From cb4aba497ee7d8c6a482f4ed3a82eb4ad10f92ae Mon Sep 17 00:00:00 2001
From: Roman Khimov
Date: Tue, 11 Feb 2025 15:52:02 +0300
Subject: [PATCH] rpcsrv: filter out invalid getblocknotifications requests

Unknown fields are not allowed.

Signed-off-by: Roman Khimov
---
 pkg/services/rpcsrv/server.go | 8 +++++++-
 pkg/services/rpcsrv/server_test.go | 6 ++++++
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/pkg/services/rpcsrv/server.go b/pkg/services/rpcsrv/server.go
index cd9455c0b..370f36474 100644
--- a/pkg/services/rpcsrv/server.go
+++ b/pkg/services/rpcsrv/server.go
@@ -3220,8 +3220,14 @@ func (s *Server) getBlockNotifications(reqParams params.Params) (any, *neorpc.Er
 var filter *neorpc.NotificationFilter
 if len(reqParams) > 1 {
+ var (
+ reader = bytes.NewBuffer([]byte(reqParams[1].RawMessage))
+ decoder = json.NewDecoder(reader)
+ )
+ decoder.DisallowUnknownFields()
 filter = new(neorpc.NotificationFilter)
- err := json.Unmarshal(reqParams[1].RawMessage, filter)
+
+ err := decoder.Decode(filter)
 if err != nil {
 return nil, neorpc.WrapErrorWithData(neorpc.ErrInvalidParams, fmt.Sprintf("invalid filter: %s", err))
 }
diff --git a/pkg/services/rpcsrv/server_test.go b/pkg/services/rpcsrv/server_test.go
index 4b0b7ae8c..c9a113542 100644
--- a/pkg/services/rpcsrv/server_test.go
+++ b/pkg/services/rpcsrv/server_test.go
@@ -2318,6 +2318,12 @@ var rpcTestCases = map[string][]rpcTestCase{
 fail: true,
 errCode: neorpc.InvalidParamsCode,
 },
+ {
+ name: "filter with unknown fields",
+ params: `["` + genesisBlockHash + `", {"invalid":"something"}]`,
+ fail: true,
+ errCode: neorpc.InvalidParamsCode,
+ },
 },
 }
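Review bot: `decoder.Decode(filter)` reads only the first JSON value and, unlike the `json.Unmarshal` call it replaces, does not fail on bytes that follow it. That is safe only as long as `reqParams[1].RawMessage` always holds exactly one value cut out of an already parsed parameter array, which this hunk does not show. A comment above the decoder would record that assumption, for example `// RawMessage is a single pre-parsed JSON value, so Decode cannot leave trailing data unchecked.` The reader can also be written as `reader = bytes.NewReader(reqParams[1].RawMessage)`, since the removed line passed the same value to `json.Unmarshal` without a `[]byte` conversion. The body of getBlockNotifications starts and continues outside the hunk.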
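Review bot: The added case "filter with unknown fields" sends an object whose only key is unknown, so it cannot tell "unknown field rejected" apart from "filter with no recognised field rejected", should the handler perform any later validation (not visible here). A second case that pairs a valid filter field with an unknown key would pin the `DisallowUnknownFields` behaviour specifically. The rpcTestCases literal starts outside the hunk.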