Errors on full node endpoints expose RPC password #522

Open
christroutner opened this issue Nov 11, 2019 · 0 comments
Labels
bug Something isn't working


christroutner commented Nov 11, 2019

A lot of the endpoints will return the full error object as a last-ditch effort to return some intelligent error information on an unexpected error. Code like this:

```javascript
res.status(500)
return res.json({ error: util.inspect(err) })
```

On full node endpoints like the one above, when the full node is down, the error message will expose the full node password and other RPC info.

This isn't a big threat for rest.bitcoin.com, because we run full nodes that have no wallets and hold no funds. But it's bad practice and should be fixed.

@christroutner christroutner added the bug Something isn't working label Nov 11, 2019
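
One way to close the leak described in this issue, as an added example that is not code from the project: return a fixed message to the client and keep a redacted copy of the error for server-side logs. It assumes the RPC client attaches an axios-style `config` object (with `auth` and headers) to the error it throws; `sampleRpcError`, `leakyBody`, `safeBody` and `redact` are hypothetical names, and all sample values are constructed.

```javascript
const util = require('util')

// Constructed sample: shape of an error thrown by an HTTP client (axios-style,
// an assumption) when the full node is unreachable. The request config,
// including RPC credentials, rides along on the error. All values are made up.
function sampleRpcError () {
  const err = new Error('connect ECONNREFUSED 127.0.0.1:8332')
  err.code = 'ECONNREFUSED'
  err.config = {
    url: 'http://127.0.0.1:8332/',
    auth: { username: 'rpcuser-example', password: 'rpcpass-example' },
    headers: { Authorization: 'Basic cnBjdXNlcjpycGNwYXNz' }
  }
  return err
}

// Pattern from the issue: the whole error object is serialized to the client.
function leakyBody (err) {
  return { error: util.inspect(err) }
}

// Hardened: the client only sees a fixed message picked from an allowlist of
// error codes, plus an opaque id to correlate with the server-side log entry.
const PUBLIC_MESSAGES = new Map([
  ['ECONNREFUSED', 'Full node is unavailable. Try again later.'],
  ['ETIMEDOUT', 'Full node did not respond in time.']
])
function safeBody (err, errorId) {
  const msg = PUBLIC_MESSAGES.get(err && err.code) || 'Unexpected server error.'
  return { error: msg, errorId }
}

// Server-side log copy: recursively mask credential-bearing keys so the log
// file does not become the next place the password leaks.
const SENSITIVE = /^(auth|authorization|password|pass|username|user|cookie)$/i
function redact (value, seen = new WeakSet()) {
  if (value === null || typeof value !== 'object') return value
  if (seen.has(value)) return '[Circular]'
  seen.add(value)
  const out = Array.isArray(value) ? [] : {}
  for (const key of Object.keys(value)) {
    out[key] = SENSITIVE.test(key) ? '[REDACTED]' : redact(value[key], seen)
  }
  // message is a non-enumerable property of Error, so copy it explicitly.
  if (value instanceof Error) out.message = value.message
  return out
}
```

In a handler this would replace the `util.inspect(err)` response with `res.json(safeBody(err, id))` and log `redact(err)` under the same id. Key-based redaction does not catch credentials embedded in a URL string, so RPC URLs of the form `user:pass@host` need separate handling.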