neo-project / neo-modules

MIT License

Remove GZip compression from RPC server for HTTPS #809

Closed cschuchardt88 closed 1 year ago

cschuchardt88 commented 1 year ago

Summary or problem description: Having compression is a nice feature to have, but there is one drawback: the security vulnerability of a BREACH attack.

With a server with the wallet API enabled this could be deadly. An attacker could inject malicious text into a request to send NEO or GAS, the worst-case scenario.

Read more about it here: https://www.breachattack.com/

Do you have any solution you want to propose? Remove the GZip command from the server, or have an option to configure it on or off. Let the user choose to enable or disable it.

https://github.com/neo-project/neo-modules/blob/99ffc846e4df93491d1d812cb4c6ef6ee875e056/src/RpcServer/RpcServer.cs#L132

https://github.com/neo-project/neo-modules/blob/99ffc846e4df93491d1d812cb4c6ef6ee875e056/src/RpcServer/RpcServer.cs#L140

Where in the software does this update apply to?

shargon commented 1 year ago
```csharp
// Summary:
//     Indicates if responses over HTTPS connections should be compressed. The default
//     is 'false'. Enabling compression on HTTPS requests for remotely manipulable content
//     may expose security problems.
//
// Remarks:
//     This can be overridden per request using Microsoft.AspNetCore.Http.Features.IHttpsCompressionFeature.
```

Seems to be disabled by default.

https://github.com/neo-project/neo-modules/blob/99ffc846e4df93491d1d812cb4c6ef6ee875e056/src/RpcServer/RpcServer.cs#L139

cschuchardt88 commented 1 year ago

@shargon thanks for clearing that up. Can we have the option to enable or disable it? Or to change the compression level?

cschuchardt88 commented 1 year ago

Closing ... problem resolved.