ethereum-optimism / stack-docs

OP Stack documentation

Fix rpc.enable-admin security vuln when running outside docker #27

Open Chomtana opened 1 year ago

Chomtana commented 1 year ago

Description

op-node and op-batcher have --rpc.enable-admin, which enables the admin API on their RPC. Combined with --rpc.addr=0.0.0.0, this will expose the admin API to the public when running outside Docker, which is a security vulnerability.

As @upnodedev asked in the ticket:

Why do you expose the batcher admin RPC? It seems to be used to start / stop the batcher. Wouldn't this be a security issue?

And @sbvegan has spoken to a client engineer:

image

The documentation is written from a Docker perspective, but users would run it on their own VM. So I think we shouldn't expose the admin API; it would be a security issue if exposed.
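The flag combination described in this PR (admin API enabled while bound to a non-loopback address) is easy to catch before a node or batcher is started. The following is an added example, not code from the OP Stack docs or from op-node/op-batcher: a pre-flight check that scans a command line for `--rpc.enable-admin` together with `--rpc.addr` and reports whether the admin RPC would be reachable beyond loopback. It assumes the flag spellings quoted in the thread (`--rpc.addr=<ip>`, `--rpc.addr <ip>`, `--rpc.enable-admin`); a missing `--rpc.addr` is treated as unknown and reported as exposed when admin is enabled, which is this example's conservative choice rather than a statement about the tools' defaults. The sample command lines are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the OP Stack docs or op-node/op-batcher).
# Checks a command line for the combination raised in the PR:
# --rpc.enable-admin plus a non-loopback --rpc.addr exposes the admin RPC
# to anyone who can reach the host.
#
# Assumptions: flags use the spellings quoted in the thread; an absent
# --rpc.addr is treated as unknown and flagged when admin is enabled
# (conservative choice of this example, not the tools' documented default).

# check_admin_exposure "<command line>"
# Returns 0 when the admin API is not reachable beyond loopback (or is off),
# 1 when it is exposed (admin enabled and bind address not loopback / unknown).
check_admin_exposure() {
  cmdline="$1"
  addr=""      # bind address seen on the command line, empty if absent
  admin=0      # becomes 1 once --rpc.enable-admin is seen
  prev=""      # previous token, so "--rpc.addr 0.0.0.0" is also understood
  for tok in $cmdline; do
    case "$tok" in
      --rpc.enable-admin|--rpc.enable-admin=true) admin=1 ;;
      --rpc.addr=*) addr="${tok#--rpc.addr=}" ;;
      *) if [ "$prev" = "--rpc.addr" ]; then addr="$tok"; fi ;;
    esac
    prev="$tok"
  done
  # Admin API off: nothing sensitive is exposed regardless of bind address.
  if [ "$admin" -ne 1 ]; then return 0; fi
  case "$addr" in
    127.0.0.1|localhost|::1|"[::1]") return 0 ;;   # loopback only: fine
    *) return 1 ;;                                  # public or unknown: exposed
  esac
}

# Constructed sample command lines: the weak setting from the PR beside
# the loopback-bound form that keeps the admin API local to the host.
for cmd in \
  "op-batcher --rpc.addr=0.0.0.0 --rpc.enable-admin" \
  "op-batcher --rpc.addr=127.0.0.1 --rpc.enable-admin" \
  "op-node --rpc.addr=0.0.0.0"
do
  if check_admin_exposure "$cmd"; then
    echo "ok:      $cmd"
  else
    echo "EXPOSED: $cmd"
  fi
done
```

Binding to loopback is the minimal fix; if the admin endpoint must be reached from another host, an authenticated reverse proxy or host firewall rule in front of it is the usual complement, and the check above would still flag the raw bind so the operator has to make that decision consciously.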

netlify[bot] commented 1 year ago

Deploy request for opstack-docs pending review.

Visit the deploys page to approve it

Latest commit: 1e3994bf565d89ce35a2506814a049cc73776cb2