Bug v1.16.0-rc1 (stable2409) RPC call is unsafe to be called externally #5677

Closed
2 tasks done
BulatSaif opened this issue Sep 11, 2024 · 2 comments · Fixed by #5678
Labels
I2-bug The node fails to follow expected behavior. I10-unconfirmed Issue might be valid, but it's not yet known.

Comments

@BulatSaif
Contributor

Is there an existing issue?

  • I have searched the existing issues

Experiencing problems? Have you tried our Stack Exchange first?

  • This is not a support question.

Description of bug

Before polkadot:v1.16.0, unsafe RPC methods were exposed by default if the RPC was open to localhost. This behavior has changed (accidentally?), but the help documentation has not been updated.

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --help | grep -A 10 rpc-methods
      --rpc-methods <METHOD SET>
          RPC methods to expose.
          
          [default: auto]

          Possible values:
          - auto:   Expose every RPC method only when RPC is listening on `localhost`, otherwise
            serve only safe RPC methods
          - safe:   Allow only a safe subset of RPC methods
          - unsafe: Expose every RPC method (even potentially unsafe ones)

Example:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1  --chain rococo-local 
Starting binary polkadot
2024-09-11 12:08:23 Parity Polkadot    
2024-09-11 12:08:23 ✌️  version 1.16.0-a427d8fb677    
2024-09-11 12:08:23 ❤️  by Parity Technologies <admin@parity.io>, 2017-2024    
2024-09-11 12:08:23 📋 Chain specification: Rococo Local Testnet    
...
2024-09-11 12:08:30 Running JSON-RPC server: addr=127.0.0.1:9944, 
curl -H "Content-Type: application/json" --data '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x11","aura"],"id":1 }' localhost:9944
{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}

Workaround:
Set --rpc-methods manually:

--rpc-methods=unsafe

Steps to reproduce

On host:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.16.0-rc1 --chain rococo-local
docker exec -it -u 0 CONTAINER_ID bash

Inside the container, run any unsafe RPC (you can install curl or use the bash script below):

# bash only (uses /dev/tcp, no curl needed). Sends a proper CRLF HTTP/1.1 request whose
# Content-Length matches the body, and asks the server to close so `cat` returns.
pcurl() { exec 4<>/dev/tcp/127.0.0.1/9944 && printf 'POST / HTTP/1.1\r\nHost: 127.0.0.1:9944\r\nContent-Type: application/json\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s' "${#1}" "$1" >&4 && cat <&4; exec 4>&-; }
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
{"jsonrpc":"2.0","id":1,"error":{"code":-32601,"message":"RPC call is unsafe to be called externally"}}HTTP/1.1

It is important to run curl inside the container, so that it is on the same network.

Expected behavior:

docker run -it --rm -p 9944:9944  parity/polkadot:v1.15.2 --chain rococo-local
pcurl '{ "jsonrpc":"2.0", "method":"author_hasKey", "params":["0x1","aura"],"id":1 }'
#Output:
{"jsonrpc":"2.0","result":false,"id":1}HTTP/1.1
@BulatSaif BulatSaif added I2-bug The node fails to follow expected behavior. I10-unconfirmed Issue might be valid, but it's not yet known. labels Sep 11, 2024
@ggwpez
Member

ggwpez commented Sep 11, 2024

Maybe this one #4792? @niklasad1 do you know if this here is desired behaviour or not?

@niklasad1
Member

niklasad1 commented Sep 11, 2024

It wasn't intended to break this, lemme check

Thanks Bulat, I have opened a PR to fix this

niklasad1 added a commit that referenced this issue Sep 11, 2024
github-merge-queue bot pushed a commit that referenced this issue Sep 11, 2024
Close #5677

I made a nit when I moved this code:
https://github.com/paritytech/polkadot-sdk/blob/v1.14.0-rc1/substrate/client/service/src/lib.rs#L379-#L385
in #4792

Thus:
 - (ip.is_loopback(), RpcMethods::Auto) -> allow unsafe
 - (!ip.is_loopback(), RpcMethods::Auto) -> deny unsafe

---------

Co-authored-by: ggwpez <ggwpez@users.noreply.github.com>
niklasad1 added a commit that referenced this issue Sep 12, 2024
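The mapping from the commit message, as an added Rust example (not polkadot-sdk's own code): a stand-alone decision function for the `--rpc-methods` values from the help text, plus an operator helper that reads the listener address out of the node's "Running JSON-RPC server: addr=..." log line and reports whether unsafe methods should be reachable there. The enum and function names are assumptions.

```rust
use std::net::{IpAddr, SocketAddr};

/// The three values of `--rpc-methods` listed in the node's `--help` output.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub enum RpcMethods {
    Auto,
    Safe,
    Unsafe,
}

impl RpcMethods {
    /// Parse the CLI value; `auto` is the documented default.
    pub fn parse(s: &str) -> Option<Self> {
        match s {
            "auto" => Some(Self::Auto),
            "safe" => Some(Self::Safe),
            "unsafe" => Some(Self::Unsafe),
            _ => None,
        }
    }
}

/// Decide whether unsafe RPC methods are served on a listener bound to `bind`,
/// following the mapping in the fix commit: `auto` exposes them only on a
/// loopback address, while `safe` and `unsafe` ignore the address entirely.
/// (Hypothetical reconstruction of the intended logic, not the project's code.)
pub fn allow_unsafe(bind: IpAddr, methods: RpcMethods) -> bool {
    match (bind.is_loopback(), methods) {
        (_, RpcMethods::Unsafe) => true,
        (_, RpcMethods::Safe) => false,
        (true, RpcMethods::Auto) => true,   // 127.0.0.1 / ::1  -> allow unsafe
        (false, RpcMethods::Auto) => false, // any other address -> deny unsafe
    }
}

/// Operator check: pull the listener address out of the node's
/// "Running JSON-RPC server: addr=..." log line and report whether unsafe
/// methods should be reachable there under `flag`. Returns None when the
/// line carries no parseable socket address or the flag value is unknown.
pub fn effective_from_log(line: &str, flag: &str) -> Option<bool> {
    let raw = line.split("addr=").nth(1)?;
    let addr: SocketAddr = raw
        .split(|c: char| c == ',' || c.is_whitespace())
        .next()?
        .parse()
        .ok()?;
    Some(allow_unsafe(addr.ip(), RpcMethods::parse(flag)?))
}
```

Feeding the `addr=127.0.0.1:9944` line from the report above with `auto` yields `Some(true)`, i.e. the v1.15.2 behaviour the reporter expected; a listener on `0.0.0.0` yields `Some(false)`.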