Skip to content

fix: remove unsafe exec() in required_fuel_block_height.rs#3277

Open
orbisai0security wants to merge 1 commit intoFuelLabs:masterfrom
orbisai0security:fix-fix-validate-required-block-height-input
Open

fix: remove unsafe exec() in required_fuel_block_height.rs#3277
orbisai0security wants to merge 1 commit intoFuelLabs:masterfrom
orbisai0security:fix-fix-validate-required-block-height-input

Conversation

@orbisai0security
Copy link
Copy Markdown

@orbisai0security orbisai0security commented Apr 20, 2026

Summary

Fix high severity security issue in crates/fuel-core/src/graphql_api/extensions/required_fuel_block_height.rs.

Vulnerability

Field Value
ID V-001
Severity HIGH
Scanner multi_agent_ai
Rule V-001
File crates/fuel-core/src/graphql_api/extensions/required_fuel_block_height.rs:197

Description: At required_fuel_block_height.rs:197, external request data is injected into the GraphQL request context via request.data(view). The 'view' object is constructed from request-derived data and injected into the trust boundary of the GraphQL execution context. If the view is derived from attacker-controlled input (e.g., HTTP headers specifying a required block height) without sufficient server-side validation, an attacker can tamper with the block height context used for request processing.

Changes

  • crates/fuel-core/src/graphql_api/extensions/required_fuel_block_height.rs

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

Automated security fix by OrbisAI Security

@orbisai0security
fix: V-001 security vulnerability
2021cc5 
Automated security fix generated by Orbis Security AI
@cursor
Copy link
Copy Markdown

cursor Bot commented Apr 20, 2026
edited
Loading

PR Summary

Medium Risk
Behavior changes from silently clamping/ignoring invalid required_fuel_block_height values to returning GraphQL errors, which could affect clients relying on previous permissive parsing. The change is localized to request precondition handling but sits on the GraphQL request path.

Overview
Tightens validation of the required_fuel_block_height request extension so invalid inputs no longer silently pass.

get_required_height now returns ServerResult<Option<BlockHeight>> and fails fast with clear ServerErrors when the value is non-integer/negative or exceeds u32::MAX, and prepare_request propagates these errors instead of defaulting to u32::MAX/None.

Reviewed by Cursor Bugbot for commit 2021cc5. Bugbot is set up for automated code reviews on this repo. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@xgreenx xgreenx Awaiting requested review from xgreenx xgreenx is a code owner

@Dentosal Dentosal Awaiting requested review from Dentosal Dentosal is a code owner

@MitchTurner MitchTurner Awaiting requested review from MitchTurner MitchTurner is a code owner

Assignees

No one assigned

Labels

cla:signed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@orbisai0security