This repository has been archived by the owner on Sep 26, 2019. It is now read-only.

[NC-1742] Added host whitelist for Json-RPC. #295

Merged
merged 8 commits into from
Dec 7, 2018

Conversation

mark-terry
Contributor

PR description

Implemented a hostname whitelist for the JSON RPC service, as suggested by trail-of-bits to avoid DNS rebind attacks.

New behaviour:
A new CLI option has been added - --host-whitelist. This argument can take a few values:

  • A list of comma-separated hostnames, permitting connections from the specified hosts
  • * enables connections from all hosts

If this argument is not specified, it will default to localhost and only permit connections that contain localhost in the Host header of the request.

Fixed Issue(s)

fixes #244
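As an added illustration of the check this PR describes (example code written for this page, not Pantheon's own implementation; the function names, the port-stripping rule and the exact-match policy are assumptions), the whitelist logic in Python. The point of the defence: in a DNS rebinding attack the victim's browser is tricked into resolving the attacker's hostname to 127.0.0.1, so a request from the attacker's page reaches the local JSON-RPC port, but the Host header still carries the attacker's hostname because the browser, not the attacker, sets it. Rejecting any request whose Host is not on the whitelist therefore stops the attack. The example compares the hostname exactly after stripping the port rather than doing a substring match, since a hostname such as `localhost.attacker.example` also contains `localhost`.

```python
"""Host-header whitelist for a local JSON-RPC service (added example).

Mirrors the --host-whitelist semantics described in the PR text:
  - None/empty      -> default whitelist ("localhost",)
  - "a,b,c"         -> those hostnames
  - "*"             -> allow all hosts
The helper names and the exact-match policy are this example's assumptions.
"""
from typing import Optional, Sequence, Tuple

DEFAULT_WHITELIST: Tuple[str, ...] = ("localhost",)


def parse_whitelist(arg: Optional[str]) -> Tuple[str, ...]:
    """Parse a comma-separated --host-whitelist value into lower-cased hostnames."""
    if arg is None or not arg.strip():
        return DEFAULT_WHITELIST
    hosts = tuple(h.strip().lower() for h in arg.split(",") if h.strip())
    return hosts or DEFAULT_WHITELIST


def host_from_header(host_header: str) -> str:
    """Drop an optional :port and normalise case.

    'localhost:8545' -> 'localhost', '[::1]:8545' -> '[::1]', '::1' -> '::1'.
    """
    h = host_header.strip().lower()
    if h.startswith("["):                  # bracketed IPv6 literal, maybe with port
        end = h.find("]")
        return h[: end + 1] if end != -1 else h
    if h.count(":") == 1:                  # hostname or IPv4 with a single :port
        return h.rsplit(":", 1)[0]
    return h                               # bare IPv6 or no port at all


def host_allowed(host_header: Optional[str], whitelist: Sequence[str]) -> bool:
    """Return True if the request's Host header is acceptable under the whitelist."""
    if "*" in whitelist:
        return True
    if not host_header:                    # HTTP/1.1 requires Host; missing -> reject
        return False
    return host_from_header(host_header) in whitelist


def check_request(raw_request: str, whitelist: Sequence[str]) -> int:
    """Parse the Host header out of a raw HTTP request and return 200 or 403."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    host = None
    for line in head.split("\r\n")[1:]:    # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return 200 if host_allowed(host, whitelist) else 403


# Constructed sample requests (not captured traffic).
RPC_BODY = '{"jsonrpc":"2.0","method":"eth_blockNumber","params":[],"id":1}'
REQUEST_LOCAL = (
    "POST / HTTP/1.1\r\nHost: localhost:8545\r\n"
    "Content-Type: application/json\r\n\r\n" + RPC_BODY
)
# What a rebinding page would produce: the socket is local, the Host is not.
REQUEST_REBIND = (
    "POST / HTTP/1.1\r\nHost: attacker.example\r\n"
    "Content-Type: application/json\r\n\r\n" + RPC_BODY
)
REQUEST_NO_HOST = "POST / HTTP/1.1\r\nContent-Type: application/json\r\n\r\n" + RPC_BODY


if __name__ == "__main__":
    wl = parse_whitelist(None)
    for name, req in (("local", REQUEST_LOCAL), ("rebind", REQUEST_REBIND), ("no-host", REQUEST_NO_HOST)):
        print(f"{name:8s} -> {check_request(req, wl)}")
```

A practitioner hardening a node would also note that the whitelist only protects the JSON-RPC port against browser-originated requests; a client that can set its own Host header (curl on the same machine) is unaffected, which is the intended behaviour since the threat is the browser, not a local process.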

Contributor

@ajsutton ajsutton left a comment


LGTM. Couple of minor suggestions.

@mark-terry mark-terry merged commit 3bcdc04 into PegaSysEng:master Dec 7, 2018
@mark-terry mark-terry deleted the NC-1742-better branch January 29, 2019 13:49
Labels
enhancement New feature or request security Related to security

4 participants