.node.get_argument("bytes") { + self.check_tx_arg(value)?; + } + + if let Some(value) = f.node.get_argument("signature") { + self.check_tx_arg(value)?; + } } } @@ -607,9 +616,9 @@ impl<'a> Reporter<'a> { self.graphql_error( code::BAD_USER_INPUT, format!( - "{message}. Requests are limited to {max_tx_payload} bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be \ + "{message}. Requests are limited to {max_tx_payload} bytes or fewer on transaction \ + payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, or \ + verifyZkloginSignature) and the rest of the request (the query part) must be \ {max_query_payload} bytes or fewer.", max_tx_payload = self.limits.max_tx_payload_size, max_query_payload = self.limits.max_query_payload_size, diff --git a/crates/sui-graphql-rpc/src/server/builder.rs b/crates/sui-graphql-rpc/src/server/builder.rs index 2de8aab2eed7d..d674ddc38f490 100644 --- a/crates/sui-graphql-rpc/src/server/builder.rs +++ b/crates/sui-graphql-rpc/src/server/builder.rs @@ -1217,8 +1217,8 @@ pub mod tests { ) .await, "Query part too large: 354 bytes. Requests are limited to 400 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ bytes or fewer." ); } @@ -1248,8 +1248,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 \ bytes or fewer." ); } @@ -1280,12 +1280,47 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 bytes \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 bytes \ or fewer." ); } + #[tokio::test] + async fn test_payload_zklogin_exceeded() { + let cluster = prep_executor_cluster().await; + let db_url = cluster.graphql_connection_config.db_url.clone(); + assert_eq!( + execute_for_error( + &db_url, + Limits { + max_tx_payload_size: 10, + max_query_payload_size: 600, + ..Default::default() + }, + r#" + query { + verifyZkloginSignature( + bytes: "AAABBBCCC", + signature: "DDD", + intentScope: TRANSACTION_DATA, + author: "0xeee", + ) { + success + errors + } + } + "# + .into(), + ) + .await, + "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 600 \ + bytes or fewer." + ); + } + #[tokio::test] async fn test_payload_total_exceeded_impl() { let cluster = prep_executor_cluster().await; @@ -1312,8 +1347,9 @@ pub mod tests { ) .await, "Overall request too large: 380 bytes. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or dryRunTransactionBlock) \ - and the rest of the request (the query part) must be 10 bytes or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1347,8 +1383,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1383,9 +1419,9 @@ pub mod tests { ) .await, "Query part too large: 409 bytes. Requests are limited to 500 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 bytes \ - or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1419,8 +1455,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 \ bytes or fewer." ); } @@ -1455,9 +1491,9 @@ pub mod tests { ) .await, "Query part too large: 398 bytes. Requests are limited to 400 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 bytes \ - or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1514,8 +1550,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 30 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 800 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 800 \ bytes or fewer." ); } @@ -1576,8 +1612,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 20 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 800 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 800 \ bytes or fewer." ); } @@ -1634,8 +1670,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 30 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer.", ) } @@ -1672,8 +1708,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1923,8 +1959,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1956,8 +1992,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1992,8 +2028,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -2026,8 +2062,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } diff --git a/crates/sui-mvr-graphql-rpc/src/extensions/query_limits_checker.rs b/crates/sui-mvr-graphql-rpc/src/extensions/query_limits_checker.rs index 243baa6af4569..458a513a8046f 100644 --- a/crates/sui-mvr-graphql-rpc/src/extensions/query_limits_checker.rs +++ b/crates/sui-mvr-graphql-rpc/src/extensions/query_limits_checker.rs @@ -29,6 +29,7 @@ use uuid::Uuid; pub(crate) const CONNECTION_FIELDS: [&str; 2] = ["edges", "nodes"]; const DRY_RUN_TX_BLOCK: &str = "dryRunTransactionBlock"; const EXECUTE_TX_BLOCK: &str = "executeTransactionBlock"; +const VERIFY_ZKLOGIN: &str = "verifyZkloginSignature"; /// The size of the query payload in bytes, as it comes from the request header: `Content-Length`. #[derive(Clone, Copy, Debug)] @@ -231,6 +232,14 @@ impl<'a> LimitsTraversal<'a> { for (_name, value) in &f.node.arguments { self.check_tx_arg(value)?; } + } else if name == VERIFY_ZKLOGIN { + if let Some(value) = f.node.get_argument("bytes") { + self.check_tx_arg(value)?; + } + + if let Some(value) = f.node.get_argument("signature") { + self.check_tx_arg(value)?; + } } } @@ -607,9 +616,9 @@ impl<'a> Reporter<'a> { self.graphql_error( code::BAD_USER_INPUT, format!( - "{message}. Requests are limited to {max_tx_payload} bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be \ + "{message}. Requests are limited to {max_tx_payload} bytes or fewer on transaction \ + payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, or \ + verifyZkloginSignature) and the rest of the request (the query part) must be \ {max_query_payload} bytes or fewer.", max_tx_payload = self.limits.max_tx_payload_size, max_query_payload = self.limits.max_query_payload_size, diff --git a/crates/sui-mvr-graphql-rpc/src/server/builder.rs b/crates/sui-mvr-graphql-rpc/src/server/builder.rs index aab4a0ddb4c0c..592a4a364520a 100644 --- a/crates/sui-mvr-graphql-rpc/src/server/builder.rs +++ b/crates/sui-mvr-graphql-rpc/src/server/builder.rs @@ -1215,8 +1215,8 @@ pub mod tests { ) .await, "Query part too large: 354 bytes. Requests are limited to 400 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ bytes or fewer." ); } @@ -1246,8 +1246,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 \ bytes or fewer." ); } @@ -1278,12 +1278,47 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 bytes \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 bytes \ or fewer." ); } + #[tokio::test] + async fn test_payload_zklogin_exceeded() { + let cluster = prep_executor_cluster().await; + let db_url = cluster.graphql_connection_config.db_url.clone(); + assert_eq!( + execute_for_error( + &db_url, + Limits { + max_tx_payload_size: 10, + max_query_payload_size: 600, + ..Default::default() + }, + r#" + query { + verifyZkloginSignature( + bytes: "AAABBBCCC", + signature: "DDD", + intentScope: TRANSACTION_DATA, + author: "0xeee", + ) { + success + errors + } + } + "# + .into(), + ) + .await, + "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 600 \ + bytes or fewer." + ); + } + #[tokio::test] async fn test_payload_total_exceeded_impl() { let cluster = prep_executor_cluster().await; @@ -1310,8 +1345,9 @@ pub mod tests { ) .await, "Overall request too large: 380 bytes. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or dryRunTransactionBlock) \ - and the rest of the request (the query part) must be 10 bytes or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1345,8 +1381,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1381,9 +1417,9 @@ pub mod tests { ) .await, "Query part too large: 409 bytes. Requests are limited to 500 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 bytes \ - or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1417,8 +1453,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 400 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 400 \ bytes or fewer." ); } @@ -1453,9 +1489,9 @@ pub mod tests { ) .await, "Query part too large: 398 bytes. Requests are limited to 400 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 10 bytes \ - or fewer." + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 10 \ + bytes or fewer." ); } @@ -1512,8 +1548,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 30 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 800 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 800 \ bytes or fewer." ); } @@ -1574,8 +1610,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 20 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 800 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 800 \ bytes or fewer." ); } @@ -1632,8 +1668,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 30 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer.", ) } @@ -1670,8 +1706,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1921,8 +1957,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1954,8 +1990,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -1990,8 +2026,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); } @@ -2024,8 +2060,8 @@ pub mod tests { ) .await, "Transaction payload too large. Requests are limited to 10 bytes or fewer on \ - transaction payloads (all inputs to executeTransactionBlock or \ - dryRunTransactionBlock) and the rest of the request (the query part) must be 500 \ + transaction payloads (all inputs to executeTransactionBlock, dryRunTransactionBlock, \ + or verifyZkloginSignature) and the rest of the request (the query part) must be 500 \ bytes or fewer." ); }