Guard against XCM recursive bombs by setting a recursion limit

Cargo.toml

@@ -39,6 +39,7 @@ members = [
 	"xcm",
 	"xcm/xcm-builder",
 	"xcm/xcm-executor",
+	"xcm/xcm-executor/integration-tests",
 	"xcm/xcm-simulator",
 	"xcm/xcm-simulator/example",
 	"xcm/pallet-xcm",

runtime/parachains/src/ump.rs

@@ -84,14 +84,18 @@ impl<XcmExecutor: xcm::v0::ExecuteXcm<C::Call>, C: Config> UmpSink for XcmSink<X
 		data: &[u8],
 		max_weight: Weight,
 	) -> Result<Weight, (MessageId, Weight)> {
+		use parity_scale_codec::DecodeLimit;
 		use xcm::{
 			v0::{Error as XcmError, Junction, MultiLocation, Xcm},
 			VersionedXcm,
 		};
 
 		let id = sp_io::hashing::blake2_256(&data[..]);
-		let maybe_msg =
-			VersionedXcm::<C::Call>::decode(&mut &data[..]).map(Xcm::<C::Call>::try_from);
+		let maybe_msg = VersionedXcm::<C::Call>::decode_all_with_depth_limit(
+			xcm::MAX_XCM_DECODE_DEPTH,
+			&mut &data[..],
+		)
+		.map(Xcm::<C::Call>::try_from);
 		match maybe_msg {
 			Err(_) => {
 				Pallet::<C>::deposit_event(Event::InvalidFormat(id));

runtime/test-runtime/Cargo.toml

@@ -55,8 +55,12 @@ pallet-vesting = { git = "https://github.com/paritytech/substrate", branch = "ma
 
 runtime-common = { package = "polkadot-runtime-common", path = "../common", default-features = false }
 primitives = { package = "polkadot-primitives", path = "../../primitives", default-features = false }
+pallet-xcm = { path = "../../xcm/pallet-xcm", default-features = false }
 polkadot-parachain = { path = "../../parachain", default-features = false }
 polkadot-runtime-parachains = { path = "../parachains", default-features = false }
+xcm-builder = { path = "../../xcm/xcm-builder", default-features = false }
+xcm-executor = { path = "../../xcm/xcm-executor", default-features = false }
+xcm = { path = "../../xcm", default-features = false }
 
 [dev-dependencies]
 hex-literal = "0.3.1"
@@ -82,6 +86,10 @@ std = [
 	"inherents/std",
 	"sp-core/std",
 	"polkadot-parachain/std",
+	"pallet-xcm/std",
+	"xcm-builder/std",
+	"xcm-executor/std",
+	"xcm/std",
 	"sp-api/std",
 	"tx-pool-api/std",
 	"block-builder-api/std",

runtime/test-runtime/src/lib.rs

@@ -79,6 +79,7 @@ pub use sp_runtime::BuildStorage;
 
 /// Constant values used within the runtime.
 pub mod constants;
+pub mod xcm_config;
 use constants::{currency::*, fee::*, time::*};
 
 // Make the WASM binary available.
@@ -488,6 +489,31 @@ impl parachains_ump::Config for Runtime {
 	type FirstMessageFactorPercent = FirstMessageFactorPercent;
 }
 
+parameter_types! {
+	pub const BaseXcmWeight: frame_support::weights::Weight = 1_000;
+	pub const AnyNetwork: xcm::v0::NetworkId = xcm::v0::NetworkId::Any;
+}
+
+pub type LocalOriginToLocation = xcm_builder::SignedToAccountId32<Origin, AccountId, AnyNetwork>;
+
+impl pallet_xcm::Config for Runtime {
+	// The config types here are entirely configurable, since the only one that is sorely needed
+	// is `XcmExecutor`, which will be used in unit tests located in xcm-executor.
+	type Event = Event;
+	type ExecuteXcmOrigin = xcm_config::ConvertOriginToLocal;
+	type LocationInverter = xcm_config::InvertNothing;
+	type SendXcmOrigin = xcm_config::ConvertOriginToLocal;
+	type Weigher = xcm_builder::FixedWeightBounds<BaseXcmWeight, Call>;
+	type XcmRouter = xcm_config::DoNothingRouter;
+	type XcmExecuteFilter =
+		frame_support::traits::All<(xcm::v0::MultiLocation, xcm::v0::Xcm<Call>)>;
+	type XcmExecutor = xcm_executor::XcmExecutor<xcm_config::XcmConfig>;
+	type XcmTeleportFilter =
+		frame_support::traits::All<(xcm::v0::MultiLocation, Vec<xcm::v0::MultiAsset>)>;
+	type XcmReserveTransferFilter =
+		frame_support::traits::All<(xcm::v0::MultiLocation, Vec<xcm::v0::MultiAsset>)>;
+}
+
 impl parachains_hrmp::Config for Runtime {
 	type Event = Event;
 	type Origin = Origin;
@@ -543,6 +569,7 @@ construct_runtime! {
 		Hrmp: parachains_hrmp::{Pallet, Call, Storage, Event<T>},
 		Ump: parachains_ump::{Pallet, Call, Storage, Event},
 		Dmp: parachains_dmp::{Pallet, Call, Storage},
+		Xcm: pallet_xcm::{Pallet, Call, Event<T>, Origin},
 		ParasDisputes: parachains_disputes::{Pallet, Storage, Event<T>},
 
 		Sudo: pallet_sudo::{Pallet, Call, Storage, Config<T>, Event<T>},

runtime/test-runtime/src/xcm_config.rs

@@ -0,0 +1,88 @@
+// Copyright 2021 Parity Technologies (UK) Ltd.
+// This file is part of Polkadot.
+
+// Polkadot is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// Polkadot is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.
+
+use frame_support::{
+	traits::{All, EnsureOrigin, OriginTrait},
+	weights::Weight,
+};
+use xcm::v0::{Error as XcmError, MultiAsset, MultiLocation, Result as XcmResult, SendXcm, Xcm};
+use xcm_builder::{AllowUnpaidExecutionFrom, FixedWeightBounds};
+use xcm_executor::{
+	traits::{InvertLocation, TransactAsset, WeightTrader},
+	Assets,
+};
+
+pub struct ConvertOriginToLocal;
+impl<Origin: OriginTrait> EnsureOrigin<Origin> for ConvertOriginToLocal {
+	type Success = MultiLocation;
+
+	fn try_origin(_: Origin) -> Result<MultiLocation, Origin> {
+		Ok(MultiLocation::Null)
+	}
+}
+
+pub struct DoNothingRouter;
+impl SendXcm for DoNothingRouter {
+	fn send_xcm(_dest: MultiLocation, _msg: Xcm<()>) -> XcmResult {
+		Ok(())
+	}
+}
+
+pub type Barrier = AllowUnpaidExecutionFrom<All<MultiLocation>>;
+
+pub struct DummyAssetTransactor;
+impl TransactAsset for DummyAssetTransactor {
+	fn deposit_asset(_what: &MultiAsset, _who: &MultiLocation) -> XcmResult {
+		Ok(())
+	}
+
+	fn withdraw_asset(_what: &MultiAsset, _who: &MultiLocation) -> Result<Assets, XcmError> {
+		Ok(Assets::default())
+	}
+}
+
+pub struct DummyWeightTrader;
+impl WeightTrader for DummyWeightTrader {
+	fn new() -> Self {
+		DummyWeightTrader
+	}
+
+	fn buy_weight(&mut self, _weight: Weight, _payment: Assets) -> Result<Assets, XcmError> {
+		Ok(Assets::default())
+	}
+}
+
+pub struct InvertNothing;
+impl InvertLocation for InvertNothing {
+	fn invert_location(_: &MultiLocation) -> MultiLocation {
+		MultiLocation::Null
+	}
+}
+
+pub struct XcmConfig;
+impl xcm_executor::Config for XcmConfig {
+	type Call = super::Call;
+	type XcmSender = DoNothingRouter;
+	type AssetTransactor = DummyAssetTransactor;
+	type OriginConverter = pallet_xcm::XcmPassthrough<super::Origin>;
+	type IsReserve = ();
+	type IsTeleporter = ();
+	type LocationInverter = InvertNothing;
+	type Barrier = Barrier;
+	type Weigher = FixedWeightBounds<super::BaseXcmWeight, super::Call>;
+	type Trader = DummyWeightTrader;
+	type ResponseHandler = ();
+}

xcm/src/double_encoded.rs

@@ -14,12 +14,10 @@
 // You should have received a copy of the GNU General Public License
 // along with Polkadot.  If not, see <http://www.gnu.org/licenses/>.
 
+use crate::MAX_XCM_DECODE_DEPTH;
 use alloc::vec::Vec;
 use parity_scale_codec::{Decode, DecodeLimit, Encode};
 
-/// Maximum nesting level for XCM decoding.
-pub const MAX_XCM_DECODE_DEPTH: u32 = 8;
-
 /// Wrapper around the encoded and decoded versions of a value.
 /// Caches the decoded value once computed.
 #[derive(Encode, Decode)]

xcm/src/lib.rs

@@ -31,6 +31,9 @@ pub mod v0;
 mod double_encoded;
 pub use double_encoded::DoubleEncoded;
 
+/// Maximum nesting level for XCM decoding.
+pub const MAX_XCM_DECODE_DEPTH: u32 = 8;
+
 /// A single XCM message, together with its version code.
 #[derive(Derivative, Encode, Decode)]
 #[derivative(Clone(bound = ""), Eq(bound = ""), PartialEq(bound = ""), Debug(bound = ""))]

xcm/src/v0/traits.rs

@@ -87,6 +87,8 @@ pub enum Error {
 	TooExpensive,
 	/// The given asset is not handled.
 	AssetNotFound,
+	/// `execute_xcm` has been called too many times recursively.
+	RecursionLimitReached,
 }
 
 impl From<()> for Error {

xcm/xcm-executor/integration-tests/Cargo.toml

@@ -0,0 +1,30 @@
+[package]
+authors = ["Parity Technologies <admin@parity.io>"]
+edition = "2018"
+name = "xcm-executor-integration-tests"
+description = "Integration tests for the XCM Executor"
+version = "0.9.9"
+
+[dependencies]
+frame-support = { git = "https://github.com/paritytech/substrate", branch = "master", default-features = false }
+frame-system = { git = "https://github.com/paritytech/substrate", branch = "master" }
+futures = "0.3.15"
+pallet-xcm = { path = "../../pallet-xcm" }
+polkadot-test-client = { path = "../../../node/test/client" }
+polkadot-test-runtime = { path = "../../../runtime/test-runtime" }
+polkadot-test-service = { path = "../../../node/test/service" }
+sp-consensus = { git = "https://github.com/paritytech/substrate", branch = "master" }
+sp-keyring = { git = "https://github.com/paritytech/substrate", branch = "master" }
+sp-runtime = { git = "https://github.com/paritytech/substrate", branch = "master", default-features = false }
+sp-state-machine = { git = "https://github.com/paritytech/substrate", branch = "master" }
+xcm = { path = "../..", default-features = false }
+xcm-executor = { path = ".." }
+sp-tracing = { git = "https://github.com/paritytech/substrate", branch = "master" }
+
+[features]
+default = ["std"]
+std = [
+	"xcm/std",
+	"sp-runtime/std",
+	"frame-support/std",
+]