From ef82c3b20c27419b84f0f8b5a37d0e7f177165d7 Mon Sep 17 00:00:00 2001
From: Oleksandr <115580134+oleks-rip@users.noreply.github.com>
Date: Wed, 6 Nov 2024 12:52:25 -0500
Subject: [PATCH] deposit_authorized check that credential belongs to account

---
 src/test/rpc/DepositAuthorized_test.cpp      | 46 ++++++++++++++++++--
 src/xrpld/rpc/handlers/DepositAuthorized.cpp |  9 ++++
 2 files changed, 51 insertions(+), 4 deletions(-)

diff --git a/src/test/rpc/DepositAuthorized_test.cpp b/src/test/rpc/DepositAuthorized_test.cpp
index 3b622e76f20..46637d421e1 100644
--- a/src/test/rpc/DepositAuthorized_test.cpp
+++ b/src/test/rpc/DepositAuthorized_test.cpp
@@ -338,10 +338,11 @@ class DepositAuthorized_test : public beast::unit_test::suite
 
         Account const alice{"alice"};
         Account const becky{"becky"};
+        Account const diana{"diana"};
         Account const carol{"carol"};
 
         Env env(*this);
-        env.fund(XRP(1000), alice, becky, carol);
+        env.fund(XRP(1000), alice, becky, carol, diana);
         env.close();
 
         // carol recognize alice
@@ -514,14 +515,51 @@ class DepositAuthorized_test : public beast::unit_test::suite
         }
 
         {
+            // diana recognize becky
+            env(credentials::create(becky, diana, credType));
+            env.close();
+            env(credentials::accept(becky, diana, credType));
+            env.close();
+
+            // retrieve the index of the credentials
+            auto jv = credentials::ledgerEntry(env, becky, diana, credType);
+            std::string const credBecky =
+                jv[jss::result][jss::index].asString();
+
             testcase("deposit_authorized account without preauth");
-            auto const jv = env.rpc(
+            jv = env.rpc(
                 "json",
                 "deposit_authorized",
-                depositAuthArgs(becky, alice, "validated", {credIdx})
+                depositAuthArgs(becky, alice, "validated", {credBecky})
                     .toStyledString());
             checkCredentialsResponse(
-                jv[jss::result], becky, alice, true, {credIdx});
+                jv[jss::result], becky, alice, true, {credBecky});
+        }
+
+        {
+            // carol recognize diana
+            env(credentials::create(diana, carol, credType));
+            env.close();
+            env(credentials::accept(diana, carol, credType));
+            env.close();
+            // retrieve the index of the credentials
+            auto jv = credentials::ledgerEntry(env, alice, carol, credType);
+            std::string const credDiana =
+                jv[jss::result][jss::index].asString();
+
+            // alice try to use credential for different account
+            jv = env.rpc(
+                "json",
+                "deposit_authorized",
+                depositAuthArgs(becky, alice, "validated", {credDiana})
+                    .toStyledString());
+            checkCredentialsResponse(
+                jv[jss::result],
+                becky,
+                alice,
+                false,
+                {credDiana},
+                "badCredentials");
         }
 
         {
diff --git a/src/xrpld/rpc/handlers/DepositAuthorized.cpp b/src/xrpld/rpc/handlers/DepositAuthorized.cpp
index d6858579e7a..50aa9ef2898 100644
--- a/src/xrpld/rpc/handlers/DepositAuthorized.cpp
+++ b/src/xrpld/rpc/handlers/DepositAuthorized.cpp
@@ -160,6 +160,15 @@ doDepositAuthorized(RPC::JsonContext& context)
                 return result;
             }
 
+            if ((*sleCred)[sfSubject] != srcAcct)
+            {
+                RPC::inject_error(
+                    rpcBAD_CREDENTIALS,
+                    "credentials doesn't belong to the root account",
+                    result);
+                return result;
+            }
+
             auto [it, ins] = sorted.emplace(
                 (*sleCred)[sfIssuer], (*sleCred)[sfCredentialType]);
             if (!ins)