@DashCoreAutoGuix
Owner

Bitcoin Backport

Backports Bitcoin Core PR bitcoin#27468

Bitcoin Commit: e054b73

Summary

This backport fixes a segfault vulnerability in the REST interface when handling invalid URI query parameters. The fix adds proper exception handling for query parameter parsing.

Changes

  1. src/httpserver.cpp: Added try-catch blocks around GetQueryParameter() calls
  2. src/rest.cpp:
    • Added query parameter validation for rest_headers and rest_filter_header endpoints
    • Added comprehensive query parameter handling for rest_mempool_contents including:
      • verbose parameter validation (true/false)
      • mempool_sequence parameter validation (true/false)
      • Mutual exclusivity check for verbose and mempool_sequence
  3. src/test/httpserver_tests.cpp: Added unit tests for invalid URI parsing
  4. test/functional/interface_rest.py: Added functional test for invalid URI with % character

Dash-Specific Adaptations

The Bitcoin change modified a unified rest_mempool function, but Dash has this split into two functions:

  • rest_mempool_info: Returns basic mempool info (no query parameters needed)
  • rest_mempool_contents: Returns detailed mempool contents (now includes query parameter validation)

The error handling from Bitcoin was appropriately applied to rest_mempool_contents where the verbose and mempool_sequence parameters are relevant.

Testing

  • Unit tests added for HTTP server query parameter parsing
  • Functional test added to verify proper error handling for malformed URIs
  • All existing mempool REST endpoints remain functional

Batch: 412
Version: 0.25

11422cc bugfix: rest: avoid segfault for invalid URI (pablomartin4btc)

Pull request description:

  Minimal fix to get it promptly into 25.0 release (suggested by [stickies-v](bitcoin#27253 (review)) and supported by [vasild](bitcoin#27253 (review)))

  Please check bitcoin#27253 for reviewers comments and acks regarding this PR and read the commit comment message body for more details about the fix.

ACKs for top commit:
  achow101:
    ACK 11422cc
  stickies-v:
    re-ACK 11422cc

Tree-SHA512: 5af6b53fb266a12b463f960910556d5e97bc88b3c2a4f437ffa343886b38749e1eb058cf7bc64d62e82e1acf6232a186bddacd8f3b4500c87bf9e550a0153386
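An added example, not Dash Core's or Bitcoin Core's code, modelling the path this backport hardens: an assumed percent-decoder that throws on a malformed escape (the `%` case the functional test covers), the query lookup that lets that exception propagate, and the rest_mempool_contents handler before and after wrapping the lookups in try/catch together with the verbose / mempool_sequence checks listed above. The function names, defaults and error strings are assumptions for illustration.

```cpp
#include <cctype>
#include <optional>
#include <stdexcept>
#include <string>
struct Response { int status; std::string body; };

// Percent-decode one query value; a bare "%" or "%zz" throws, standing in for
// a URI parser that rejects the whole request URI (assumed model, not libevent).
std::string PercentDecode(const std::string& s) {
    std::string out;
    for (size_t i = 0; i < s.size(); ++i) {
        if (s[i] != '%') { out += s[i]; continue; }
        if (i + 2 >= s.size() || !std::isxdigit(static_cast<unsigned char>(s[i + 1])) ||
            !std::isxdigit(static_cast<unsigned char>(s[i + 2])))
            throw std::runtime_error("Invalid URI: malformed percent-encoding");
        out += static_cast<char>(std::stoi(s.substr(i + 1, 2), nullptr, 16));
        i += 2;
    }
    return out;
}
// Look up one key in the query string; PercentDecode's exception propagates.
std::optional<std::string> GetQueryParameter(const std::string& uri, const std::string& key) {
    size_t q = uri.find('?');
    if (q == std::string::npos) return std::nullopt;
    for (size_t pos = q + 1; pos <= uri.size();) {
        size_t amp = uri.find('&', pos);
        if (amp == std::string::npos) amp = uri.size();
        std::string pair = uri.substr(pos, amp - pos);
        size_t eq = pair.find('=');
        if (pair.substr(0, eq) == key) return PercentDecode(eq == std::string::npos ? "" : pair.substr(eq + 1));
        pos = amp + 1;
    }
    return std::nullopt;
}
// Pre-fix shape: the parser's exception escapes the handler unhandled.
Response RestMempoolContentsUnguarded(const std::string& uri) {
    return {200, GetQueryParameter(uri, "verbose").value_or("true")};
}
// Backported shape: parse failures and bad values become HTTP 400 responses.
Response RestMempoolContents(const std::string& uri) {
    std::string verbose = "true", seq = "false";  // assumed defaults
    try {
        verbose = GetQueryParameter(uri, "verbose").value_or(verbose);
        seq = GetQueryParameter(uri, "mempool_sequence").value_or(seq);
    } catch (const std::runtime_error& e) { return {400, e.what()}; }
    auto is_bool = [](const std::string& v) { return v == "true" || v == "false"; };
    if (!is_bool(verbose) || !is_bool(seq)) return {400, "Query parameters must be true or false."};
    if (verbose == "true" && seq == "true") return {400, "verbose and mempool_sequence are mutually exclusive."};
    return {200, "verbose=" + verbose + " mempool_sequence=" + seq};
}
```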
@coderabbitai
coderabbitai bot commented Sep 30, 2025

Warning

Rate limit exceeded

@DashCoreAutoGuix has exceeded the limit for the number of commits or files that can be reviewed per hour. Please wait 4 minutes and 16 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

📥 Commits

Reviewing files that changed from the base of the PR and between 54e2588 and ccb88d6.

📒 Files selected for processing (4)
  • src/httpserver.cpp (1 hunks)
  • src/rest.cpp (3 hunks)
  • src/test/httpserver_tests.cpp (1 hunks)
  • test/functional/interface_rest.py (1 hunks)