aptos-core icon indicating copy to clipboard operation
aptos-core copied to clipboard

Published 20 hours ago verified publisher icon aptos-labs

[Bug] Credential config for Aptos Client introduce vulnerability

Open nodereal-keeper opened this issue 3 years ago • 5 comments

🐛 Bug

the APTOS SDK will enable the conf.WITH_CREDENTIALS = true by default when developers create a client. however, this can be a security vulnerability because the cookies will be shared to the node as well

To reproduce

Code snippet to reproduce https://github.com/aptos-labs/aptos-core/blob/65c05dbf1db83ee4986bec2b6676099dd4f8c24c/ecosystem/typescript/sdk/src/aptos_client.ts#L79

nodereal-keeper avatar Oct 24 '22 13:10 nodereal-keeper

That's ... the point. Many application load balancers only support a single session via cookies. If you do not use cookies, you may end up talking to a different REST node. This can be particularly harmful for clients that attempt to send multiple transactions in the same window. Similarly the first node may be at version X but the second node may be at version X - delta, and that could cause issues for clients.

If you want your application to point to a load balancer that does not need cookies, feel free to disable it. But since the nodes run by AptosLabs do, we are unfortunately not in a position to set this to false.

davidiw avatar Oct 24 '22 14:10 davidiw

That's ... the point. Many application load balancers only support a single session via cookies. If you do not use cookies, you may end up talking to a different REST node. This can be particularly harmful for clients that attempt to send multiple transactions in the same window. Similarly the first node may be at version X but the second node may be at version X - delta, and that could cause issues for clients.

If you want your application to point to a load balancer that does not need cookies, feel free to disable it. But since the nodes run by AptosLabs do, we are unfortunately not in a position to set this to false.

What about if they set to True explicitly? It seems the key point is the default config setting.

huihzhao avatar Oct 24 '22 14:10 huihzhao

What about if they set to True explicitly? It seems the key point is the default config setting.

I suspect most users will develop against the nodes provided by AptosLabs. As a result, I think that doing this will only result in a really bad developer experience. I think we could add some documentation around this topic to inform typescript dapp developers that cookies are enabled on by default. We will not be adjusting this setting at this point in time.

davidiw avatar Oct 24 '22 18:10 davidiw

@davidiw I feel confused why it is a bad developer experience. To my understanding, this is a potential vulnerability. may I know why changing the config is a problem? If you could share more details it would be very helpful. :)

huihzhao avatar Oct 24 '22 18:10 huihzhao

Read my first comment: https://github.com/aptos-labs/aptos-core/issues/5242#issuecomment-1289091390

there's really no vulnerability here, it is weird, but ...we should prioritize the common case: aptoslabs nodes run behind an application load balancer. This needs a cookie.

davidiw avatar Oct 24 '22 19:10 davidiw