THREAT - Frontend create form didn't check for the maximum length of the form #249

Open
chenchanglew opened this issue Dec 21, 2022 · 0 comments


Scenario

When creating a form, an operator/admin has the choice to select the “text” option; however, the text option's maxlength doesn't have a limit, which means a malicious user can create a huge form. This will increase the load on the node & server when they encode the cast vote. Since all encrypted ballots should be the same length to avoid leakage, the frontend pads the ballot before the encryption. Thus, with a huge form created, it will increase the load on the node & server to process the result even if the vote size itself is small. This will potentially be a denial of service attack.

Source

Frontend create form

Frontend encoded ballot

  // add padding if necessary until encodedBallot.length == ballotSize
  if (encodedBallotSize < ballotSize) {
    const padding = new ShortUniqueId({ length: ballotSize - encodedBallotSize });
    encodedBallot += padding();
  }

Breaking Property

Availability

Risk

CVSS Score: 4.5/10

Mitigation

This can be mitigated by setting a maximum size of ballot for each form.
(Note: this will also need to be checked in the smart contract, because we will not trust the request from the end user.)

Target

Add a check in the frontend and the smart contract for the maximum length of the form.
Add a unit test to test the related issue.
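
One way to implement the size cap proposed under Mitigation, as an added example that is not part of the original issue or the project's code. The form shape, the `text:<id>:<answer>` line format and the limit values are assumptions; the same check has to be repeated in the smart contract, because a frontend check alone can be bypassed.

```javascript
// Added example. The limits, form shape and ballot line format are assumptions.
const LIMITS = { maxTextLength: 256, maxQuestions: 32, maxBallotSize: 8192 };
const utf8Len = (s) => new TextEncoder().encode(s).length;

// Worst-case encoded bytes for one text question, assuming a line of the form
// "text:<id>:<answer>\n". HTML maxlength counts UTF-16 code units, and one
// code unit takes at most 3 bytes in UTF-8.
function worstCaseLineSize(q) {
  return 'text:'.length + utf8Len(q.id) + 1 + q.maxLength * 3 + 1;
}

// Returns { ok, ballotSize, errors }. ballotSize is the padded size every
// ballot for this form would have, so it is the cost each cast vote imposes.
function validateForm(form, limits = LIMITS) {
  const errors = [];
  const questions = form && Array.isArray(form.questions) ? form.questions : [];
  if (questions.length < 1 || questions.length > limits.maxQuestions) {
    errors.push(`question count must be 1..${limits.maxQuestions}`);
  }
  let ballotSize = 0;
  for (const q of questions.slice(0, limits.maxQuestions)) {
    if (!q || typeof q.id !== 'string' || q.id.length < 1 || q.id.length > 64) {
      errors.push('question id must be a string of 1..64 characters');
      continue;
    }
    // A missing, non-integer or oversized maxLength is rejected, never defaulted.
    if (!Number.isInteger(q.maxLength) || q.maxLength < 1 ||
        q.maxLength > limits.maxTextLength) {
      errors.push(`${q.id}: maxLength must be an integer in 1..${limits.maxTextLength}`);
      continue;
    }
    ballotSize += worstCaseLineSize(q);
  }
  if (ballotSize > limits.maxBallotSize) {
    errors.push(`ballot size ${ballotSize} exceeds ${limits.maxBallotSize} bytes`);
  }
  return { ok: errors.length === 0, ballotSize, errors };
}

// Constructed sample forms.
const okForm = { questions: [{ id: 'q1', maxLength: 100 }, { id: 'q2', maxLength: 50 }] };
const hugeForm = { questions: [{ id: 'q1', maxLength: 1e9 }] };
console.log(validateForm(okForm), validateForm(hugeForm).errors);
```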
