From 3e2a01b63c4d1c07ab28f6b1e43abde74a19abc1 Mon Sep 17 00:00:00 2001 From: Shashank Date: Thu, 16 Apr 2026 13:46:35 +0530 Subject: [PATCH 1/7] deny unknown fields --- Cargo.lock | 11 +++ Cargo.toml | 1 + docs/docs/users/reference/env_variables.md | 2 +- src/rpc/json_validator.rs | 85 +++++++++++++++++++++- src/rpc/reflect/parser.rs | 6 +- 5 files changed, 98 insertions(+), 7 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index b20de0adc32a..b1872f0b84d7 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -3433,6 +3433,7 @@ dependencies = [ "scopeguard", "semver", "serde", + "serde_ignored", "serde_ipld_dagcbor", "serde_json", "serde_with", @@ -8652,6 +8653,16 @@ dependencies = [ "syn 2.0.117", ] +[[package]] +name = "serde_ignored" +version = "0.1.14" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "115dffd5f3853e06e746965a20dcbae6ee747ae30b543d91b0e089668bb07798" +dependencies = [ + "serde", + "serde_core", +] + [[package]] name = "serde_ipld_dagcbor" version = "0.6.4" diff --git a/Cargo.toml b/Cargo.toml index 4214a98acd3b..60c802894a4a 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -198,6 +198,7 @@ schemars = { version = "1", features = ["chrono04", "uuid1"] } scopeguard = "1" semver = "1" serde = { workspace = true } +serde_ignored = "0.1" serde_ipld_dagcbor = "0.6" serde_json = { version = "1", features = ["raw_value"] } serde_with = { version = "3", features = ["chrono_0_4"] } diff --git a/docs/docs/users/reference/env_variables.md b/docs/docs/users/reference/env_variables.md index e30f46ffb4eb..926f33d4c38a 100644 --- a/docs/docs/users/reference/env_variables.md +++ b/docs/docs/users/reference/env_variables.md 
@@ -57,7 +57,7 @@ process. | `FOREST_JWT_DISABLE_EXP_VALIDATION` | 1 or true | empty | 1 | Whether or not to disable JWT expiration validation | | `FOREST_ETH_BLOCK_CACHE_SIZE` | positive integer | 500 | 1 | The size of Eth block cache | | `FOREST_RPC_BACKFILL_FULL_TIPSET_FROM_NETWORK` | 1 or true | false | 1 | Whether or not to backfill full tipsets from the p2p network | -| `FOREST_STRICT_JSON` | 1 or true | false | 1 | Enable strict JSON validation to detect duplicate keys in RPC requests | +| `FOREST_STRICT_JSON` | 1 or true | false | 1 | Enable strict JSON validation to detect duplicate keys and reject unknown fields in RPC requests | | `FOREST_AUTO_DOWNLOAD_SNAPSHOT_PATH` | URL or file path | empty | `/var/tmp/forest_snapshot_calibnet.forest.car.zst` | Override snapshot path for `--auto-download-snapshot` | | `FOREST_DOWNLOAD_CONNECTIONS` | positive integer | 5 | 10 | Number of parallel HTTP connections for downloading snapshots | | `FOREST_ETH_V1_DISABLE_F3_FINALITY_RESOLUTION` | 1 or true | empty | 1 | Whether or not to disable F3 finality resolution in Eth `v1` RPC methods | diff --git a/src/rpc/json_validator.rs b/src/rpc/json_validator.rs index 6d63356c921e..14383290db66 100644 --- a/src/rpc/json_validator.rs +++ b/src/rpc/json_validator.rs 
@@ -1,12 +1,18 @@ // Copyright 2019-2026 ChainSafe Systems // SPDX-License-Identifier: Apache-2.0, MIT -//! JSON validation utilities for detecting duplicate keys before serde_json processing. +//! JSON validation utilities for RPC request processing. //! -//! serde_json automatically deduplicates keys at parse time using a "last-write-wins" strategy -//! This means JSON like `{"/":"cid1", "/":"cid2"}` will keep only the last value, which can lead to unexpected behavior in RPC calls. +//! - **Duplicate key detection**: `serde_json` automatically deduplicates keys at parse time +//! using a "last-write-wins" strategy. This means JSON like `{"/":"cid1", "/":"cid2"}` will +//! keep only the last value, which can lead to unexpected behavior in RPC calls. +//! - **Unknown field detection**: `serde_json` silently ignores unknown fields by default. +//! In strict mode, [`from_value_rejecting_unknown_fields`] rejects them in RPC calls. +//! +//! Both checks are gated behind the `FOREST_STRICT_JSON` environment variable. use ahash::HashSet; +use serde::de::DeserializeOwned; pub const STRICT_JSON_ENV: &str = "FOREST_STRICT_JSON"; 
@@ -50,9 +56,32 @@ pub fn validate_json_for_duplicates(json_str: &str) -> Result<(), String> { check_value(&value) } +/// De-serializes a [`serde_json::Value`] into `T`, rejecting unknown fields when strict mode is +/// enabled. When strict mode is off, this is equivalent to [`serde_json::from_value`]. +pub fn from_value_rejecting_unknown_fields( + value: serde_json::Value, +) -> Result { + if !is_strict_mode() { + return serde_json::from_value(value); + } + let mut unknown = Vec::new(); + let result: T = serde_ignored::deserialize(value, |path| { + unknown.push(path.to_string()); + })?; + if !unknown.is_empty() { + return Err(serde::de::Error::custom(format!( + "unknown field(s): {}. Set {STRICT_JSON_ENV}=0 to disable this check", + unknown.join(", ") + ))); + } + Ok(result) +} + #[cfg(test)] mod tests { use super::*; + use serde::Deserialize; + use serde_json::json; use serial_test::serial; fn with_strict_mode(enabled: bool, f: F) 
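Review bot: The error built in `from_value_rejecting_unknown_fields` joins every ignored path into the message with no upper bound and appends the operator hint `Set {STRICT_JSON_ENV}=0 to disable this check`. At the parser.rs call sites later in this patch that error goes through `self.error(deserialize_error(e))`, so it presumably ends up in the response sent to the remote RPC caller. The key names are chosen by the caller, so the error (and any log line that records it) grows with the number of unknown keys, and the hint describes a server-side switch a remote client cannot use. I would cap the reported paths, for example `unknown.iter().take(MAX_REPORTED_UNKNOWN_FIELDS)` followed by a count of the remainder (the constant name is illustrative, not an existing one), and keep the environment-variable hint for logs or the client-side path only.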
@@ -131,4 +160,54 @@ mod tests { assert!(result.unwrap_err().contains("duplicate key '/'")); }); } + + #[derive(Debug, Deserialize, PartialEq)] + struct RpcTestReq { + name: String, + value: i32, + } + + #[test] + #[serial] + fn test_unknown_fields_known_only() { + with_strict_mode(true, || { + let val = json!({"name": "alice", "value": 42}); + let result = from_value_rejecting_unknown_fields::(val); + assert_eq!( + result.unwrap(), + RpcTestReq { + name: "alice".into(), + value: 42 + } + ); + }); + } + + #[test] + #[serial] + fn test_unknown_fields_detected() { + with_strict_mode(true, || { + let val = json!({"name": "alice", "value": 42, "extra": true}); + let err = from_value_rejecting_unknown_fields::(val) + .expect_err("expected Err when unknown JSON field is present under strict mode"); + let msg = err.to_string(); + assert!( + msg.contains("unknown field(s)") && msg.contains("extra"), + "got: {msg}" + ); + }); + } + + #[test] + #[serial] + fn test_unknown_fields_strict_mode_off() { + with_strict_mode(false, || { + let val = json!({"name": "alice", "value": 42, "extra": true}); + let result = from_value_rejecting_unknown_fields::(val); + assert!( + result.is_ok(), + "unknown fields should be allowed when strict mode is off" + ); + }); + } } diff --git a/src/rpc/reflect/parser.rs b/src/rpc/reflect/parser.rs index cd745e93e98d..4c9f2bf22a23 100644 --- a/src/rpc/reflect/parser.rs +++ b/src/rpc/reflect/parser.rs @@ -7,7 +7,7 @@ use serde::Deserialize; use serde_json::{Value, json}; use super::{jsonrpc_types::RequestParameters, util::Optional as _}; -use crate::rpc::error::ServerError; +use crate::rpc::{error::ServerError, json_validator}; /// Parser for JSON-RPC parameters. /// Abstracts calling convention, checks for unexpected params etc, so that 
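Review bot: The three new tests only exercise a flat struct with one extra top-level key, so nothing pins how nested paths are reported or which type shapes the strict check really covers. As far as I know `serde_ignored` does not report keys that are dropped inside `#[serde(flatten)]` fields or inside buffered untagged / internally tagged enums, so strict mode may silently accept unknown fields for RPC types of that shape; this should be confirmed with a test. If it holds, the doc comment of `from_value_rejecting_unknown_fields` should say so, e.g. `/// Detection is best-effort: keys ignored inside flattened fields or untagged enums may not be reported.` A nested case such as `json!({"inner": {"name": "a", "extra": 1}})`, asserting that the reported path names the nested key, would also be worth adding. The `mod tests` block begins before this hunk.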
@@ -142,7 +142,7 @@ impl<'a> Parser<'a> { false => self.error(missing_parameter)?, }, Some(ParserInner::ByName(it)) => match it.remove(name) { - Some(it) => match serde_json::from_value::(it) { + Some(it) => match json_validator::from_value_rejecting_unknown_fields::(it) { Ok(it) => it, Err(e) => self.error(deserialize_error(e))?, }, @@ -152,7 +152,7 @@ impl<'a> Parser<'a> { }, }, Some(ParserInner::ByPosition(it)) => match it.pop_front() { - Some(it) => match serde_json::from_value::(it) { + Some(it) => match json_validator::from_value_rejecting_unknown_fields::(it) { Ok(it) => it, Err(e) => self.error(deserialize_error(e))?, }, From 284a827a7d11f755c5fc07a5033213ae0ed7fdaa Mon Sep 17 00:00:00 2001 From: Shashank Date: Thu, 16 Apr 2026 14:17:43 +0530 Subject: [PATCH 2/7] deny unknown fields resp --- docs/docs/users/reference/env_variables.md | 2 +- src/rpc/json_validator.rs | 7 ++++--- src/rpc/reflect/mod.rs | 9 ++++++++- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/docs/docs/users/reference/env_variables.md b/docs/docs/users/reference/env_variables.md index 926f33d4c38a..a1121d49f15c 100644 --- a/docs/docs/users/reference/env_variables.md +++ b/docs/docs/users/reference/env_variables.md 
@@ -57,7 +57,7 @@ process. | `FOREST_JWT_DISABLE_EXP_VALIDATION` | 1 or true | empty | 1 | Whether or not to disable JWT expiration validation | | `FOREST_ETH_BLOCK_CACHE_SIZE` | positive integer | 500 | 1 | The size of Eth block cache | | `FOREST_RPC_BACKFILL_FULL_TIPSET_FROM_NETWORK` | 1 or true | false | 1 | Whether or not to backfill full tipsets from the p2p network | -| `FOREST_STRICT_JSON` | 1 or true | false | 1 | Enable strict JSON validation to detect duplicate keys and reject unknown fields in RPC requests | +| `FOREST_STRICT_JSON` | 1 or true | false | 1 | Enable strict JSON validation to detect duplicate keys and reject unknown fields in RPC requests and responses | | `FOREST_AUTO_DOWNLOAD_SNAPSHOT_PATH` | URL or file path | empty | `/var/tmp/forest_snapshot_calibnet.forest.car.zst` | Override snapshot path for `--auto-download-snapshot` | | `FOREST_DOWNLOAD_CONNECTIONS` | positive integer | 5 | 10 | Number of parallel HTTP connections for downloading snapshots | | `FOREST_ETH_V1_DISABLE_F3_FINALITY_RESOLUTION` | 1 or true | empty | 1 | Whether or not to disable F3 finality resolution in Eth `v1` RPC methods | diff --git a/src/rpc/json_validator.rs b/src/rpc/json_validator.rs index 14383290db66..c2d182f8fb2a 100644 --- a/src/rpc/json_validator.rs +++ b/src/rpc/json_validator.rs 
@@ -1,15 +1,16 @@ // Copyright 2019-2026 ChainSafe Systems // SPDX-License-Identifier: Apache-2.0, MIT -//! JSON validation utilities for RPC request processing. +//! JSON validation utilities for RPC requests and responses processing. //! //! - **Duplicate key detection**: `serde_json` automatically deduplicates keys at parse time //! using a "last-write-wins" strategy. This means JSON like `{"/":"cid1", "/":"cid2"}` will //! keep only the last value, which can lead to unexpected behavior in RPC calls. //! - **Unknown field detection**: `serde_json` silently ignores unknown fields by default. -//! In strict mode, [`from_value_rejecting_unknown_fields`] rejects them in RPC calls. +//! In strict mode, [`from_value_rejecting_unknown_fields`] applies to rpc request and +//! responses. //! -//! Both checks are gated behind the `FOREST_STRICT_JSON` environment variable. +//! All of this is gated behind the `FOREST_STRICT_JSON` environment variable. use ahash::HashSet; use serde::de::DeserializeOwned; diff --git a/src/rpc/reflect/mod.rs b/src/rpc/reflect/mod.rs index 2aab1b6bdf5a..f4e75b1e971c 100644 --- a/src/rpc/reflect/mod.rs +++ b/src/rpc/reflect/mod.rs @@ -275,7 +275,14 @@ pub trait RpcMethodExt: RpcMethod { let params = Self::parse_params(params.as_str(), calling_convention) .map_err(|e| Error::invalid_params(e, None))?; let ok = Self::handle(ctx, params, &extensions).await?; - Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(ok.into_lotus_json()) + let result = ok.into_lotus_json(); + if crate::rpc::json_validator::is_strict_mode() { + let v = serde_json::to_value(&result).map_err(Error::from)?; + let _: ::LotusJson = + crate::rpc::json_validator::from_value_rejecting_unknown_fields(v) + .map_err(Error::from)?; + } + Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(result) }, )?; if let Some(alias) = Self::NAME_ALIAS { From b48816d8a6da5142062d3c630a494ed5af1c4f69 Mon Sep 17 00:00:00 2001 
From: Shashank Date: Thu, 16 Apr 2026 14:43:03 +0530 Subject: [PATCH 3/7] Update changelog --- CHANGELOG.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 145ac01a96a2..3cdda462f2a1 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -29,6 +29,8 @@ ### Added +- [#6926](https://github.com/ChainSafe/forest/pull/6926): Added strict JSON validation to deny unknown fields in RPC request parameters and response results when `FOREST_STRICT_JSON` is enabled. + ### Changed ### Removed From 1397e48127fe085ea114afbae579f1865041b58f Mon Sep 17 00:00:00 2001 From: Shashank Date: Thu, 16 Apr 2026 15:03:52 +0530 Subject: [PATCH 4/7] fix spellcheck --- src/rpc/json_validator.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/rpc/json_validator.rs b/src/rpc/json_validator.rs index c2d182f8fb2a..7f23f70bcc90 100644 --- a/src/rpc/json_validator.rs +++ b/src/rpc/json_validator.rs @@ -7,7 +7,7 @@ //! using a "last-write-wins" strategy. This means JSON like `{"/":"cid1", "/":"cid2"}` will //! keep only the last value, which can lead to unexpected behavior in RPC calls. //! - **Unknown field detection**: `serde_json` silently ignores unknown fields by default. -//! In strict mode, [`from_value_rejecting_unknown_fields`] applies to rpc request and +//! In strict mode, [`from_value_rejecting_unknown_fields`] applies to RPC request and //! responses. //! //! All of this is gated behind the `FOREST_STRICT_JSON` environment variable. From c90dc856c78827b410d15993c9d8d4d149ce3bac Mon Sep 17 00:00:00 2001 From: Shashank Date: Mon, 20 Apr 2026 13:17:46 +0530 Subject: [PATCH 5/7] fix in api compare --- scripts/tests/api_compare/docker-compose.yml | 3 ++ src/rpc/reflect/mod.rs | 8 +---- .../subcommands/api_cmd/api_compare_tests.rs | 32 ++++++++++++------- 3 files changed, 24 insertions(+), 19 deletions(-) 
diff --git a/scripts/tests/api_compare/docker-compose.yml b/scripts/tests/api_compare/docker-compose.yml index 0d4dc88029c1..38a8df93106c 100644 --- a/scripts/tests/api_compare/docker-compose.yml +++ b/scripts/tests/api_compare/docker-compose.yml @@ -266,6 +266,7 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} + - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: @@ -310,6 +311,7 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} + - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: @@ -379,6 +381,7 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} + - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: diff --git a/src/rpc/reflect/mod.rs b/src/rpc/reflect/mod.rs index f4e75b1e971c..5b7e04d50c9e 100644 --- a/src/rpc/reflect/mod.rs +++ b/src/rpc/reflect/mod.rs @@ -276,12 +276,6 @@ pub trait RpcMethodExt: RpcMethod { .map_err(|e| Error::invalid_params(e, None))?; let ok = Self::handle(ctx, params, &extensions).await?; let result = ok.into_lotus_json(); - if crate::rpc::json_validator::is_strict_mode() { - let v = serde_json::to_value(&result).map_err(Error::from)?; - let _: ::LotusJson = - crate::rpc::json_validator::from_value_rejecting_unknown_fields(v) - .map_err(Error::from)?; - } Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(result) }, )?; @@ -357,7 +351,7 @@ pub trait RpcMethodExt: RpcMethod { // Client::call has an inappropriate HasLotusJson // bound, work around it for now. let json = client.call(Self::request(params)?.map_ty()).await?; - Ok(serde_json::from_value(json)?) + Ok(crate::rpc::json_validator::from_value_rejecting_unknown_fields(json)?) } } fn call( 
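Review bot: With the server-side round-trip removed in the `@@ -276,12 +276,6 @@` hunk, the only response check left is the client `call` path in `@@ -357,7 +351,7 @@`, and that one depends on `FOREST_STRICT_JSON` in the calling process's environment, not the node's. The env_variables.md row ("RPC requests and responses"), the CHANGELOG entry ("response results") and the module doc in json_validator.rs, all added earlier in this series, still read as if a node validates its own responses. An operator who enables the flag as hardening should be told that on the node it only covers incoming request parameters. I would reword those three places along the lines of `reject unknown fields in RPC request parameters (server) and in responses parsed by Forest's RPC client`. Both functions touched in mod.rs extend beyond the hunks shown.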
diff --git a/src/tool/subcommands/api_cmd/api_compare_tests.rs b/src/tool/subcommands/api_cmd/api_compare_tests.rs index da915ccecd65..6d5bad680bcc 100644 --- a/src/tool/subcommands/api_cmd/api_compare_tests.rs +++ b/src/tool/subcommands/api_cmd/api_compare_tests.rs @@ -315,11 +315,13 @@ impl RpcTest { fn basic_raw(request: rpc::Request) -> Self { Self { request: request.map_ty(), - check_syntax: Box::new(|it| match serde_json::from_value::(it) { - Ok(_) => true, - Err(e) => { - debug!(?e); - false + check_syntax: Box::new(|it| { + match crate::rpc::json_validator::from_value_rejecting_unknown_fields::(it) { + Ok(_) => true, + Err(e) => { + debug!(?e); + false + } } }), check_semantics: Box::new(|_, _| true), @@ -345,17 +347,23 @@ impl RpcTest { ) -> Self { Self { request: request.map_ty(), - check_syntax: Box::new(|value| match serde_json::from_value::(value) { - Ok(_) => true, - Err(e) => { - debug!("{e}"); - false + check_syntax: Box::new(|value| { + match crate::rpc::json_validator::from_value_rejecting_unknown_fields::(value) { + Ok(_) => true, + Err(e) => { + debug!("{e}"); + false + } } }), check_semantics: Box::new(move |forest_json, lotus_json| { match ( - serde_json::from_value::(forest_json), - serde_json::from_value::(lotus_json), + crate::rpc::json_validator::from_value_rejecting_unknown_fields::( + forest_json, + ), + crate::rpc::json_validator::from_value_rejecting_unknown_fields::( + lotus_json, + ), ) { (Ok(forest), Ok(lotus)) => validate(forest, lotus), (forest, lotus) => { From 928ac735993bc759764e234ebbe4b26e259a69f7 Mon Sep 17 00:00:00 2001 From: Shashank Date: Mon, 20 Apr 2026 13:52:50 +0530 Subject: [PATCH 6/7] fmt --- src/rpc/reflect/mod.rs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/rpc/reflect/mod.rs b/src/rpc/reflect/mod.rs index 5b7e04d50c9e..b847e083111f 100644 --- a/src/rpc/reflect/mod.rs +++ b/src/rpc/reflect/mod.rs 
@@ -275,8 +275,7 @@ pub trait RpcMethodExt: RpcMethod { let params = Self::parse_params(params.as_str(), calling_convention) .map_err(|e| Error::invalid_params(e, None))?; let ok = Self::handle(ctx, params, &extensions).await?; - let result = ok.into_lotus_json(); - Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(result) + Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(ok.into_lotus_json()) }, )?; if let Some(alias) = Self::NAME_ALIAS { From 54bd0b57166a2ba07ad498748fafb1abec3cf111 Mon Sep 17 00:00:00 2001 From: Shashank Date: Mon, 20 Apr 2026 15:25:59 +0530 Subject: [PATCH 7/7] disable CI strict json check --- scripts/tests/api_compare/docker-compose.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/scripts/tests/api_compare/docker-compose.yml b/scripts/tests/api_compare/docker-compose.yml index 38a8df93106c..0d4dc88029c1 100644 --- a/scripts/tests/api_compare/docker-compose.yml +++ b/scripts/tests/api_compare/docker-compose.yml @@ -266,7 +266,6 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} - - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: @@ -311,7 +310,6 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} - - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: @@ -381,7 +379,6 @@ services: - RUST_LOG=info,forest::tool::subcommands=debug - FOREST_RPC_DEFAULT_TIMEOUT=120 - FIL_PROOFS_PARAMETER_CACHE=${FIL_PROOFS_PARAMETER_CACHE} - - FOREST_STRICT_JSON=1 entrypoint: ["/bin/bash", "-c"] user: 0:0 command: