
Deny unknown fields on RPC Request and Response#6926

Draft
sudo-shashank wants to merge 5 commits into main from shashank/deny-unknown-fields-rpc

Conversation

@sudo-shashank
Contributor

@sudo-shashank sudo-shashank commented Apr 16, 2026

Summary of changes

Changes introduced in this pull request:

  • Reject unknown fields in RPC request parameters and response payloads when FOREST_STRICT_JSON is enabled.

Reference issue to close (if applicable)

Closes #5600
Closes #5635

Other information and links

Change checklist

  • I have performed a self-review of my own code,
  • I have made corresponding changes to the documentation. All new code adheres to the team's documentation standards,
  • I have added tests that prove my fix is effective or that my feature works (if possible),
  • I have made sure the CHANGELOG is up-to-date. All user-facing changes should be reflected in this document.

Outside contributions

  • I have read and agree to the CONTRIBUTING document.
  • I have read and agree to the AI Policy document. I understand that failure to comply with the guidelines will lead to rejection of the pull request.

Summary by CodeRabbit

New Features

  • Enhanced strict JSON validation: when FOREST_STRICT_JSON is enabled, RPC request parameters and response results now reject unknown fields in addition to duplicate keys.

Documentation

  • Updated environment variable documentation to reflect expanded strict JSON validation capabilities.
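As an added illustration of the behaviour this PR describes (example code written for this page, not Forest's own `json_validator`, and in Python rather than Rust so it runs with no dependencies): strict mode parses with a duplicate-key hook and then walks the parsed object against a set of known fields, while lenient mode keeps the usual last-key-wins parse and silently carries extra fields. The schema, the `is_strict_mode` reading of `FOREST_STRICT_JSON`, the field names and the three payloads are all constructed for the example. The security point it makes is the one behind the PR: a field a lenient parser ignores, or a duplicate key it resolves by position, is exactly the kind of input two peers can interpret differently, so a strict parser turns that ambiguity into a visible error instead.

```python
"""Strict JSON-RPC payload checking, written as an added example of the
behaviour this PR describes. It is not Forest's own json_validator: the
schema, field names and payloads below are constructed for the example."""
import json
import os


class StrictJsonError(ValueError):
    """Raised when strict mode finds a duplicate key or an unknown field."""


# Known fields per object, nested; None means "any value, not inspected".
# Constructed for this example, not taken from Forest's LotusJson types.
RESPONSE_SCHEMA = {
    "jsonrpc": None,
    "id": None,
    "result": {"Height": None, "Cids": None},
    "error": {"code": None, "message": None, "data": None},
}


def is_strict_mode(env=None):
    """Strict mode is on when FOREST_STRICT_JSON is set to anything but ''/'0'/'false'.
    (Assumed semantics for this example; Forest's exact parsing of the variable
    is not shown on the page.)"""
    env = os.environ if env is None else env
    return env.get("FOREST_STRICT_JSON", "") not in ("", "0", "false")


def _reject_duplicate_keys(pairs):
    """object_pairs_hook for json.loads: fail on a repeated key instead of
    silently keeping the last value, which is what json.loads does by default."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise StrictJsonError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _reject_unknown_fields(value, schema, path="$"):
    """Walk a parsed object and fail on any key the schema does not list."""
    if schema is None or not isinstance(value, dict):
        return
    for key, child in value.items():
        if key not in schema:
            raise StrictJsonError(f"unknown field {path}.{key}")
        _reject_unknown_fields(child, schema[key], f"{path}.{key}")


def parse_rpc_payload(text, schema=RESPONSE_SCHEMA, strict=None):
    """Parse an RPC payload. In strict mode, duplicate keys and unknown fields
    are errors; otherwise the lenient default parse is used (last key wins,
    extra fields are kept without complaint)."""
    if strict is None:
        strict = is_strict_mode()
    if not strict:
        return json.loads(text)
    data = json.loads(text, object_pairs_hook=_reject_duplicate_keys)
    _reject_unknown_fields(data, schema)
    return data


def check(text, strict):
    """Return 'ok' or the validation error message (handy for tests)."""
    try:
        parse_rpc_payload(text, strict=strict)
        return "ok"
    except StrictJsonError as exc:
        return str(exc)


# Constructed sample payloads: a clean response, one with an extra field that a
# lenient parser would drop on the floor, and one with a duplicated "id".
GOOD = '{"jsonrpc": "2.0", "id": 1, "result": {"Height": 100, "Cids": []}}'
EXTRA = '{"jsonrpc": "2.0", "id": 1, "result": {"Height": 100, "Cids": [], "Extra": true}}'
DUP = '{"jsonrpc": "2.0", "id": 1, "id": 2, "result": {"Height": 100, "Cids": []}}'

if __name__ == "__main__":
    for name, payload in (("GOOD", GOOD), ("EXTRA", EXTRA), ("DUP", DUP)):
        print(f"{name}: strict={check(payload, True)!r} lenient={check(payload, False)!r}")
```

Running the block shows `EXTRA` and `DUP` pass in lenient mode and fail in strict mode, and that the lenient parse of `DUP` silently yields `id == 2`. The same check has to be applied to what a remote peer sends, not only to values the node itself built, which is the distinction the review thread below turns on.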

@coderabbitai
Contributor

coderabbitai bot commented Apr 16, 2026

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 39079ae8-3b2d-4ebc-abd2-190da18d49c4

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Contributor

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@CHANGELOG.md`:
- Line 32: Update the CHANGELOG entry that currently references the PR number
[`#6926`] to reference the tracked issue numbers instead; replace the PR link and
label with the issue reference(s) [`#5600`] and/or [`#5635`] and the corresponding
issue URL(s) while keeping the rest of the description unchanged ("Added strict
JSON validation to deny unknown fields in RPC request parameters and response
results when `FOREST_STRICT_JSON` is enabled."); edit the exact line that
contains the current "- [`#6926`](...): ..." entry so the format matches other
changelog entries (use [`#ISSUE_NO`](link-to-issue): <description>).

In `@src/rpc/reflect/mod.rs`:
- Around line 278-285: The current validation only re-serializes Forest's own
LotusJson before returning; to actually reject unknown fields from remote nodes
update RpcMethodExt::call_raw to validate the incoming JSON payload using
crate::rpc::json_validator::from_value_rejecting_unknown_fields (into the
<Self::Ok as HasLotusJson>::LotusJson type) instead of using plain
serde_json::from_value, so the client.call(...) result is passed through
from_value_rejecting_unknown_fields (honoring FOREST_STRICT_JSON behavior) and
any unknown fields cause an error.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 9e9c365b-6589-49ef-96e3-d17f624df0ce

📥 Commits

Reviewing files that changed from the base of the PR and between 09376b7 and b48816d.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (6)
  • CHANGELOG.md
  • Cargo.toml
  • docs/docs/users/reference/env_variables.md
  • src/rpc/json_validator.rs
  • src/rpc/reflect/mod.rs
  • src/rpc/reflect/parser.rs

Comment thread CHANGELOG.md
Comment thread src/rpc/reflect/mod.rs
Comment on lines +278 to +285
let result = ok.into_lotus_json();
if crate::rpc::json_validator::is_strict_mode() {
let v = serde_json::to_value(&result).map_err(Error::from)?;
let _: <Self::Ok as HasLotusJson>::LotusJson =
crate::rpc::json_validator::from_value_rejecting_unknown_fields(v)
.map_err(Error::from)?;
}
Result::<_, jsonrpsee::types::ErrorObjectOwned>::Ok(result)
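Review bot: the strict-mode branch in this hunk checks a value Forest itself just built with `into_lotus_json()`, so `from_value_rejecting_unknown_fields` can only ever fail on a defect in Forest's own `LotusJson` types, yet it pays a full `to_value`/`from_value` round-trip on every response while `FOREST_STRICT_JSON` is set and then discards the re-deserialized value via `let _:`. Consider moving this self-check into a test or a debug assertion, and applying the strict deserialization to payloads that arrive from a remote node, which is where unknown fields actually originate.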
Contributor


⚠️ Potential issue | 🟠 Major

This doesn't validate incoming RPC responses.

The round-trip here only self-checks Forest's own LotusJson before returning it. Line 360 in RpcMethodExt::call_raw still deserializes remote payloads with plain serde_json::from_value(json), so extra fields from Lotus/other nodes will continue to bypass FOREST_STRICT_JSON.

Possible fix
fn call_raw(
    client: &crate::rpc::client::Client,
    params: Self::Params,
) -> impl Future<Output = Result<<Self::Ok as HasLotusJson>::LotusJson, jsonrpsee::core::ClientError>>
{
    async {
        let json = client.call(Self::request(params)?.map_ty()).await?;
        Ok(crate::rpc::json_validator::from_value_rejecting_unknown_fields(json)?)
    }
}
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@src/rpc/reflect/mod.rs` around lines 278 - 285, The current validation only
re-serializes Forest's own LotusJson before returning; to actually reject
unknown fields from remote nodes update RpcMethodExt::call_raw to validate the
incoming JSON payload using
crate::rpc::json_validator::from_value_rejecting_unknown_fields (into the
<Self::Ok as HasLotusJson>::LotusJson type) instead of using plain
serde_json::from_value, so the client.call(...) result is passed through
from_value_rejecting_unknown_fields (honoring FOREST_STRICT_JSON behavior) and
any unknown fields cause an error.


Development

Successfully merging this pull request may close these issues.

Deny unknown fields on RPC response deserialization Deny unknown fields on RPC request deserialization
