
engine-jwt-disabled=true may bypass engine-host-allowlist

Open tdiesler opened this issue 1 year ago • 3 comments

A remote (curl) client may be able to access the authenticated JSON-RPC endpoint even though the client's host should not be allowed to do so.

docker run --detach \
  --name=besu \
  --user=0:0 \
  --restart=unless-stopped \
  --network=ethnet \
  -p 8545:8545 \
  -p 8551:8551 \
  -p 30303:30303/tcp \
  -p 30303:30303/udp \
  -v besu-data:/var/besu/data \
  -v besu-config:/var/besu/config \
  hyperledger/besu:${BESU_VERSION:-latest} \
    --data-path=/var/besu/data \
    --engine-jwt-secret=/var/besu/config/keys/jwt-token.txt \
    --engine-host-allowlist="127.0.0.1, ${BESU_HOST_IP}, 172.*" \
    --host-allowlist="127.0.0.1, ${BESU_HOST_IP}" \
    --engine-jwt-disabled=true \
    --rpc-http-enabled

curl --location --request POST 'http://x.x.x.x:8551' \
--header 'Authorization: Bearer 224xxx' \
--header 'Content-Type: application/json' \
--data-raw '{
    "jsonrpc": "2.0",
    "method": "eth_syncing",
    "params": [],
    "id": 1
}'

gives me ...

{
    "jsonrpc": "2.0",
    "id": 1,
    "result": {
        "startingBlock": "0xd47c7a",
        "currentBlock": "0xd49552",
        "highestBlock": "0xec5e6d",
        "pulledStates": "0x1744f",
        "knownStates": "0x1f61d"
    }
}

I would expect --engine-host-allowlist to take effect independent of --engine-jwt-disabled, hence expect to see Host not authorized

Versions (Add all that apply)

Docker image: hyperledger/besu-2.7.1

tdiesler avatar Sep 07 '22 14:09 tdiesler

BTW, I'm using --engine-jwt-disabled=true because I can't (yet) get authorized access to the JWT endpoint (8551) to work otherwise - it always gives me Unauthorized

tdiesler avatar Sep 07 '22 14:09 tdiesler

what do you get when you curl an engine api endpoint? e.g.

curl --location --request POST 'http://x.x.x.x:8551' \
--header 'Authorization: Bearer 224xxx' \
--header 'Content-Type: application/json' \
--data-raw '{
    "jsonrpc": "2.0",
    "method": "engine_exchangeTransitionConfigurationV1",
    "params": [],
    "id": 1
}'

garyschulte avatar Sep 07 '22 22:09 garyschulte

With besu-22.7.2, JWT authentication seems to work. I also used an incorrect JWT in the curl request. Would you know how to generate a valid JWT - perhaps with this https://jwt.io/#debugger-io ?

tdiesler avatar Sep 08 '22 09:09 tdiesler
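An added example, not taken from this issue thread or from Besu's code base, that shows two things the discussion above turns on: how an Engine API bearer token is minted and checked (HS256 over a 32-byte shared secret, with an `iat` claim that must sit within 60 seconds of the server clock), and how a host allowlist gate should sit in front of the JWT gate so that switching JWT off never skips the host check, which is the behaviour the reporter expected to see as "Host not authorized". The secret value, the allowlist entries, the client addresses and the shell-style wildcard matching used for entries such as `172.*` are all constructed or assumed for illustration; only the stdlib is used.

```python
import base64
import fnmatch
import hashlib
import hmac
import json
import time

# Constructed sample secret: 32 bytes of 0xaa written as hex. A real node reads a
# 64-hex-char string from the file given to --engine-jwt-secret; never reuse this one.
SAMPLE_SECRET_HEX = "aa" * 32

# Engine API JWT rule: the `iat` claim is accepted only within +/- 60 s of server time.
IAT_SKEW_SECONDS = 60


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_secret(hex_text):
    """Parse the contents of the secret file into the 32 raw key bytes."""
    h = hex_text.strip()
    if h.startswith("0x"):
        h = h[2:]
    key = bytes.fromhex(h)
    if len(key) != 32:
        raise ValueError("engine JWT secret must be exactly 32 bytes")
    return key


def mint_engine_jwt(secret, iat=None):
    """Build the HS256 token a consensus client sends as 'Authorization: Bearer ...'."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"iat": int(time.time()) if iat is None else iat}
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_engine_jwt(token, secret, now=None):
    """Return (ok, reason). The signature is checked before any claim is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable token"
    if header.get("alg") != "HS256":  # the token never gets to choose the algorithm
        return False, "algorithm not allowed"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return False, "undecodable payload"
    iat = payload.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, int):
        return False, "missing iat claim"
    now = int(time.time()) if now is None else now
    if abs(now - iat) > IAT_SKEW_SECONDS:
        return False, "iat outside allowed window"
    return True, "ok"


def host_allowed(host_header, allowlist):
    """Assumed allowlist semantics: strip the ':port' from the Host header and match
    the remainder against each comma-separated entry with shell-style wildcards.
    IPv4 addresses and plain hostnames only (no bracketed IPv6 literals)."""
    host = host_header.strip()
    if host.count(":") == 1:
        host = host.rsplit(":", 1)[0]
    return any(fnmatch.fnmatchcase(host, entry.strip()) for entry in allowlist.split(",") if entry.strip())


def authorize_engine_request(headers, allowlist, secret, jwt_disabled, now=None):
    """Gate order the issue expects: host allowlist first, JWT second.
    Disabling JWT relaxes only the second gate, never the first."""
    if not host_allowed(headers.get("Host", ""), allowlist):
        return False, "Host not authorized"
    if jwt_disabled:
        return True, "ok (jwt disabled)"
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False, "Unauthorized: missing bearer token"
    ok, reason = verify_engine_jwt(auth[len("Bearer "):], secret, now=now)
    return (True, "ok") if ok else (False, "Unauthorized: " + reason)


if __name__ == "__main__":
    key = load_secret(SAMPLE_SECRET_HEX)
    token = mint_engine_jwt(key)
    print(token)
    print(verify_engine_jwt(token, key))
    # Constructed request from an address outside the allowlist, with JWT disabled.
    print(authorize_engine_request({"Host": "203.0.113.9:8551"}, "127.0.0.1, 172.*", key, True))
```

The token printed by the demo is what `jwt.io` would show for the same header, payload and secret; an opaque value such as `224xxx` fails the `malformed token` branch before any signature work happens, and a stale token fails on the `iat` window even when its signature is valid.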

No longer a valid flag - closing.

non-fungible-nelson avatar Jan 26 '23 12:01 non-fungible-nelson