chore: Safe JSON RPC server and client #9656
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ludamad
reviewed
Nov 1, 2024
| if (res.error) { | ||
| throw res.error; | ||
| } | ||
| // TODO: Why check for string null and undefined? |
There was a problem hiding this comment.
Why check for string null and undefined?
I don't see any reason to
ludamad
reviewed
Nov 1, 2024
| it('calls an RPC function that throws an error', async () => { | ||
| const response = await send({ method: 'fail', params: [] }); | ||
| expectError(response, 500, 'Test state failed'); | ||
| }); |
ludamad
reviewed
Nov 1, 2024
| await next(); | ||
| } catch (err: any) { | ||
| this.log.error(err); | ||
| if (err instanceof SyntaxError) { |
There was a problem hiding this comment.
One wishlist item for me would be a request ID that is used to log this error so that it can be easily correlated from the tx bot e.g. side
There was a problem hiding this comment.
Not just for you: https://hackmd.io/@aztec-network/rkebFFEhA?type=view#Tracing-requests
ludamad
approved these changes
Nov 1, 2024
spalladino
added a commit
that referenced
this pull request
Nov 10, 2024
**Adds schemas for every API.** Every API exposed via JSON RPC now requires a zod schema (see #9656 for more context on the rationale for this change). All schemas are in `circuit-types/interfaces`, and look like: https://github.com/AztecProtocol/aztec-packages/blob/3e78ec721285fcd533cff61329a8e156958e2d65/yarn-project/circuit-types/src/interfaces/prover-node.ts#L33-L45 These schemas are type-checked against the interface via the `ApiSchemaFor` utility type, so if the interface changes, schemas are required by the compiler to change as well. Schemas are now used in the JSON RPC server to 1) identify which methods are exposed (so we no longer need the method disallowlist) and 2) parse their arguments. The JSON RPC server, once it has identified the method to be called, grabs the arguments schema and funnels the result of a vanilla JSON parse through it. Every type or struct that is exposed via an interface now has an associated schema, which is referenced in the API for parsing. Schemas both validate input and hydrate instances. This means that we no longer set a `type` property to identify how to hydrate each object in a request during deserialization, which was a security risk. https://github.com/AztecProtocol/aztec-packages/blob/3e78ec721285fcd533cff61329a8e156958e2d65/yarn-project/circuit-types/src/l2_block.ts#L24-L32 Schemas are also used in the JSON RPC client for deserializing the result types. Again, this lets us remove the `type` parameter from all serialized entities, though this is still present in since it is required by the `TypeRegistry` (still to be removed) which is only used in the snapshot manager. All schemas are tested via mini integration tests. These tests define a mock implementation for each service, use it for setting up a JSON RPC server, starting it in a free port, and test calling every method through JSON RPC. https://github.com/AztecProtocol/aztec-packages/blob/3e78ec721285fcd533cff61329a8e156958e2d65/yarn-project/circuit-types/src/interfaces/prover-node.test.ts#L12-L31 These changes prompted other changes. For instance, we introduced the following changes to APIs: - `ProvingJobSource.rejectProvingJob` now accepts a reason `string` instead of an `Error` type - `PXE.getEvents(type)` is removed in favor of `PXE.getEncryptedEvents` and `PXE.getUnencryptedEvents` since both methods required different arguments We also removed service-management methods (ie `stop`) from interfaces. We were inadvertently calling `stop` on remote instances over http when we shouldn't have. We also typed some previously untyped interfaces, such as the TXE's. Fixes #9455
|
Lovely PR writeup! Thanks |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Current situation
What was wrong with our way of exposing our APIs over JSON RPC? First of all, the JsonRpcServer defaulted to exporting every method on the underlying handler, including those flagged as private in ts (though js-private like #method were safe). While we had a blacklist, it's safer to be explicit on what to expose.
Then, argument deserialization was handled based on client inputs exclusively, allowing to target any class registered in the RPC interface. This means a method expecting an instance of class A as an argument, could just be fed an instance of B by its caller.
Deserialization itself was also unchecked. Most fromJSON methods did not validate any of their inputs, just assuming the any input object matched the expected shape. Primitive arguments to functions were also unchecked, so a caller could eg pass a number where a string was expected.
Other unrelated issues included often forgetting to register a class for (de)serialization in the rpc server, or forgetting to type all API return types as async (if they are over an RPC interface, calling any method should be async!).
These issues all affected the client as well. Though security is not so much of an issue on the client, lack of validation could indeed cause bugs by querying a server with a mismatching version.
Proposed fix
We introduce a pair of "safe" JSON rpc client and server abstractions, that consume a schema along with a handler. The schema leverages
zodfor validating all inputs (in the case of the server) and outputs (in the case of the client) and defining the exact set of methods that are exposed. Schemas are type-checked against the interface, so a change in the interface will trigger tsc to alert us to change the schemas as well.As a side effect of this change, since each method now knows what it should be deserializing, we can kill much of the custom logic for (de)serialization, such as the string and class converters, and just rely on vanilla json serialization. Each class that we intend to pass through the wire should expose a static zod schema used for both validation and hydration, and a
toJSONmethod that is used for serialization:Then the API is defined as a plain interface:
With its corresponding schema:
Scope of this PR
This PR introduces the new safe json rpc client and server abstractions, but does not yet enable them. All
startmethods still use the old flavors. Upcoming PRs will add schemas for all our public interfaces and make the switch.