Improve MsgPack Deserialization Sanitization

[dOrgJelli]

Currently, when msgpack (in WASM or in JS) deserializes a buffer, it does not have sanitization logic for handling unexpected types or malformed data. We need this to happen at run-time because we don't want to run the risk of malformed input data getting sent to a smart contract, making funds at risk.

[mpetrunic]

Don't you already have this? Looking at ReadDecoder it will error on decoding of invalid scalar value?

[dOrgJelli]

Yes you're correct, some cases are already handled. I think we should break this issue into multiple, where each one defines a error case we must handle, and requires tests to be created for that case. Here are the error cases I've thought of so far, some more thought should be put into this:

• Missing Input Arguments (https://github.com/Web3-API/prototype/blob/ebf9b17b3a639b882f670637c276ba7840635641/packages/schema/bind/src/__tests__/cases/sanity/output/wasm-as/Query/serialization.ts#L26-L28)
  • WASM language agnostic tests are required here, so they can be run for all bindings, including newly added ones.
• Missing Required Property (https://github.com/Web3-API/prototype/blob/ebf9b17b3a639b882f670637c276ba7840635641/packages/schema/bind/src/__tests__/cases/sanity/output/wasm-as/CustomType/serialization.ts#L96-L198)
  • Currently, there's not logic for making sure all required properties of an object instance are deserialized. We need to be clever here to make sure this is done efficiently (maybe use a bitmask/bloom of all required props found?).
• Overflows (in all cases, such as this one: https://github.com/Web3-API/prototype/blob/ebf9b17b3a639b882f670637c276ba7840635641/packages/wasm/as/assembly/msgpack/ReadDecoder.ts#L394-L401)

[dOrgJelli]

Created this issue for the remaining work here: #150