
Added defaults for remote-limt-api so sensitive calls are blocked by … #944

Merged
merged 4 commits into from Sep 16, 2018


kwek20 commented Aug 21, 2018

Description

Provides defaults for keeping an IRI node secure when you do not provide flags.

Fixes #306

Type of change

  • Bug fix (a non-breaking change which fixes an issue)

How Has This Been Tested?

Started default IRI node with port parameter -> correct calls are blocked
Started IRI with --remote-api-limit for just blocking getNeighbors, and only that call is blocked

Checklist:

  • My code follows the style guidelines for this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation
  • New and existing unit tests pass locally with my changes

@kwek20 kwek20 requested a review from karimodm Aug 21, 2018

int API_PORT = 14265;
String API_HOST = "localhost";
String[] REMOTE_LIMIT_API = new String[] {"addNeighbors", "getNeighbors", "removeNeighbors"};
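Review bot: the default is exposed as a `String[]` on the `Defaults` interface, and although interface fields are implicitly `public static final`, `final` only fixes the reference, not the elements, so any code in the node can do `Defaults.REMOTE_LIMIT_API[1] = ""` and silently unblock a sensitive command; the same line also leaves `attachToTangle` and `interruptAttachingToTangle` out of the blocked set. Expose it as an unmodifiable `List<String>` instead (`Collections.unmodifiableList(Arrays.asList(...))`) so a write throws rather than succeeds.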

alon-e (Member) commented Aug 23, 2018

I think we should also add attachToTangle & interruptAttachingToTangle to the default list.

GalRogozinski (Member) commented Aug 25, 2018

Change to List<String> REMOTE_LIMIT_API

In IotaUtils you can add the following method:

    public static <T> List<T> createImmutableList(T... a) {
        return Collections.unmodifiableList(Arrays.asList(a));
    }

Note that once we upgrade Java we can start using List.of() instead of doing this ugly thing.
See:
https://docs.oracle.com/javase/9/docs/api/java/util/List.html
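The difference between the `String[]` default of the first revision and the unmodifiable list proposed in this comment, as an added example in Java; this is not IRI project code. The class `RemoteLimitDemo` and its methods `applyOperatorFlag` and `isBlocked` are hypothetical, and the assumption that an operator-supplied `--remote-limit-api` value replaces the defaults (comma-separated) is taken from the test notes in the PR description.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

/*
 * Added illustration, not IRI project code. Contrasts the mutable String[]
 * default with the unmodifiable List default, and shows how a filter that
 * consults the list behaves once an operator overrides it. Class and method
 * names are hypothetical.
 */
public class RemoteLimitDemo {

    // Same shape as the helper proposed in the review: an unmodifiable view
    // over a fixed-size array.
    static <T> List<T> createImmutableList(T... a) {
        return Collections.unmodifiableList(Arrays.asList(a));
    }

    // Array form from the first revision: the reference is final, the
    // elements are not.
    static final String[] ARRAY_DEFAULT =
            {"addNeighbors", "getNeighbors", "removeNeighbors"};

    // List form from the final revision: any write throws.
    static final List<String> LIST_DEFAULT = createImmutableList(
            "addNeighbors", "getNeighbors", "removeNeighbors",
            "attachToTangle", "interruptAttachingToTangle");

    // Per-instance value, seeded from the shared default as the PR seeds
    // remoteLimitApi. The copy keeps config parsing off the shared default.
    private List<String> remoteLimitApi = new ArrayList<>(LIST_DEFAULT);

    // Simulates `--remote-limit-api a,b` replacing the default, which is the
    // behaviour the PR description reports. Assumption: comma-separated value.
    void applyOperatorFlag(String flagValue) {
        if (flagValue == null || flagValue.isEmpty()) {
            return; // no flag given: defaults stay in force
        }
        remoteLimitApi = new ArrayList<>(Arrays.asList(flagValue.split(",")));
    }

    // A command is refused for remote callers when it is in the configured
    // list. Exact, case-sensitive match on the API command name.
    boolean isBlocked(String command) {
        return remoteLimitApi.contains(command);
    }

    public static void main(String[] args) {
        // 1. Mutable array: a stray write silently unblocks a sensitive call.
        String[] alias = ARRAY_DEFAULT; // same object, no copy made
        alias[0] = "getNodeInfo";
        System.out.println("array default still blocks addNeighbors? "
                + Arrays.asList(ARRAY_DEFAULT).contains("addNeighbors"));

        // 2. Unmodifiable list: the same write fails loudly.
        try {
            LIST_DEFAULT.set(0, "getNodeInfo");
            System.out.println("list default was modified (unexpected)");
        } catch (UnsupportedOperationException e) {
            System.out.println("list default rejected the write");
        }

        // 3. No flag: every command in the default list is blocked.
        RemoteLimitDemo node = new RemoteLimitDemo();
        for (String c : LIST_DEFAULT) {
            System.out.println("default blocks " + c + "? " + node.isBlocked(c));
        }

        // 4. Operator narrows the flag to getNeighbors: addNeighbors is
        //    exposed again, which is the caveat operators need to know.
        node.applyOperatorFlag("getNeighbors");
        System.out.println("after flag, blocks getNeighbors? "
                + node.isBlocked("getNeighbors"));
        System.out.println("after flag, blocks addNeighbors? "
                + node.isBlocked("addNeighbors"));
    }
}
```

Run it with `javac RemoteLimitDemo.java && java RemoteLimitDemo`: step 1 prints `false`, step 2 prints that the write was rejected, step 3 prints `true` for all five commands, and step 4 shows `addNeighbors` no longer blocked once the flag replaces the default list.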

kwek20 (Author, Member) commented Aug 25, 2018

@alon-e isn't attachToTangle used in a lot of tutorials? That will probably confuse people if it's disabled by default

GalRogozinski (Member) commented Aug 26, 2018

Since this is also a product decision I am tagging @jakubcech.
I want to remind everyone that since changing the defaults breaks backwards compatibility, perhaps it shouldn't be released together with the changes we made for configurations in #724.

jakubcech (Contributor) commented Aug 27, 2018

attachToTangle & interruptAttachingToTangle should be in the list. We should update our docs if it's broken by this change somewhere.

@@ -600,9 +601,10 @@ protected void setBelowMaxDepthTransactionLimit(int maxAnalyzedTransactions) {
}

public interface Defaults {
//API
//API
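Review bot: the `//API` comment appears twice in a row directly under `public interface Defaults`, and the second copy sits flush against the interface body rather than at the member indentation; drop the duplicate and indent the remaining one like the members that follow it.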

alon-e (Member) commented Aug 23, 2018

fix indentation? :)

kwek20 (Author, Member) commented Aug 25, 2018

Not sure why it did that, I checked in code and it doesn't look like that :o

rajivshah3 (Contributor) commented Aug 28, 2018

It might happen if you use tabs instead of spaces (https://www.youtube.com/watch?v=SsoOG6ZeyUI :trollface: )

GalRogozinski (Member) commented Aug 30, 2018

Hmm I don't see it fixed yet... You can configure your IDE to convert tabs to spaces.

@@ -25,7 +26,7 @@
//API
protected int port = Defaults.API_PORT;
protected String apiHost = Defaults.API_HOST;
protected List<String> remoteLimitApi = new ArrayList<>();
protected List<String> remoteLimitApi = new ArrayList<>(Arrays.asList(Defaults.REMOTE_LIMIT_API));
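Review bot: `remoteLimitApi` is now seeded from `Defaults.REMOTE_LIMIT_API`, but the hunk does not show how an explicit `--remote-limit-api` interacts with that seed; per the PR description, passing only `getNeighbors` leaves only that call blocked, so an operator who narrows the flag silently re-exposes `addNeighbors` and `removeNeighbors`. State in the option's documentation that the flag replaces rather than extends the defaults (or merge the two lists), and cover both the no-flag and the explicit-flag path in the automation test requested later in the thread. Copying into a fresh `ArrayList` is fine for the per-instance value that config parsing reassigns; the shared default itself is what should stay immutable.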

GalRogozinski (Member) commented Aug 25, 2018

Hmm I think wrapping with Collections.unmodifiableList() would have been more suitable than ArrayList...


@iotaledger iotaledger deleted a comment from codacy-bot Aug 27, 2018

@kwek20 kwek20 changed the title Added defaults for remote-limt-api so sensitice calls are blocked by … Added defaults for remote-limt-api so sensitive calls are blocked by … Aug 30, 2018


int API_PORT = 14265;
String API_HOST = "localhost";
List<String> REMOTE_LIMIT_API = IotaUtils.createImmutableList("addNeighbors", "getNeighbors", "removeNeighbors", "attachToTangle", "interruptAttachingToTangle");
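Review bot: this line exceeds the 120-column width requested in the thread; break the varargs call one command per line. With `attachToTangle` and `interruptAttachingToTangle` now blocked by default, a node started without `--remote-limit-api` will refuse remote proof-of-work requests, so the docs and tutorials that send `attachToTangle` to a freshly started node need the matching update before this ships, as jakubcech already asked.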

GalRogozinski (Member) commented Aug 30, 2018

Can you set your IDE to have a column width of 120?
I will try to add more checkstyle rules real soon. I know style comments are annoying. A computer should give them and not a human.

GalRogozinski (Member) commented Sep 4, 2018

@jakubcech and @DyrellC
Before this is released we should have an automation test.

alon-e approved these changes Sep 6, 2018

@GalRogozinski GalRogozinski merged commit 2250b0a into iotaledger:dev Sep 16, 2018

1 of 2 checks passed
Codacy/PR Quality Review: Codacy was unable to analyse your pull request.
continuous-integration/travis-ci/pr: The Travis CI build passed