Describe the bug
Under some conditions, nitro can leak internally configured endpoints in JSON-RPC responses.
When this happens, it returns the full URL from the configuration to the person who made the RPC call, which can lead to leaking API keys, IPs, etc.
To Reproduce
Steps to reproduce the behavior:
Run nitro with --execution.rpc.classic-redirect configured but pointed at a fake URL, then make an API call that requires the redirected URL, such as an eth_call to a legacy block. You'll get a response like this:
{"jsonrpc":"2.0","id":1,"error":{"code":-32000,"message":"Post \"https://my_node/my_api_key/\": dial tcp: lookup my_node on 127.0.0.53:53: no such host"}}
I am pretty sure it's also possible that it's leaking URLs for either parent-chain.connection.url or parent-chain.blob-client.beacon-url, or both, under some conditions, but I haven't been able to reproduce it.
Expected behavior
It should error out, but it shouldn't leak the URL you configured under --execution.rpc.classic-redirect, etc.
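The error string in the report has exactly the shape Go's net/http client produces: every transport failure is wrapped in a *url.Error whose Error() embeds the full request URL, so any API key in the path or query ends up in the message. The following is an added example, not nitro's own code, showing a sanitizer a server could apply before returning an upstream error to an RPC caller; the hostname, key and resolver address are constructed to mirror the report.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// sanitizeUpstreamError strips the upstream URL from an error produced by
// Go's net/http client. http.Client wraps transport failures in a *url.Error
// whose Error() string is `Op "URL": inner error`, so echoing it verbatim to
// an RPC caller discloses the configured endpoint (host, path, embedded key).
// We keep only a generic message plus a coarse error class, so the caller
// still learns that the upstream failed without learning where it lives.
func sanitizeUpstreamError(err error) error {
	if err == nil {
		return nil
	}
	var ue *url.Error
	if !errors.As(err, &ue) {
		// Not a client/transport error: pass through unchanged.
		return err
	}
	var dnsErr *net.DNSError
	switch {
	case errors.As(ue.Err, &dnsErr):
		// net.DNSError.Error() also embeds the looked-up name and the
		// resolver address, so we must not forward it either.
		return errors.New("upstream request failed: DNS lookup error")
	case ue.Timeout():
		return errors.New("upstream request failed: timeout")
	default:
		return errors.New("upstream request failed")
	}
}

// leakyExample builds (offline, no network) the error http.Client would
// return when a redirect target's hostname cannot be resolved. Values are
// constructed to match the issue's sample response.
func leakyExample() error {
	return &url.Error{
		Op:  "Post",
		URL: "https://my_node/my_api_key/",
		Err: &net.DNSError{Err: "no such host", Name: "my_node", Server: "127.0.0.53:53"},
	}
}

func main() {
	raw := leakyExample()
	fmt.Println("leaky:", raw.Error())
	fmt.Println("safe: ", sanitizeUpstreamError(raw).Error())
}
```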