feat(pdp): enforce extraData size limits (#807)

Author: siddharthbaleja7

pdp/handlers.go

@@ -36,6 +36,17 @@ import (
 // PDPRoutePath is the base path for PDP routes
 const PDPRoutePath = "/pdp"
 
+const (
+	// MaxCreateDataSetExtraDataSize defines the limit for extraData size in CreateDataSet calls (4KB).
+	MaxCreateDataSetExtraDataSize = 4096
+
+	// MaxAddPiecesExtraDataSize defines the limit for extraData size in AddPieces calls (8KB).
+	MaxAddPiecesExtraDataSize = 8192
+
+	// MaxDeletePieceExtraDataSize defines the limit for extraData size in DeletePiece calls (256B).
+	MaxDeletePieceExtraDataSize = 256
+)
+
 // PDPService represents the service for managing data sets and pieces
 type PDPService struct {
 	Auth
@@ -865,6 +876,11 @@ func (p *PDPService) handleDeleteDataSetPiece(w http.ResponseWriter, r *http.Req
 			http.Error(w, "Invalid extraData format (must be hex encoded)", http.StatusBadRequest)
 			return
 		}
+		if len(extraDataBytes) > MaxDeletePieceExtraDataSize {
+			errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for DeletePiece (%d bytes)", len(extraDataBytes), MaxDeletePieceExtraDataSize)
+			http.Error(w, errMsg, http.StatusBadRequest)
+			return
+		}
 	}
 
 	// Check if we have this piece or not

pdp/handlers_add.go

@@ -329,6 +329,11 @@ func (p *PDPService) handleAddPieceToDataSet(w http.ResponseWriter, r *http.Requ
 		http.Error(w, "Invalid extraData format (must be hex encoded): "+err.Error(), http.StatusBadRequest)
 		return
 	}
+	if len(extraDataBytes) > MaxAddPiecesExtraDataSize {
+		errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for AddPieces (%d bytes)", len(extraDataBytes), MaxAddPiecesExtraDataSize)
+		http.Error(w, errMsg, http.StatusBadRequest)
+		return
+	}
 
 	// Step 4: Prepare piece information
 	pieceDataArray, subPieceInfoMap, subPieceCidList, err := p.transformAddPiecesRequest(ctx, serviceLabel, payload.Pieces)

pdp/handlers_create.go

@@ -3,6 +3,7 @@ package pdp
 import (
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"io"
 	"math/big"
 	"net/http"
@@ -64,6 +65,11 @@ func (p *PDPService) handleCreateDataSetAndAddPieces(w http.ResponseWriter, r *h
 		http.Error(w, "Invalid extraData format (must be hex encoded)", http.StatusBadRequest)
 		return
 	}
+	if len(extraDataBytes) > MaxAddPiecesExtraDataSize {
+		errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for CreateDataSetAndAddPieces (%d bytes)", len(extraDataBytes), MaxAddPiecesExtraDataSize)
+		http.Error(w, errMsg, http.StatusBadRequest)
+		return
+	}
 
 	// Check if indexing is needed by decoding the extraData
 	mustIndex, err := CheckIfIndexingNeededFromExtraData(extraDataBytes)
@@ -224,6 +230,11 @@ func (p *PDPService) handleCreateDataSet(w http.ResponseWriter, r *http.Request)
 		http.Error(w, "Invalid extraData format (must be hex encoded): "+err.Error(), http.StatusBadRequest)
 		return
 	}
+	if len(extraDataBytes) > MaxCreateDataSetExtraDataSize {
+		errMsg := fmt.Sprintf("extraData size (%d bytes) exceeds the maximum allowed limit for CreateDataSet (%d bytes)", len(extraDataBytes), MaxCreateDataSetExtraDataSize)
+		http.Error(w, errMsg, http.StatusBadRequest)
+		return
+	}
 
 	// Step 3: Get the sender address from 'eth_keys' table where role = 'pdp' limit 1
 	fromAddress, err := p.getSenderAddress(ctx)