Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

rpc: Sanitize label name in various RPCs with tests #26186

Merged
merged 3 commits into from Jan 10, 2023
Merged

rpc: Sanitize label name in various RPCs with tests #26186

merged 3 commits into from Jan 10, 2023

Conversation

aureleoules
Copy link
Member

@aureleoules aureleoules commented Sep 27, 2022
edited

The following RPCs did not sanitize the optional label name:

  • importprivkey
  • importaddress
  • importpubkey
  • importmulti
  • importdescriptors
  • listsinceblock

Thus is was possible to import an address with a label * which should not be possible.
The wildcard label is used for backwards compatibility in the listtransactions rpc.
I added test coverage for these RPCs.

@DrahtBot
Copy link
Contributor

DrahtBot commented Sep 27, 2022
edited

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.

Type Reviewers
ACK furszy, stickies-v, ajtowns, theStack, achow101
Concept ACK MarcoFalke, 1440000bytes

If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #26840 (refactor: importpubkey, importprivkey, importaddress, importmulti, and importdescriptors rpc by KolbyML)
  • #26174 (rpc, wallet: add ability to retrieve all address book entries by w0xlt)
  • #24897 ([Draft / POC] Silent Payments by w0xlt)
  • #22838 (descriptors: Be able to specify change and receiving in a single descriptor string by achow101)
  • #20892 (tests: Run both descriptor and legacy tests within a single test invocation by achow101)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

stickies-v
stickies-v reviewed Sep 27, 2022
View reviewed changes
Copy link
Contributor

@stickies-v stickies-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approach ACK 3012200

test/functional/wallet_labels.py Outdated Show resolved Hide resolved
test/functional/wallet_labels.py Outdated Show resolved Hide resolved
src/wallet/rpc/backup.cpp Outdated Show resolved Hide resolved
src/wallet/rpc/backup.cpp Outdated Show resolved Hide resolved
@aureleoules
Copy link
Member Author

Thanks for the review @stickies-v, I've addressed all your comments.

stickies-v
stickies-v reviewed Sep 27, 2022
View reviewed changes
test/functional/wallet_labels.py Outdated Show resolved Hide resolved
test/functional/wallet_labels.py Outdated Show resolved Hide resolved
@aureleoules
Copy link
Member Author

Pushed, thanks @stickies-v.

stickies-v
stickies-v approved these changes Sep 28, 2022
View reviewed changes
Copy link
Contributor

@stickies-v stickies-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK d293585 - nice improvement, straightforward code changes and test.

Left a few nits, nothing blocking.

test/functional/wallet_labels.py Outdated Show resolved Hide resolved
test/functional/wallet_labels.py Outdated Show resolved Hide resolved
test/functional/wallet_labels.py Outdated Show resolved Hide resolved
maflcko
maflcko reviewed Sep 28, 2022
View reviewed changes
Copy link
Member

@maflcko maflcko left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concept ACK. Left a follow-up idea

src/wallet/rpc/backup.cpp Outdated Show resolved Hide resolved
@aureleoules aureleoules force-pushed the 2022-09-test-label-invalid branch 3 times, most recently from 62535d8 to 8867b03 Compare September 28, 2022 14:33
@DrahtBot DrahtBot mentioned this pull request Sep 28, 2022
Closed
@aureleoules aureleoules mentioned this pull request Sep 28, 2022
Merged
@maflcko maflcko added this to the 24.0 milestone Sep 28, 2022
stickies-v
stickies-v reviewed Oct 3, 2022
View reviewed changes
src/wallet/rpc/backup.cpp Outdated Show resolved Hide resolved
src/wallet/rpc/coins.cpp Outdated Show resolved Hide resolved
src/wallet/rpc/addresses.cpp Outdated Show resolved Hide resolved
stickies-v
stickies-v approved these changes Oct 3, 2022
View reviewed changes
Copy link
Contributor

@stickies-v stickies-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 8b71661

@maflcko maflcko requested a review from achow101 October 4, 2022 10:48
This was referenced Oct 5, 2022
Closed
Open
Closed
@maflcko maflcko removed this from the 24.0 milestone Oct 17, 2022
@aureleoules
Copy link
Member Author

Please restore it.

Done @luke-jr.

@DrahtBot DrahtBot mentioned this pull request Dec 15, 2022
Merged
furszy
furszy reviewed Dec 15, 2022
View reviewed changes
src/wallet/rpc/util.h Outdated Show resolved Hide resolved
@aureleoules aureleoules force-pushed the 2022-09-test-label-invalid branch 2 times, most recently from cce2e87 to b119bb8 Compare December 16, 2022 13:52
luke-jr
luke-jr reviewed Dec 18, 2022
View reviewed changes
src/wallet/rpc/util.cpp Outdated Show resolved Hide resolved
@ghost
Copy link

ghost commented Dec 18, 2022

Concept ACK

stickies-v
stickies-v approved these changes Dec 19, 2022
View reviewed changes
Copy link
Contributor

@stickies-v stickies-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-ACK 408e375

Reduced string copying compared to my previous ACK. One non-blocking nit.

src/wallet/rpc/transactions.cpp Outdated Show resolved Hide resolved
src/wallet/rpc/util.h Outdated Show resolved Hide resolved
furszy
furszy approved these changes Dec 19, 2022
View reviewed changes
Copy link
Member

@furszy furszy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK 893c288

ajtowns
ajtowns reviewed Jan 3, 2023
View reviewed changes
Copy link
Contributor

@ajtowns ajtowns left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Concept ACK.

src/wallet/rpc/util.h Outdated Show resolved Hide resolved
@aureleoules
rpc: Sanitize label name in various RPCs
67e7ba8 
- importprivkey
- importaddress
- importpubkey
- listtransactions
- listsinceblock
- importmulti
- importdescriptors
furszy
furszy reviewed Jan 4, 2023
View reviewed changes
src/wallet/rpc/util.h Outdated Show resolved Hide resolved
furszy
furszy approved these changes Jan 4, 2023
View reviewed changes
Copy link
Member

@furszy furszy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

diff ACK 65e78bd

stickies-v
stickies-v approved these changes Jan 4, 2023
View reviewed changes
Copy link
Contributor

@stickies-v stickies-v left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-ACK 65e78bd

src/wallet/rpc/util.cpp
Comment on lines +135 to +136
static const std::string empty_string;
if (value.isNull()) return empty_string;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: not needed anymore now that we're returning a string copy

Suggested change
static const std::string empty_string;
if (value.isNull()) return empty_string;
if (value.isNull()) return "";

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Or return {};

@ajtowns
Copy link
Contributor

ajtowns commented Jan 6, 2023

ACK 65e78bd

@DrahtBot DrahtBot mentioned this pull request Jan 7, 2023
Closed
theStack
theStack approved these changes Jan 8, 2023
View reviewed changes
Copy link
Contributor

@theStack theStack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

re-ACK 65e78bd

achow101
achow101 reviewed Jan 9, 2023
View reviewed changes
test/functional/wallet_labels.py
[node.getnewaddress],
[node.setlabel, address],
[node.getaddressesbylabel],
[node.importpubkey, pubkey],
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In 65e78bd "test: Invalid label name coverage"

importpubkey is a legacy wallet only RPC. The reason this test still passes with --descriptors is because the test framework has this (and some of the other import RPCs) aliased to importdescriptors.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good to know. But considering this PR has 4 ACKs, is it worth the change? The test is executed with both --legacy-wallet and --descriptors anyway.

@achow101
Copy link
Member

ACK 65e78bd

@achow101 achow101 merged commit 68f88bc into bitcoin:master Jan 10, 2023
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jan 11, 2023
@achow101
Merge bitcoin#26186: rpc: Sanitize label name in various RPCs with tests
6c7bd8b 
65e78bd test: Invalid label name coverage (Aurèle Oulès)
552b51e refactor: Add sanity checks in LabelFromValue (Aurèle Oulès)
67e7ba8 rpc: Sanitize label name in various RPCs (Aurèle Oulès)

Pull request description:

  The following RPCs did not sanitize the optional label name:
  - importprivkey
  - importaddress
  - importpubkey
  - importmulti
  - importdescriptors
  - listsinceblock

  Thus is was possible to import an address with a label `*` which should not be possible.
  The wildcard label is used for backwards compatibility in the `listtransactions` rpc.
  I added test coverage for these RPCs.

ACKs for top commit:
  ajtowns:
    ACK 65e78bd
  achow101:
    ACK 65e78bd
  furszy:
    diff ACK 65e78bd
  stickies-v:
    re-ACK 65e78bd
  theStack:
    re-ACK 65e78bd

Tree-SHA512: ad99f2824d4cfae352166b76da4ca0069b7c2eccf81aaa0654be25bbb3c6e5d6b005d93960f3f4154155f80e12be2d0cebd5529922ae3d2a36ee4eed82440b31
@aureleoules aureleoules deleted the 2022-09-test-label-invalid branch January 12, 2023 11:51
@bitcoin bitcoin locked and limited conversation to collaborators Jan 12, 2024
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@ajtowns ajtowns ajtowns left review comments

@luke-jr luke-jr luke-jr left review comments

@jonatack jonatack jonatack left review comments

@achow101 achow101 achow101 left review comments

@maflcko maflcko maflcko left review comments

@theStack theStack theStack approved these changes

@furszy furszy furszy approved these changes

@stickies-v stickies-v stickies-v approved these changes

Assignees

@achow101 achow101

Labels
RPC/REST/ZMQ Wallet
Projects
PR Statuses
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet