fix(rpc): restrict node RPC to eth,net,web3 instead of all namespaces (Veridise 1202)#34
Open
HenryMBaldwin wants to merge 1 commit into
Open
fix(rpc): restrict node RPC to eth,net,web3 instead of all namespaces (Veridise 1202)#34HenryMBaldwin wants to merge 1 commit into
HenryMBaldwin wants to merge 1 commit into
Conversation
Replaces --http.api all / --ws.api all with an explicit allowlist so admin, debug, trace, txpool, and ots are no longer exposed on the public RPC surface (Veridise 1202). The seismic namespace (getTeePublicKey) and Seismic eth_ overrides are force-merged in seismic-reth regardless of --http.api, so client encryption is unaffected; summit talks to the engine API over --auth-ipc, so consensus is unaffected.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Veridise 1202 — excessively permissive RPC configuration
deploy_gcp/templates/supervisor.conflaunched seismic-reth with--http.api alland--ws.api all, exposing every namespace —admin,debug,trace,txpool,ots,flashbots,mev— on the public RPC surface (theadminnamespace's mutating methods likeaddPeerwere confirmed reachable).Change
Replace
allwith an explicit allowlisteth,net,web3on both HTTP and WS.Why this is safe
seismicnamespace (seismic_getTeePublicKey) and the Seismiceth_overrides (call/estimateGas/simulateV1/sendRawTransaction) are registered viamerge_configured/replace_configuredin seismic-reth, which merge into HTTP/WS regardless of--http.api. So they remain available with the restricted allowlist.--auth-ipc, not the public HTTP/WS surface.admin/debug/trace/ots/txpool, which also removes the reachable surface behind related trace-leak findings (1085, 1207).Scope — other 1202 flags NOT changed here
These are pinned in
supervisor.confand remain unchanged by this PR. They were intentionally left out to keep this change to the single highest-value, lowest-risk fix — not because they've been reviewed and deemed acceptable. Each still warrants a separate decision:--rpc.enable-storage-apis— re-enableseth_getStorageAt/eth_getFlaggedStorageAt. Note private storage values are already redacted to zero in seismic-reth regardless of this flag, so this is a storage-layout/metadata concern (which slots are private) rather than a value leak.--http.corsdomain */--ws.origins *— wildcard browser origins. Lower risk now that the namespace set is restricted to read methods, but dropping it can break legitimate browser dapps; needs frontend/ops input.--http.addr/--ws.addr 0.0.0.0— wide bind is intentional for a public RPC node.