From bcd2a127dff727e8d50844d1f4b3791c4f1ec85b Mon Sep 17 00:00:00 2001 From: Andy Pliszka Date: Mon, 9 Sep 2024 16:13:51 -0400 Subject: [PATCH] feat: disables debug server by default --- README.md | 4 ++++ cmd/flags.go | 11 +++++++++++ cmd/start.go | 8 +++++++- 3 files changed, 22 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 48af4767a..3c9d2e5df 100644 --- a/README.md +++ b/README.md @@ -199,6 +199,10 @@ Additional information on how IBC works can be found [here](https://ibc.cosmos.n [[TROUBLESHOOTING](docs/troubleshooting.md)] --- +## Production deployment recomendations + +- Make sure the debug server is disabled in production. + ## Security Notice If you would like to report a security bug related to the relayer repo, diff --git a/cmd/flags.go b/cmd/flags.go index dd284cd48..a0c42d3ef 100644 --- a/cmd/flags.go +++ b/cmd/flags.go @@ -38,6 +38,7 @@ const ( flagDstPort = "dst-port" flagOrder = "order" flagVersion = "version" + flagEnableDebugServer = "enable-debug-server" flagDebugAddr = "debug-addr" flagOverwriteConfig = "overwrite" flagLimit = "limit" @@ -429,6 +430,16 @@ func debugServerFlags(v *viper.Viper, cmd *cobra.Command) *cobra.Command { panic(err) } + cmd.Flags().Bool( + flagEnableDebugServer, + false, + "enables debug server. By default, the debug server is disabled due to security concerns.", + ) + + if err := v.BindPFlag(flagEnableDebugServer, cmd.Flags().Lookup(flagEnableDebugServer)); err != nil { + panic(err) + } + return cmd } diff --git a/cmd/start.go b/cmd/start.go index c508f8732..8e1d38d5d 100644 --- a/cmd/start.go +++ b/cmd/start.go @@ -105,9 +105,15 @@ $ %s start demo-path2 --max-tx-size 10`, appName, appName, appName, appName)), debugAddr = debugAddrFlag } - if debugAddr == "" { + flagEnableDebugServer, err := cmd.Flags().GetBool(flagEnableDebugServer) + if err != nil { + return err + } + + if flagEnableDebugServer == false || debugAddr == "" { a.log.Info("Skipping debug server due to empty debug address flag") } else { + a.log.Warn("SECURITY WARNING! Debug server is enabled. It should only be used for non-production deployments.") ln, err := net.Listen("tcp", debugAddr) if err != nil { a.log.Error(