deposit_authorized check that credential belongs to account

XRPLF · Nov 6, 2024 · ef82c3b · ef82c3b
1 parent 756d000
commit ef82c3b
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 4 deletions.
diff --git a/src/test/rpc/DepositAuthorized_test.cpp b/src/test/rpc/DepositAuthorized_test.cpp
@@ -338,10 +338,11 @@ class DepositAuthorized_test : public beast::unit_test::suite
 
         Account const alice{"alice"};
         Account const becky{"becky"};
+        Account const diana{"diana"};
         Account const carol{"carol"};
 
         Env env(*this);
-        env.fund(XRP(1000), alice, becky, carol);
+        env.fund(XRP(1000), alice, becky, carol, diana);
         env.close();
 
         // carol recognize alice
@@ -514,14 +515,51 @@ class DepositAuthorized_test : public beast::unit_test::suite
         }
 
         {
+            // diana recognize becky
+            env(credentials::create(becky, diana, credType));
+            env.close();
+            env(credentials::accept(becky, diana, credType));
+            env.close();
+
+            // retrieve the index of the credentials
+            auto jv = credentials::ledgerEntry(env, becky, diana, credType);
+            std::string const credBecky =
+                jv[jss::result][jss::index].asString();
+
             testcase("deposit_authorized account without preauth");
-            auto const jv = env.rpc(
+            jv = env.rpc(
                 "json",
                 "deposit_authorized",
-                depositAuthArgs(becky, alice, "validated", {credIdx})
+                depositAuthArgs(becky, alice, "validated", {credBecky})
                     .toStyledString());
             checkCredentialsResponse(
-                jv[jss::result], becky, alice, true, {credIdx});
+                jv[jss::result], becky, alice, true, {credBecky});
+        }
+
+        {
+            // carol recognize diana
+            env(credentials::create(diana, carol, credType));
+            env.close();
+            env(credentials::accept(diana, carol, credType));
+            env.close();
+            // retrieve the index of the credentials
+            auto jv = credentials::ledgerEntry(env, alice, carol, credType);
+            std::string const credDiana =
+                jv[jss::result][jss::index].asString();
+
+            // alice try to use credential for different account
+            jv = env.rpc(
+                "json",
+                "deposit_authorized",
+                depositAuthArgs(becky, alice, "validated", {credDiana})
+                    .toStyledString());
+            checkCredentialsResponse(
+                jv[jss::result],
+                becky,
+                alice,
+                false,
+                {credDiana},
+                "badCredentials");
         }
 
         {

diff --git a/src/xrpld/rpc/handlers/DepositAuthorized.cpp b/src/xrpld/rpc/handlers/DepositAuthorized.cpp
@@ -160,6 +160,15 @@ doDepositAuthorized(RPC::JsonContext& context)
                 return result;
             }
 
+            if ((*sleCred)[sfSubject] != srcAcct)
+            {
+                RPC::inject_error(
+                    rpcBAD_CREDENTIALS,
+                    "credentials doesn't belong to the root account",
+                    result);
+                return result;
+            }
+
             auto [it, ins] = sorted.emplace(
                 (*sleCred)[sfIssuer], (*sleCred)[sfCredentialType]);
             if (!ins)