Log RPC parameters (arguments) if -debug=rpcparams #16365
src/rpc/server.cpp
Outdated
"encryptwallet", | ||
"walletpassphrase", | ||
"walletpassphrasechange", | ||
}; |
Looks like this list is incomplete. Would be nice if it can be deduplicated with the existing QStringList historyFilter
This blacklist should be pulled out of a config rather than buried in the code.
What do you mean by "config"? Are you referring to ~/.bitcoin/bitcoin.conf?
I mean that it should go into a common module, probably ./src/util/ or similar.
The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.
Conflicts
Reviewers, this pull request conflicts with the following ones:
If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.
How about private keys?
Rebased, addressed review comments, force-pushed.
src/logging.h
Outdated
@@ -54,6 +54,7 @@ namespace BCLog { | |||
COINDB = (1 << 18), | |||
QT = (1 << 19), | |||
LEVELDB = (1 << 20), | |||
RPCPARAMS = (1 << 21), |
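Review bot: RPCPARAMS = (1 << 21) is added without a comment, and unlike the neighbouring categories it controls logging of caller-supplied arguments. A short comment on that line saying that the category writes RPC arguments to debug.log would make the risk visible to anyone who later changes how categories are enabled.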
I'm undecided if a new category is needed, or just enable this additional logging with rpc. We don't have many of the 32 category bits remaining (although we could easily change to use a uint64_t).
src/rpc/request.cpp
Outdated
LogPrint(BCLog::RPCPARAMS, ","); | ||
LogPrint(BCLog::RPCPARAMS, "%s", SanitizeString(params[i].getValStr())); | ||
} | ||
LogPrint(BCLog::RPCPARAMS, "]\n"); |
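Review bot: the parameter list is emitted through a separate LogPrint call for every fragment (the ",", each value, then "]\n"), so the line is assembled in the log rather than in memory. Output from another thread can land between the fragments, and nothing in these lines decides whether the method's arguments are safe to print. Build the whole string first, apply the sensitivity check once, and make a single LogPrint call.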
Could print each param on a separate line.
IMO the blacklist doesn't look a great option. How about disallow
concept NACK, someone is going to forget when adding a new RPC and start logging secrets in production. I think @promag's suggestion is better.
6ab0383 to e484051
Another approach is to add a sensitive options/flag (false by default) to
e484051 to d7f1d81
@promag, interesting idea, I like that it would allow specific arguments to be designated as sensitive, rather than the entire method. Also, it would be nice not to have to touch so many lines of code (as my latest commit does). But @instagibbs's concern, #16365 (comment), which I attempted to overcome with my latest commit, becomes live again.
d7f1d81 to c0b6bd8
Rebased, replaced functional (python) test with a proper unit test.
c0b6bd8 to c3d0a32
c3d0a32 to 2981185
I had an idea for what may be an improvement. It's in a separate commit, "replace sensitive bool with more general flags". Please let me know what you think; this commit is optional. Modifying all of the lines of the
b397f7e to 9759e70
9edf0ca to 45fb5d0
Force-pushed (diff) a different approach that does not require changing each of the 149 per-rpc
Here are some examples (without showing the RPC output):
Here's what appears in
"walletcreatefundedpsbt", | ||
"walletlock", | ||
"walletprocesspsbt", | ||
}; |
This allow list came from listing all the RPCs and then removing the following:
signmessagewithprivkey
signrawtransactionwithkey
signrawtransactionwithwallet
signmessage
createwallet
encryptwallet
importmulti
importprivkey
sethdseed
walletpassphrase
walletpassphrasechange
As far as I can tell, these are the RPCs whose arguments shouldn't be logged.
Maintenance of this list seems like a drawback. It would be nice if a test fails somewhere when an RPC is added or removed without the allow list being updated, e.g. with a list of structs of all the RPCs with an associated safe/unsafe bool value, or something like CRPCConvertParam. Feel free to ignore if unrealistic.
871ec54 to aa72aa0
aa72aa0 to 7d22a6f
Tested almost-ACK 7d22a6f rebased to current master, modulo the comments below
@@ -59,6 +59,7 @@ namespace BCLog { | |||
VALIDATION = (1 << 21), | |||
I2P = (1 << 22), | |||
IPC = (1 << 23), | |||
RPCPARAMS = (1 << 24), |
test/functional/rpc_misc.py::L60 needs to be updated: AssertionError: not(25 == 24)
"psbtbumpfee", | ||
"reconsiderblock", | ||
"removeprunedfunds", | ||
"rescanblockchain", |
This list seems to need an update for new RPCs (restorewallet comes to mind, not sure if there are others)
params += ","; | ||
} | ||
params += request.params[i].write(); | ||
} |
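Review bot: in the loop, request.params[i].write() is appended at full length, so one large argument is copied into the log line whole. Consider capping the length of each serialized parameter (and marking the truncation) before appending it to params.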
Maybe replace this loop with a call to util/string.h::Join()
BOOST_CHECK(str.find("rpc=signmessagewithprivkey(****)") != std::string::npos); | ||
// Make sure these don't somehow appear | ||
BOOST_CHECK(str.find("some-key") == std::string::npos); | ||
BOOST_CHECK(str.find("some-message") == std::string::npos); |
Some (tested) ideas, feel free to pick/choose/ignore
- FILE* file = fsbridge::fopen(LogInstance().m_file_path, "rb");
+ FILE* file{fsbridge::fopen(LogInstance().m_file_path, "rb")};
fseek(file, 0, SEEK_END);
std::vector<char> vch(ftell(file), 0);
fseek(file, 0, SEEK_SET);
- size_t nbytes = fread(vch.data(), 1, vch.size(), file);
+ const size_t nbytes{fread(vch.data(), 1, vch.size(), file)};
fclose(file);
// This checks the test (not the code being tested).
BOOST_CHECK_EQUAL(nbytes, vch.size());
// Check that what should appear does, and what shouldn't doesn't.
- std::string str(vch.begin(), vch.end());
+ const std::string str{vch.begin(), vch.end()};
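Review bot: the return value of fsbridge::fopen is passed straight to fseek without a null check, and the result of ftell is used as the vector size without checking for -1. Add a BOOST_REQUIRE(file != nullptr) after the open and check ftell's result before constructing vch, so a missing log file fails the test cleanly.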
@@ -512,8 +512,8 @@ BOOST_AUTO_TEST_CASE(rpc_logparams)
- BOOST_CHECK(str.find("some-key") == std::string::npos);
- BOOST_CHECK(str.find("some-message") == std::string::npos);
+ BOOST_CHECK_EQUAL(str.find("some-key"), std::string::npos);
+ BOOST_CHECK_EQUAL(str.find("some-message"), std::string::npos);
} else { | ||
for (size_t i = 0; i < request.params.size(); ++i) { | ||
if (i > 0) { | ||
params += ","; |
Not sure here, perhaps separate the params with ", " (comma + space)
now
2021-08-19T11:45:46Z rpc=getmempoolancestors(b6a5ed05bc71c8ccc5316,true)
comma+space
2021-08-19T11:45:46Z rpc=getmempoolancestors(b6a5ed05bc71c8ccc5316, true)
I agree, I'm going to convert this PR to draft because I think there's a better way to do this that doesn't require a separate list. I'll also pick up your other suggestions. Thanks for taking the time to look it over!
🐙 This pull request conflicts with the target branch and needs rebase. Want to unsubscribe from rebase notifications on this pull request? Just convert this pull request to a "draft".
There hasn't been much activity lately and the patch still needs rebase. What is the status here?
Given it's been 16 months this statement, I'm going to close this for now. Feel free to comment / ping if you're going to work on this again and need the PR reopened.
When a developer is examining debug.log (or client terminal output), it's often useful to know which RPCs have been submitted to the client; this can be enabled with the -debug=rpc configuration option. But this prints only the method name. This PR adds -debug=rpcparams to enable the logging of each RPC's parameters (arguments). The parameters of certain RPCs are keys or passwords; these should not be logged.
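The fail-closed allow list this thread converges on, together with the classification check suggested in review, as a self-contained sketch. This is an added example, not code from the PR or from Bitcoin Core; LOG_SAFE, LOG_SENSITIVE, FormatRpcLog and Unclassified are hypothetical names, and the table contents are a constructed subset of the methods named in the thread.

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical classification tables, constructed for this example.
// Every RPC must appear in exactly one of them.
static const std::set<std::string> LOG_SAFE{
    "getmempoolancestors", "walletlock", "walletprocesspsbt"};
static const std::set<std::string> LOG_SENSITIVE{
    "walletpassphrase", "signmessagewithprivkey", "importprivkey"};

// Build the "rpc=method(args)" log line in memory so it can be written
// with one logging call. Fail closed: a method that is not explicitly
// marked safe (including one nobody has classified yet) gets "****".
std::string FormatRpcLog(const std::string& method,
                         const std::vector<std::string>& params)
{
    std::string out = "rpc=" + method + "(";
    if (LOG_SAFE.count(method) == 0) {
        out += "****";
    } else {
        for (size_t i = 0; i < params.size(); ++i) {
            if (i > 0) out += ",";
            out += params[i];
        }
    }
    return out + ")";
}

// Return the registered methods that are not in exactly one table.
// A unit test asserting that this is empty fails as soon as an RPC is
// added without someone deciding whether its arguments may be logged.
std::vector<std::string> Unclassified(const std::vector<std::string>& registered)
{
    std::vector<std::string> missing;
    for (const auto& m : registered) {
        if (LOG_SAFE.count(m) + LOG_SENSITIVE.count(m) != 1) {
            missing.push_back(m);
        }
    }
    return missing;
}
```

An RPC that is in neither table, such as the restorewallet case raised in review, is masked in the log and reported by Unclassified at the same time.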