# 34489 - \[BC - Insight] ActivetsValidateRecordTypes do not check all th... Submitted on Aug 14th 2024 at 00:37:23 UTC by @gladiator111 for [Boost | Shardeum: Core](https://immunefi.com/bounty/shardeum-core-boost/) Report ID: #34489 Report type: Blockchain/DLT Report severity: Insight Target: Impacts: * Shutdown of greater than 10% or equal to but less than 30% of network processing nodes without brute force actions, but does not shut down the network ## Description ## Brief/Intro `Note - This is an insight report, since there is no option to submit an insight, I am submitting it under low impact, kindly downgrade to insight from low.` `Active.ts::ValidateRecordTypes` miss out on checking some of the types ## Vulnerability Details In the function `Active.ts::ValidateRecordTypes` ```typescript export function validateRecordTypes(rec: P2P.ActiveTypes.Record): string { let err = validateTypes(rec, { active: 'n', activated: 'a', activatedPublicKeys: 'a', }) if (err) return err for (const item of rec.activated) { if (typeof item !== 'string') return 'items of activated array must be strings' } for (const item of rec.activatedPublicKeys) { if (typeof item !== 'string') return 'items of activatedPublicKeys array must be strings' } return '' } ``` The above function checks only for `active`, `activated` and `activatedPublicKeys` and their subelements (in case of arrays). The `rec: P2P.ActiveTypes.Record` type consists of 5 elements. These types are as follows ```typescript export interface Record { active: number; standby: number; activated: string[]; activatedPublicKeys: string[]; maxSyncTime: number; } ``` `standby` and `maxSyncTime` types are never checked. This can cause problems of type mismatch. The recommendation for correcting it is as follows. ## Recommendation Modify the function as follows ```typescript export function validateRecordTypes(rec: P2P.ActiveTypes.Record): string { let err = validateTypes(rec, { active: 'n', @> standby: 'n', activated: 'a', activatedPublicKeys: 'a', @> maxSyncTime:'n' }) if (err) return err for (const item of rec.activated) { if (typeof item !== 'string') return 'items of activated array must be strings' } for (const item of rec.activatedPublicKeys) { if (typeof item !== 'string') return 'items of activatedPublicKeys array must be strings' } return '' } ``` ## Impact Details It comes under `security best practices` of insight report ## References ## Proof of Concept The issue is fairly simple and is `insight`, so I am providing only the necessary info for proof of concept. ```typescript export function validateRecordTypes(rec: P2P.ActiveTypes.Record): string { @>let err = validateTypes(rec, { // no checking for standby and maxSyncTime active: 'n', activated: 'a', activatedPublicKeys: 'a', }) if (err) return err for (const item of rec.activated) { if (typeof item !== 'string') return 'items of activated array must be strings' } for (const item of rec.activatedPublicKeys) { if (typeof item !== 'string') return 'items of activatedPublicKeys array must be strings' } return '' } ``` The above function is used by various other functions such as `CycleCreator.ts::validateCertsRecordTypes`, so it is fairly crucial ```typescript function validateCertsRecordTypes(inp, caller) { let err = utils.validateTypes(inp, { certs: 'a', record: 'o' }) if (err) { warn(caller + ' bad input: ' + err + ' ' + Utils.safeStringify(inp)) return false } for (const cert of inp.certs) { err = utils.validateTypes(cert, { marker: 's', score: 'n', sign: 'o' }) if (err) { warn(caller + ' bad input.certs: ' + err) return false } err = utils.validateTypes(cert.sign, { owner: 's', sig: 's' }) if (err) { warn(caller + ' bad input.sign: ' + err) return false } } err = utils.validateTypes(inp.record, { activated: 'a', activatedPublicKeys: 'a', active: 'n', apoptosized: 'a', counter: 'n', desired: 'n', duration: 'n', expired: 'n', joined: 'a', joinedArchivers: 'a', joinedConsensors: 'a', lost: 'a', previous: 's', refreshedArchivers: 'a', refreshedConsensors: 'a', refuted: 'a', removed: 'a', start: 'n', syncing: 'n', }) if (err) { warn(caller + ' bad input.record: ' + err) return false } // submodules need to validate their part of the record for (const submodule of submodules) { @> err = submodule.validateRecordTypes(inp.record) // used here if (err) { warn(caller + ' bad input.record.* ' + err) return false } } return true } ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://reports.immunefi.com/shardeum-core/34489-bc-insight-activetsvalidaterecordtypes-do-not-check-all-th....md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.