The use of `grpc.WithInsecure()` with a Unix-domain socket (from `conf/server.yml`) makes sense, since presumably there are no other users on the system who might create the socket (in `/tmp/eth-runtime-test` though, so any other user-level application could have created it).

It would be better defense-in-depth if:

- We verified that the address is `unix:/...` and generated warnings otherwise. If we ever configured it to go off of the local machine, unless there are some careful datacenter networking level assurances, we should not be using `grpc.WithInsecure()`. This is a potential foot gun, since due to load we might very well want to do that in the future, especially if, for example, a single "local" grpc server could back several gateway nodes.
- We used a different path than `/tmp` -- the `/tmp` directory is typically empty at boot and sticky, so if ever some other code w/ a different uid (e.g., trojan'd package via a supply-chain attack) runs before the gateway does, then that code could create the path and the unix-domain socket that this code expects, in which case we'd be talking to a bogus source. A directory path that is solely under the control of the net-runner would be better.
https://github.com/starfishlabs/oasis-evm-web3-gateway/blob/101feef8918c5044b7bb9aa98d38cb0e4f37fee6/main.go#L70
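The two defense-in-depth checks proposed above (refuse `grpc.WithInsecure()` for anything but a `unix:` target, and warn when the socket directory is under `/tmp` or writable by another uid) as an added Go example; this is not code from the oasis-evm-web3-gateway repository, and the `checkInsecureTarget`, `socketPathFromTarget` and `auditSocketDir` names, the sample `unix:/tmp/eth-runtime-test/runtime.sock` target, and the use of a temporary directory in `main` are all constructed for illustration. The owner check reads `syscall.Stat_t`, so it is Linux/Unix-only.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// socketPathFromTarget accepts only the gRPC "unix:" target forms
// ("unix:/abs/path" and "unix:///abs/path") and returns the filesystem path.
// Any other target (e.g. "127.0.0.1:9090") is rejected: with transport
// credentials off the peer is not authenticated, so the dial must fail closed.
func socketPathFromTarget(target string) (string, error) {
	var p string
	switch {
	case strings.HasPrefix(target, "unix:///"):
		p = strings.TrimPrefix(target, "unix://")
	case strings.HasPrefix(target, "unix:/"):
		p = strings.TrimPrefix(target, "unix:")
	default:
		return "", fmt.Errorf("refusing grpc.WithInsecure() for non-unix target %q", target)
	}
	return filepath.Clean(p), nil
}

// auditSocketDir returns warnings for the directory that will hold the socket:
// a location under /tmp (sticky, world-writable, empty at boot), an owner other
// than the current uid, or group/other write permission. Any of these lets a
// different uid pre-create the path the gateway will later connect to.
func auditSocketDir(dir string) ([]string, error) {
	info, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}
	if !info.IsDir() {
		return nil, fmt.Errorf("%s is not a directory", dir)
	}
	var warnings []string
	clean := filepath.Clean(dir)
	if clean == "/tmp" || strings.HasPrefix(clean, "/tmp/") {
		warnings = append(warnings, fmt.Sprintf(
			"%s lives under /tmp, which any uid can populate before the gateway starts", dir))
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return nil, errors.New("owner check requires a Unix stat result")
	}
	if int(st.Uid) != os.Getuid() {
		warnings = append(warnings, fmt.Sprintf(
			"%s is owned by uid %d, not the gateway uid %d", dir, st.Uid, os.Getuid()))
	}
	if perm := info.Mode().Perm(); perm&0o022 != 0 {
		warnings = append(warnings, fmt.Sprintf(
			"%s is writable by group/other (mode %04o)", dir, perm))
	}
	return warnings, nil
}

// checkInsecureTarget is the gate to run before dialing with
// grpc.WithInsecure(): it fails closed for non-unix targets and returns
// defense-in-depth warnings about the socket's parent directory.
func checkInsecureTarget(target string) ([]string, error) {
	p, err := socketPathFromTarget(target)
	if err != nil {
		return nil, err
	}
	return auditSocketDir(filepath.Dir(p))
}

func main() {
	// Constructed demo: a private directory under /tmp, modelled on the
	// /tmp/eth-runtime-test layout discussed in the issue.
	dir, err := os.MkdirTemp("/tmp", "eth-runtime-test-")
	if err != nil {
		fmt.Println("fatal:", err)
		os.Exit(1)
	}
	defer os.RemoveAll(dir)

	target := "unix:" + filepath.Join(dir, "runtime.sock")
	warnings, err := checkInsecureTarget(target)
	if err != nil {
		fmt.Println("fatal:", err)
		os.Exit(1)
	}
	for _, w := range warnings {
		fmt.Println("warning:", w)
	}

	// A TCP target is rejected outright rather than warned about.
	if _, err := checkInsecureTarget("127.0.0.1:9090"); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Wiring this in just before the `grpc.Dial` call means a future move to a TCP backend cannot silently keep the insecure credentials: the process refuses to start until the operator either switches to a `unix:` socket or adds transport credentials. The directory warnings are informational, so a `/tmp` deployment still runs but leaves a log line for whoever reviews the configuration.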