Skip to content

rpc: restrict bitcoinproxy to a read-only method allowlist#496

Open
Atishyy27 wants to merge 1 commit into
braidpool:devfrom
Atishyy27:fix/417-bitcoinproxy-method-allowlist
Open

rpc: restrict bitcoinproxy to a read-only method allowlist#496
Atishyy27 wants to merge 1 commit into
braidpool:devfrom
Atishyy27:fix/417-bitcoinproxy-method-allowlist

Conversation

@Atishyy27

Copy link
Copy Markdown

Problem

bitcoin_proxy in node/src/rpc_server.rs forwards any method straight to Bitcoin Core using the node's stored RPC credentials, with only a logging middleware in front — no method filtering. Any process that can reach the RPC server can therefore run:

{"jsonrpc":"2.0","method":"bitcoinproxy","params":["dumpprivkey",["<address>"]],"id":1}

to pull private keys out of Bitcoin Core, or sendtoaddress to move funds. It is bound to 127.0.0.1 today, but there is already a path toward making the bind address configurable, at which point this becomes a critical remote vulnerability.

Part of #417.

Change

  • Add BITCOIN_PROXY_ALLOWED_METHODS — an explicit allowlist of read-only, informational methods (chain/mempool/mining/network info, getblocktemplate, estimatesmartfee, uptime, …).
  • Reject any method not on the list in bitcoin_proxy before it reaches Bitcoin Core, returning a clear JSON-RPC error and a warn! log.
  • Matching is exact and case-sensitive (Bitcoin Core dispatch is case-sensitive, so casing can't be used to smuggle a method past the filter).
  • Unit tests cover allowed methods, wallet/control methods (dumpprivkey, sendtoaddress, importprivkey, walletpassphrase, stop), and unknown/empty/mis-cased input, plus an allowlist-dedup check.

Scope / follow-up

This closes the concrete key-exfiltration / fund-draining vector by adding the method filtering the issue asks for. Adding authentication to the RPC server (the other half of #417) is intentionally left as a separate follow-up so this stays atomic.

Notes

cargo fmt clean. A full local cargo check isn't possible on Windows (async_zmq/mio::unix is Unix-only), so I verified types by hand and via the new unit tests; CI will compile-check.

bitcoin_proxy forwarded any method straight to Bitcoin Core using the
node's stored credentials, with only a logging middleware in front. A
local caller could therefore invoke wallet/control methods such as
dumpprivkey (exfiltrate private keys) or sendtoaddress (drain funds).
This becomes critical once the RPC bind address is made configurable and
someone exposes it beyond localhost.

Gate bitcoin_proxy behind BITCOIN_PROXY_ALLOWED_METHODS, an explicit
allowlist of read-only informational methods, and reject anything else
before it reaches Bitcoin Core. Matching is exact/case-sensitive so
casing cannot bypass the filter. Adds unit tests covering allowed,
wallet/control, unknown, empty and mis-cased methods.

Authentication on the RPC server (the other half of the issue) is left
as a follow-up.

Part of braidpool#417
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant