add security fixes

Author: gregnazario

crates/aptos-rust-sdk-v2/src/account/multi_ed25519.rs

@@ -377,6 +377,8 @@ impl Account for MultiEd25519Account {
 
 impl fmt::Debug for MultiEd25519Account {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        // SECURITY: Intentionally omit private_keys to prevent secret leakage
+        // in logs, panic messages, or debug output
         f.debug_struct("MultiEd25519Account")
             .field("address", &self.address)
             .field(
@@ -389,7 +391,7 @@ impl fmt::Debug for MultiEd25519Account {
                 ),
             )
             .field("public_key", &self.public_key)
-            .field("private_keys", &self.private_keys)
+            .field("private_keys", &"[REDACTED]")
             .finish()
     }
 }

crates/aptos-rust-sdk-v2/src/account/multi_key.rs

@@ -448,6 +448,8 @@ impl Account for MultiKeyAccount {
 
 impl fmt::Debug for MultiKeyAccount {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        // SECURITY: Intentionally omit private_keys to prevent secret leakage
+        // in logs, panic messages, or debug output
         f.debug_struct("MultiKeyAccount")
             .field("address", &self.address)
             .field(
@@ -461,7 +463,7 @@ impl fmt::Debug for MultiKeyAccount {
             )
             .field("types", &self.key_types())
             .field("public_key", &self.public_key)
-            .field("private_keys", &self.private_keys)
+            .field("private_keys", &"[REDACTED]")
             .finish()
     }
 }

crates/aptos-rust-sdk-v2/src/api/fullnode.rs

@@ -270,6 +270,7 @@ impl FullnodeClient {
         let bcs_bytes = signed_txn.to_bcs()?;
         let client = self.client.clone();
         let retry_config = self.retry_config.clone();
+        let max_response_size = self.config.pool_config().max_response_size;
 
         let executor = RetryExecutor::new((*retry_config).clone());
         executor
@@ -286,7 +287,7 @@ impl FullnodeClient {
                         .send()
                         .await?;
 
-                    Self::handle_response_static(response).await
+                    Self::handle_response_static(response, max_response_size).await
                 }
             })
             .await
@@ -400,6 +401,7 @@ impl FullnodeClient {
         let bcs_bytes = signed_txn.to_bcs()?;
         let client = self.client.clone();
         let retry_config = self.retry_config.clone();
+        let max_response_size = self.config.pool_config().max_response_size;
 
         let executor = RetryExecutor::new((*retry_config).clone());
         executor
@@ -416,7 +418,7 @@ impl FullnodeClient {
                         .send()
                         .await?;
 
-                    Self::handle_response_static(response).await
+                    Self::handle_response_static(response, max_response_size).await
                 }
             })
             .await
@@ -459,6 +461,7 @@ impl FullnodeClient {
 
         let client = self.client.clone();
         let retry_config = self.retry_config.clone();
+        let max_response_size = self.config.pool_config().max_response_size;
 
         let executor = RetryExecutor::new((*retry_config).clone());
         executor
@@ -475,7 +478,7 @@ impl FullnodeClient {
                         .send()
                         .await?;
 
-                    Self::handle_response_static(response).await
+                    Self::handle_response_static(response, max_response_size).await
                 }
             })
             .await
@@ -558,12 +561,17 @@ impl FullnodeClient {
     fn build_url(&self, path: &str) -> Url {
         let mut url = self.config.fullnode_url().clone();
         if !path.is_empty() {
-            // Ensure base path ends with /
-            if !url.path().ends_with('/') {
-                url.set_path(&format!("{}/", url.path()));
+            // Avoid format! allocations by building the path string manually
+            let base_path = url.path();
+            let needs_slash = !base_path.ends_with('/');
+            let new_len = base_path.len() + path.len() + usize::from(needs_slash);
+            let mut new_path = String::with_capacity(new_len);
+            new_path.push_str(base_path);
+            if needs_slash {
+                new_path.push('/');
             }
-            // Append the path segment
-            url.set_path(&format!("{}{}", url.path(), path));
+            new_path.push_str(path);
+            url.set_path(&new_path);
         }
         url
     }
@@ -575,6 +583,7 @@ impl FullnodeClient {
         let client = self.client.clone();
         let url_clone = url.clone();
         let retry_config = self.retry_config.clone();
+        let max_response_size = self.config.pool_config().max_response_size;
 
         let executor = RetryExecutor::new((*retry_config).clone());
         executor
@@ -588,18 +597,39 @@ impl FullnodeClient {
                         .send()
                         .await?;
 
-                    Self::handle_response_static(response).await
+                    Self::handle_response_static(response, max_response_size).await
                 }
             })
             .await
     }
 
     /// Handles an HTTP response without retry (for internal use).
+    ///
+    /// # Security
+    ///
+    /// This method checks the Content-Length header against `max_response_size`
+    /// to prevent memory exhaustion from extremely large responses.
     async fn handle_response_static<T: for<'de> serde::Deserialize<'de>>(
         response: reqwest::Response,
+        max_response_size: usize,
     ) -> AptosResult<AptosResponse<T>> {
         let status = response.status();
 
+        // SECURITY: Check Content-Length to prevent memory exhaustion
+        // This protects against malicious servers sending extremely large responses
+        if let Some(content_length) = response.content_length()
+            && content_length > max_response_size as u64
+        {
+            return Err(AptosError::Api {
+                status_code: status.as_u16(),
+                message: format!(
+                    "response body too large: {content_length} bytes exceeds limit of {max_response_size} bytes"
+                ),
+                error_code: Some("RESPONSE_TOO_LARGE".to_string()),
+                vm_error_code: None,
+            });
+        }
+
         // Extract headers before consuming response body
         let ledger_version = response
             .headers()
@@ -632,6 +662,13 @@ impl FullnodeClient {
             .and_then(|v| v.to_str().ok())
             .map(ToString::to_string);
 
+        // Extract Retry-After header for rate limiting (before consuming body)
+        let retry_after_secs = response
+            .headers()
+            .get("retry-after")
+            .and_then(|v| v.to_str().ok())
+            .and_then(|v| v.parse().ok());
+
         if status.is_success() {
             let data: T = response.json().await?;
             Ok(AptosResponse {
@@ -643,6 +680,10 @@ impl FullnodeClient {
                 oldest_ledger_version,
                 cursor,
             })
+        } else if status.as_u16() == 429 {
+            // SECURITY: Return specific RateLimited error with Retry-After info
+            // This allows callers to respect the server's rate limiting
+            Err(AptosError::RateLimited { retry_after_secs })
         } else {
             let body: serde_json::Value = response.json().await.unwrap_or_default();
             let message = body
@@ -673,7 +714,8 @@ impl FullnodeClient {
         &self,
         response: reqwest::Response,
     ) -> AptosResult<AptosResponse<T>> {
-        Self::handle_response_static(response).await
+        let max_response_size = self.config.pool_config().max_response_size;
+        Self::handle_response_static(response, max_response_size).await
     }
 }
 

crates/aptos-rust-sdk-v2/src/aptos.rs

@@ -213,8 +213,13 @@ impl Aptos {
         sender: &A,
         payload: TransactionPayload,
     ) -> AptosResult<RawTransaction> {
-        let sequence_number = self.get_sequence_number(sender.address()).await?;
-        let gas_estimation = self.fullnode.estimate_gas_price().await?;
+        // Fetch sequence number and gas price in parallel - they're independent
+        let (sequence_number, gas_estimation) = tokio::join!(
+            self.get_sequence_number(sender.address()),
+            self.fullnode.estimate_gas_price()
+        );
+        let sequence_number = sequence_number?;
+        let gas_estimation = gas_estimation?;
 
         TransactionBuilder::new()
             .sender(sender.address())
@@ -542,16 +547,29 @@ impl Aptos {
             .ok_or_else(|| AptosError::FeatureNotEnabled("faucet".into()))?;
         let txn_hashes = faucet.fund(address, amount).await?;
 
-        // Wait for all faucet transactions to be confirmed
-        for hash_str in &txn_hashes {
-            // Hash might have 0x prefix or not
-            let hash_str_clean = hash_str.strip_prefix("0x").unwrap_or(hash_str);
-            if let Ok(hash) = HashValue::from_hex(hash_str_clean) {
-                // Wait for the transaction to be confirmed
+        // Parse hashes first to own them
+        let hashes: Vec<HashValue> = txn_hashes
+            .iter()
+            .filter_map(|hash_str| {
+                // Hash might have 0x prefix or not
+                let hash_str_clean = hash_str.strip_prefix("0x").unwrap_or(hash_str);
+                HashValue::from_hex(hash_str_clean).ok()
+            })
+            .collect();
+
+        // Wait for all faucet transactions to be confirmed in parallel
+        let wait_futures: Vec<_> = hashes
+            .iter()
+            .map(|hash| {
                 self.fullnode
-                    .wait_for_transaction(&hash, Some(Duration::from_secs(60)))
-                    .await?;
-            }
+                    .wait_for_transaction(hash, Some(Duration::from_secs(60)))
+            })
+            .collect();
+
+        // Wait for all transactions in parallel
+        let results = futures::future::join_all(wait_futures).await;
+        for result in results {
+            result?;
         }
 
         Ok(txn_hashes)

crates/aptos-rust-sdk-v2/src/codegen/types.rs

@@ -155,16 +155,17 @@ impl MoveTypeMapper {
 
         // Handle generic struct types (e.g., 0x1::coin::Coin<0x1::aptos_coin::AptosCoin>)
         if move_type.contains("::") {
-            // Extract the struct name for the Rust type
-            let parts: Vec<&str> = move_type.split("::").collect();
-            if parts.len() >= 3 {
-                // Get the base struct name (without generics)
-                let struct_name = parts.last().unwrap();
-                let base_name = struct_name.split('<').next().unwrap_or(struct_name);
-
-                // Create a pascal case name
-                let rust_name = to_pascal_case(base_name);
-                return RustType::new(rust_name).with_doc(format!("Move type: {move_type}"));
+            // Use rsplit to avoid collecting into Vec - we only need the last part
+            let part_count = move_type.matches("::").count() + 1;
+            if part_count >= 3 {
+                // Get the base struct name (without generics) using rsplit
+                if let Some(struct_name) = move_type.rsplit("::").next() {
+                    let base_name = struct_name.split('<').next().unwrap_or(struct_name);
+
+                    // Create a pascal case name
+                    let rust_name = to_pascal_case(base_name);
+                    return RustType::new(rust_name).with_doc(format!("Move type: {move_type}"));
+                }
             }
         }