RPC test nodes may be on the Internet #4248

Open
solardiz opened this issue Nov 29, 2019 · 4 comments
@solardiz
Contributor

Zcash's RPC tests spawn test nodes with configuration files like:

regtest=1
showmetrics=0
rpcuser=rt
rpcpassword=rt
port=11994
rpcport=12994
listenonion=0

This results in them being potentially accessible from the Internet - if the system is on the Internet and incoming traffic is not filtered. Combined with the hard-coded RPC password above, this probably allows for at least confusing the tests, and possibly much worse.

I suggest that this be added:

rpcbind=127.0.0.1
rpcallowip=127.0.0.1/32
@solardiz
Contributor Author

It would also be nice to generate and use a random password to prevent attacks from the same host, but that's both less important and more work to implement. Please feel free to open a separate issue to track this suggestion as well, if desired.
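
Both suggestions above, as an added example that is not part of the thread and not the project's test code: `audit` flags a node configuration that lacks loopback-only `rpcbind`/`rpcallowip` or uses a guessable password, and `harden` rewrites it with the two proposed lines plus a random password. The function names and the 16-character password threshold are assumptions made for this example.

```python
import ipaddress
import secrets

def parse_conf(text):
    """Parse key=value lines; options such as rpcallowip may repeat."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(value.strip())
    return opts

def _loopback_only(values, parse):
    """True if at least one value is given and every value is loopback."""
    try:
        return bool(values) and all(parse(v).is_loopback for v in values)
    except ValueError:
        return False

def audit(text):
    """Return a list of findings; an empty list means the checks passed."""
    opts = parse_conf(text)
    findings = []
    if not _loopback_only(opts.get("rpcbind"), ipaddress.ip_address):
        findings.append("rpcbind is not pinned to a loopback address")
    if not _loopback_only(opts.get("rpcallowip"),
                          lambda v: ipaddress.ip_network(v, strict=False)):
        findings.append("rpcallowip is not restricted to loopback")
    user = opts.get("rpcuser", [""])[-1]
    password = opts.get("rpcpassword", [""])[-1]
    if len(password) < 16 or password == user:  # threshold is an assumption
        findings.append("rpcpassword is short or equal to rpcuser")
    return findings

def harden(text):
    """Apply both suggestions: loopback-only RPC and a random per-run password."""
    keep = [l for l in text.splitlines()
            if l.split("=", 1)[0].strip() not in ("rpcbind", "rpcallowip", "rpcpassword")]
    keep += ["rpcbind=127.0.0.1", "rpcallowip=127.0.0.1/32",
             "rpcpassword=" + secrets.token_urlsafe(32)]
    return "\n".join(keep) + "\n"

# Constructed sample: the test-node configuration quoted in the issue.
SAMPLE = ("regtest=1\nshowmetrics=0\nrpcuser=rt\nrpcpassword=rt\n"
          "port=11994\nrpcport=12994\nlistenonion=0\n")

if __name__ == "__main__":
    print(audit(SAMPLE), audit(harden(SAMPLE)))
```
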

@daira daira added I-SECURITY Problems and improvements related to security. A-testing Area: Tests and testing infrastructure A-rpc-interface Area: RPC interface labels Dec 1, 2019
@daira daira self-assigned this Dec 1, 2019
@mdr0id
Contributor

mdr0id commented Dec 2, 2019

Thank you for submitting this issue, we will change the mentioned params in the config.

@holmesworcester

> It would also be nice to generate and use a random password to prevent attacks from the same host, but that's both less important and more work to implement.

We're interested in this. Malicious locally running code accessing the user's RPC interface is a security issue we're concerned about for the Zbay wallet. Did another issue get created for this?

@kowalski

I'd also like to point out that the fix proposed by @solardiz does help against an attacker using the same local network.
However, it still doesn't solve the problem with malicious sites.
Malicious code running in the browser may still access localhost:11994 and do harm.

This isn't the case only for test nodes. It's more worrying for mainnet nodes that people are running locally.

An open TCP port is always a security risk.

I think it would be great if it was possible to have the RPC interface listening on a Unix socket instead of a TCP socket. In my personal opinion this should be the default behavior on Linux and Mac.
