Merge pull request #745 from paupino/borsh-validation

Tony-Samuels · web-flow · commit cd0ffacd3bc1 · 2025-09-08T17:36:36.000+01:00
add validation to borsh deser
diff --git a/src/borsh.rs b/src/borsh.rs
@@ -0,0 +1,40 @@
+use std::io;
+
+use borsh::BorshDeserialize;
+
+use crate::{
+    Decimal, Error,
+    constants::{SCALE_MASK, SCALE_SHIFT, SIGN_MASK},
+};
+
+impl borsh::BorshDeserialize for Decimal {
+    /// An implementation of [`BorshDeserialize`] that checks the received data to ensure it's a
+    /// valid instance of [`Self`].
+    fn deserialize_reader<__R: io::Read>(reader: &mut __R) -> Result<Self, io::Error> {
+        const FLAG_MASK: u32 = SCALE_MASK | SIGN_MASK;
+
+        let flags: u32 = BorshDeserialize::deserialize_reader(reader)?;
+        if flags & FLAG_MASK != flags {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidData,
+                "Invalid flag representation",
+            ));
+        }
+
+        let negative = flags & SIGN_MASK != 0;
+
+        let scale = (flags & SCALE_MASK) >> SCALE_SHIFT;
+        if scale > Self::MAX_SCALE {
+            return Err(io::Error::new(
+                io::ErrorKind::InvalidData,
+                Error::ScaleExceedsMaximumPrecision(scale),
+            ));
+        }
+
+        let hi = BorshDeserialize::deserialize_reader(reader)?;
+        let lo = BorshDeserialize::deserialize_reader(reader)?;
+        let mid = BorshDeserialize::deserialize_reader(reader)?;
+
+        Ok(Self::from_parts(lo, mid, hi, negative, scale))
+    }
+}
diff --git a/src/decimal.rs b/src/decimal.rs
@@ -117,10 +117,9 @@ impl From<UnpackedDecimal> for Decimal {
 #[cfg_attr(feature = "diesel", derive(FromSqlRow, AsExpression), diesel(sql_type = Numeric))]
 #[cfg_attr(feature = "c-repr", repr(C))]
 #[cfg_attr(feature = "align16", repr(align(16)))]
-#[cfg_attr(
-    feature = "borsh",
-    derive(borsh::BorshDeserialize, borsh::BorshSerialize, borsh::BorshSchema)
-)]
+// [`borsh::BorshDeserialize`] is implemented manually so that the result can be checked to be a
+// valid instance of [`Self`].
+#[cfg_attr(feature = "borsh", derive(borsh::BorshSerialize, borsh::BorshSchema))]
 #[cfg_attr(
     feature = "rkyv",
     derive(Archive, Deserialize, Serialize),
diff --git a/src/lib.rs b/src/lib.rs
@@ -14,6 +14,8 @@ pub mod str;
 // We purposely place this here for documentation ordering
 mod arithmetic_impls;
 
+#[cfg(feature = "borsh")]
+mod borsh;
 #[cfg(feature = "rust-fuzz")]
 mod fuzz;
 #[cfg(feature = "maths")]
diff --git a/tests/decimal_tests.rs b/tests/decimal_tests.rs
@@ -138,9 +138,10 @@ fn it_can_serialize_deserialize() {
 
 #[cfg(feature = "borsh")]
 mod borsh_tests {
-    use rust_decimal::Decimal;
     use std::str::FromStr;
 
+    use rust_decimal::Decimal;
+
     #[test]
     fn it_can_serialize_deserialize_borsh() {
         let tests = [
@@ -163,6 +164,42 @@ mod borsh_tests {
             assert_eq!(test.to_string(), b.to_string());
         }
     }
+
+    #[test]
+    fn invalid_flags_errors() {
+        let mut bytes: Vec<u8> = Vec::new();
+        // Invalid flags
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+        // high
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+        // lo
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+        // mid
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+
+        let _err =
+            <Decimal as borsh::BorshDeserialize>::deserialize(&mut bytes.as_slice()).expect_err("Invalid flags passed");
+    }
+
+    #[test]
+    fn invalid_scale_errors() {
+        let mut bytes: Vec<u8> = Vec::new();
+        // Invalid scale
+        borsh::BorshSerialize::serialize(&0x00FF_0000_u32, &mut bytes).unwrap();
+        // high
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+        // lo
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+        // mid
+        borsh::BorshSerialize::serialize(&u32::MAX, &mut bytes).unwrap();
+
+        let err =
+            <Decimal as borsh::BorshDeserialize>::deserialize(&mut bytes.as_slice()).expect_err("Invalid scale passed");
+        assert_eq!(
+            err.downcast::<rust_decimal::Error>().expect("Expected str flags error"),
+            rust_decimal::Error::ScaleExceedsMaximumPrecision(0xFF)
+        );
+    }
 }
 
 #[cfg(feature = "ndarray")]
