From 9cddfe92a38138a8eb88011954ca9b6a1ae4405e Mon Sep 17 00:00:00 2001 From: Felix Lange Date: Thu, 6 Oct 2022 14:01:04 +0200 Subject: [PATCH] node: prevent exposing engine API on unauthenticated endpoint (#25939) * node: prevent exposing engine API on unauthenticated endpoint * node: improve RPC setup --- node/api.go | 2 +- node/node.go | 30 +++++++++++++++--------------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/node/api.go b/node/api.go index 67953a812..15892a270 100644 --- a/node/api.go +++ b/node/api.go @@ -269,7 +269,7 @@ func (api *adminAPI) StartWS(host *string, port *int, allowedOrigins *string, ap if err := server.setListenAddr(*host, *port); err != nil { return false, err } - openApis, _ := api.node.GetAPIs() + openApis, _ := api.node.getAPIs() if err := server.enableWS(openApis, config); err != nil { return false, err } diff --git a/node/node.go b/node/node.go index 3cbefef02..c8fda1fe3 100644 --- a/node/node.go +++ b/node/node.go @@ -392,15 +392,15 @@ func (n *Node) startRPC() error { } } var ( - servers []*httpServer - open, all = n.GetAPIs() + servers []*httpServer + openAPIs, allAPIs = n.getAPIs() ) - initHttp := func(server *httpServer, apis []rpc.API, port int) error { + initHttp := func(server *httpServer, port int) error { if err := server.setListenAddr(n.config.HTTPHost, port); err != nil { return err } - if err := server.enableRPC(apis, httpConfig{ + if err := server.enableRPC(openAPIs, httpConfig{ CorsAllowedOrigins: n.config.HTTPCors, Vhosts: n.config.HTTPVirtualHosts, Modules: n.config.HTTPModules, @@ -412,12 +412,12 @@ func (n *Node) startRPC() error { return nil } - initWS := func(apis []rpc.API, port int) error { + initWS := func(port int) error { server := n.wsServerForPort(port, false) if err := server.setListenAddr(n.config.WSHost, port); err != nil { return err } - if err := server.enableWS(n.rpcAPIs, wsConfig{ + if err := server.enableWS(openAPIs, wsConfig{ Modules: n.config.WSModules, Origins: n.config.WSOrigins, prefix: n.config.WSPathPrefix, @@ -428,13 +428,13 @@ func (n *Node) startRPC() error { return nil } - initAuth := func(apis []rpc.API, port int, secret []byte) error { + initAuth := func(port int, secret []byte) error { // Enable auth via HTTP server := n.httpAuth if err := server.setListenAddr(n.config.AuthAddr, port); err != nil { return err } - if err := server.enableRPC(apis, httpConfig{ + if err := server.enableRPC(allAPIs, httpConfig{ CorsAllowedOrigins: DefaultAuthCors, Vhosts: n.config.AuthVirtualHosts, Modules: DefaultAuthModules, @@ -449,7 +449,7 @@ func (n *Node) startRPC() error { if err := server.setListenAddr(n.config.AuthAddr, port); err != nil { return err } - if err := server.enableWS(apis, wsConfig{ + if err := server.enableWS(allAPIs, wsConfig{ Modules: DefaultAuthModules, Origins: DefaultAuthOrigins, prefix: DefaultAuthPrefix, @@ -464,24 +464,24 @@ func (n *Node) startRPC() error { // Set up HTTP. if n.config.HTTPHost != "" { // Configure legacy unauthenticated HTTP. - if err := initHttp(n.http, open, n.config.HTTPPort); err != nil { + if err := initHttp(n.http, n.config.HTTPPort); err != nil { return err } } // Configure WebSocket. if n.config.WSHost != "" { // legacy unauthenticated - if err := initWS(open, n.config.WSPort); err != nil { + if err := initWS(n.config.WSPort); err != nil { return err } } // Configure authenticated API - if len(open) != len(all) { + if len(openAPIs) != len(allAPIs) { jwtSecret, err := n.obtainJWTSecret(n.config.JWTSecret) if err != nil { return err } - if err := initAuth(all, n.config.AuthPort, jwtSecret); err != nil { + if err := initAuth(n.config.AuthPort, jwtSecret); err != nil { return err } } @@ -570,9 +570,9 @@ func (n *Node) RegisterAPIs(apis []rpc.API) { n.rpcAPIs = append(n.rpcAPIs, apis...) } -// GetAPIs return two sets of APIs, both the ones that do not require +// getAPIs return two sets of APIs, both the ones that do not require // authentication, and the complete set -func (n *Node) GetAPIs() (unauthenticated, all []rpc.API) { +func (n *Node) getAPIs() (unauthenticated, all []rpc.API) { for _, api := range n.rpcAPIs { if !api.Authenticated { unauthenticated = append(unauthenticated, api)