Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug v1.16.0-rc1 (stable2409) RPC call is unsafe to be called externally #5677

Closed
2 tasks done
BulatSaif opened this issue Sep 11, 2024 · 2 comments · Fixed by #5678
Closed
2 tasks done

Bug v1.16.0-rc1 (stable2409) RPC call is unsafe to be called externally #5677

BulatSaif opened this issue Sep 11, 2024 · 2 comments · Fixed by #5678
Labels
I2-bug The node fails to follow expected behavior. I10-unconfirmed Issue might be valid, but it's not yet known.

Comments

@BulatSaif
Copy link
Contributor

Is there an existing issue?

  • I have searched the existing issues

Experiencing problems? Have you tried our Stack Exchange first?

  • This is not a support question.

Description of bug

Before polkadot:v1.16.0, unsafe RPC methods were exposed by default if the RPC was open to localhost. This behavior has changed (accidentally?), but the help documentation has not been updated.

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --help | grep -A 10 rpc-methods
      --rpc-methods <METHOD SET>
          RPC methods to expose.
          
          [default: auto]

          Possible values:
          - auto:   Expose every RPC method only when RPC is listening on `localhost`, otherwise
            serve only safe RPC methods
          - safe:   Allow only a safe subset of RPC methods
          - unsafe: Expose every RPC method (even potentially unsafe ones)

Example:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1  --chain rococo-local 
Starting binary polkadot
2024-09-11 12:08:23 Parity Polkadot    
2024-09-11 12:08:23 ✌️  version 1.16.0-a427d8fb677    
2024-09-11 12:08:23 ❤️  by Parity Technologies <admin@parity.io>, 2017-2024    
2024-09-11 12:08:23 📋 Chain specification: Rococo Local Testnet    
...
2024-09-11 12:08:30 Running JSON-RPC server: addr=127.0.0.1:9944, 

curl -H "Content-Type: application/json" --data '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x11","aura"],"id":1 }' localhost:9944
{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}

Workaround:
set rpc-methods manually .

--rpc-methods=unsafe

Steps to reproduce

On host:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --chain rococo-local
docker exec -it -u 0 CONTAINER_ID bash

Inside the container, run any unsafe rpc (you can install curl or use the bash script below):

pcurl() { exec 4<>/dev/tcp/127.0.0.1/9944 && echo -e 'POST / HTTP/1.1\nHost: 127.0.0.1:9944\nContent-Type: application/json\nContent-Length: '$(echo -n $1| wc -c)'\n\n'$1'0x0'  >&4 && cat <&4 ; }
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
  {"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}HTTP/1.1

It is important to run curl inside of the container, to have same network.

Expected behavior:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.15.2 --chain rococo-local
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
     {"jsonrpc":"2.0","result":false,"id":1}HTTP/1.1
@BulatSaif BulatSaif added I2-bug The node fails to follow expected behavior. I10-unconfirmed Issue might be valid, but it's not yet known. labels Sep 11, 2024
@BulatSaif BulatSaif mentioned this issue Sep 11, 2024
Closed
@ggwpez
Copy link
Member

ggwpez commented Sep 11, 2024
edited
Loading

Maybe this one #4792 ? @niklasad1 do you know if this here is desired behaviour or not?

@niklasad1
Copy link
Member

niklasad1 commented Sep 11, 2024
edited
Loading

It wasn't intended to break this, lemme check

Thanks Bulat, I have opened a PR to fix this

niklasad1 added a commit that referenced this issue Sep 11, 2024
@niklasad1
fix(rpc server): auto -> allow localhost conns
a7f0455 
Close #5677
@niklasad1 niklasad1 mentioned this issue Sep 11, 2024
Merged
github-merge-queue bot pushed a commit that referenced this issue Sep 11, 2024
@niklasad1 @ggwpez
rpc server: fix deny unsafe on RpcMethods::Auto (#5678)
4e7c9e7 
Close #5677

I made a nit when I moved this code:
https://github.com/paritytech/polkadot-sdk/blob/v1.14.0-rc1/substrate/client/service/src/lib.rs#L379-#L385
in #4792

Thus:
 - (ip.is_loopback(), RpcMethods::Auto) -> allow unsafe
 - (!ip.is_loopback(), RpcMethods::Auto) -> deny unsafe

---------

Co-authored-by: ggwpez <ggwpez@users.noreply.github.com>
niklasad1 added a commit that referenced this issue Sep 12, 2024
@niklasad1 @ggwpez
rpc server: fix deny unsafe on RpcMethods::Auto (#5678)
814cd3d 
Close #5677

I made a nit when I moved this code:
https://github.com/paritytech/polkadot-sdk/blob/v1.14.0-rc1/substrate/client/service/src/lib.rs#L379-#L385
in #4792

Thus:
 - (ip.is_loopback(), RpcMethods::Auto) -> allow unsafe
 - (!ip.is_loopback(), RpcMethods::Auto) -> deny unsafe

---------

Co-authored-by: ggwpez <ggwpez@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
I2-bug The node fails to follow expected behavior. I10-unconfirmed Issue might be valid, but it's not yet known.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

rpc server: fix deny unsafe on RpcMethods::Auto paritytech/polkadot-sdk
3 participants
@ggwpez @niklasad1 @BulatSaif