From 7516aff2202d005309f7e97449cfe601b434d227 Mon Sep 17 00:00:00 2001
From: parthshah1
Date: Sun, 10 Mar 2024 18:43:45 -0700
Subject: [PATCH] fix: api: Length check the array sent to eth_feeHistory RPC (#11696)

Co-authored-by: Rod Vagg
Co-authored-by: Steven Allen
---
 node/impl/full/eth.go | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/node/impl/full/eth.go b/node/impl/full/eth.go
index 5c3ab316562..031a8360561 100644
--- a/node/impl/full/eth.go
+++ b/node/impl/full/eth.go
@@ -41,6 +41,8 @@ import (
 
 var ErrUnsupported = errors.New("unsupported method")
 
+const maxEthFeeHistoryRewardPercentiles = 100
+
 type EthModuleAPI interface {
 EthBlockNumber(ctx context.Context) (ethtypes.EthUint64, error)
 EthAccounts(ctx context.Context) ([]ethtypes.EthAddress, error)
@@ -689,6 +691,9 @@ func (a *EthModule) EthFeeHistory(ctx context.Context, p jsonrpc.RawParams) (eth
 }
 rewardPercentiles := make([]float64, 0)
 if params.RewardPercentiles != nil {
+ if len(*params.RewardPercentiles) > maxEthFeeHistoryRewardPercentiles {
+ return ethtypes.EthFeeHistory{}, errors.New("length of the reward percentile array cannot be greater than 100")
+ }
 rewardPercentiles = append(rewardPercentiles, *params.RewardPercentiles...)
 }
 for i, rp := range rewardPercentiles {
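Review bot: The new constant `maxEthFeeHistoryRewardPercentiles` has no comment saying what it limits or why 100 was chosen, so a later reader cannot tell whether the value is a protocol rule or a resource guard. A one-line comment above it would do, for example `// maxEthFeeHistoryRewardPercentiles caps the length of the rewardPercentiles array accepted by eth_feeHistory.` If the number was picked to bound the work done per request, which is what the commit title suggests, it is worth saying so in the same comment.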
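Review bot: The error text in the added `return` hard-codes "100" while the comparison uses `maxEthFeeHistoryRewardPercentiles`, so the message will be wrong as soon as the constant changes. Formatting the limit into the message keeps the two in step, for example `return ethtypes.EthFeeHistory{}, fmt.Errorf("length of the reward percentile array cannot be greater than %d", maxEthFeeHistoryRewardPercentiles)`, assuming `fmt` is already imported in this file. The check also runs on `params` after it has been decoded, which presumably happens earlier in `EthFeeHistory`, outside this hunk. If so, it bounds the later per-percentile work but not the cost of parsing an oversized array, which still needs a request-size limit at the RPC layer. The commit touches only `eth.go`, so a test that sends 101 percentiles and expects this error would pin the limit.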