fix: restrict json rpc public methods#4921

Closed
ethever wants to merge 1 commit into
Scottcjn:mainfrom
ethever:ethever/fix-json-rpc-method-whitelist-4601

Conversation

@ethever

@ethever ethever commented May 13, 2026

Summary

  • add a read-only allowlist for the /rpc aggregate endpoint
  • block state-changing RPC methods such as submitProof, createProposal and vote
  • add regressions for denied writes, allowed reads and malformed params

Tests

  • git diff --check origin/main...HEAD
  • python3 -m py_compile rips/rustchain-core/api/rpc.py tests/test_json_rpc_method_whitelist.py
  • PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 uv run --no-project --with pytest --with flask python -m pytest tests/test_json_rpc_method_whitelist.py -q -> 3 passed
  • python3 tools/bcos_spdx_check.py --base-ref origin/main -> OK

No live node or production RPC service was used.
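The PR body describes the pattern without showing it: an aggregate JSON-RPC endpoint that dispatches by method name, with an explicit read-only allowlist consulted before any handler lookup, and regression coverage for denied writes, allowed reads and malformed params. The following is an added illustration of that pattern and is not code from this PR or from RustChain's rpc.py. The write method names (submitProof, createProposal, vote) are the ones the PR says must be blocked; the read method names (getBlockHeight, getBalance), the handler bodies, the ledger values and the function names are constructed for the example. The Flask route wiring is omitted so the dispatcher runs on its own.

```python
import json
from typing import Any, Callable, Dict

JSONRPC_VERSION = "2.0"


# --- Handler registry (constructed for this example) -------------------------
# Read handlers use hypothetical method names; the write handlers carry the names
# the PR says must be blocked on the public endpoint. Their bodies are stand-ins:
# the point is that the public dispatcher can never reach the write entries.

def get_block_height(params: Any) -> int:
    return 4321  # constructed sample chain height


def get_balance(params: Any) -> int:
    # Strict param validation: accept only {"address": "<string>"}.
    if not isinstance(params, dict) or not isinstance(params.get("address"), str):
        raise ValueError("expected an object with a string 'address'")
    ledger = {"alice": 100, "bob": 50}  # constructed sample balances
    return ledger.get(params["address"], 0)


def submit_proof(params: Any) -> str:
    return "proof accepted"  # would mutate chain state on an internal path


def create_proposal(params: Any) -> str:
    return "proposal created"


def vote(params: Any) -> str:
    return "vote recorded"


HANDLERS: Dict[str, Callable[[Any], Any]] = {
    "getBlockHeight": get_block_height,
    "getBalance": get_balance,
    "submitProof": submit_proof,
    "createProposal": create_proposal,
    "vote": vote,
}

# The allowlist is a separate, explicit set of read-only names. Being registered
# in HANDLERS is not enough to be callable from the public aggregate endpoint.
PUBLIC_READ_ONLY = frozenset({"getBlockHeight", "getBalance"})


def _error(req_id: Any, code: int, message: str) -> dict:
    return {"jsonrpc": JSONRPC_VERSION, "id": req_id,
            "error": {"code": code, "message": message}}


def dispatch_public(raw_body: str) -> dict:
    """Handle one JSON-RPC 2.0 request body arriving on the public endpoint."""
    try:
        req = json.loads(raw_body)
    except (ValueError, TypeError):
        return _error(None, -32700, "Parse error")
    if not isinstance(req, dict):
        return _error(None, -32600, "Invalid Request")

    req_id = req.get("id")
    method = req.get("method")
    params = req.get("params", [])
    if req.get("jsonrpc") != JSONRPC_VERSION or not isinstance(method, str):
        return _error(req_id, -32600, "Invalid Request")
    # JSON-RPC 2.0 params must be structured (array or object) when present.
    if not isinstance(params, (list, dict)):
        return _error(req_id, -32602, "Invalid params")

    # Allowlist check runs before any handler lookup. A denied write method
    # gets the same -32601 as an unknown method, so the public endpoint does
    # not confirm which state-changing methods exist.
    if method not in PUBLIC_READ_ONLY or method not in HANDLERS:
        return _error(req_id, -32601, "Method not found")

    try:
        result = HANDLERS[method](params)
    except (ValueError, TypeError, KeyError) as exc:
        return _error(req_id, -32602, f"Invalid params: {exc}")
    return {"jsonrpc": JSONRPC_VERSION, "id": req_id, "result": result}


if __name__ == "__main__":
    for body in (
        '{"jsonrpc": "2.0", "id": 1, "method": "getBlockHeight", "params": []}',
        '{"jsonrpc": "2.0", "id": 2, "method": "submitProof", "params": {"proof": "x"}}',
        '{"jsonrpc": "2.0", "id": 3, "method": "getBalance", "params": "alice"}',
    ):
        print(json.dumps(dispatch_public(body)))
```

Two design choices matter for the regression tests the PR lists. First, the allowlist is checked before the registry lookup, so a write handler that is registered for an internal or authenticated path is simply unreachable from the public path, and adding a new write handler later does not widen the public surface. Second, a denied method and an unknown method return the same error, so the public endpoint does not act as an oracle for which state-changing methods are implemented.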
@github-actions

Welcome to RustChain! Thanks for your first pull request.

Before we review, please make sure:

  • Your PR has a BCOS-L1 or BCOS-L2 label
  • New code files include an SPDX license header
  • You've tested your changes against the live node

Bounty tiers: Micro (1-10 RTC) | Standard (20-50) | Major (75-100) | Critical (100-150)

A maintainer will review your PR soon. Thanks for contributing!

@github-actions github-actions Bot added the labels size/M (PR: 51-200 lines), BCOS-L1 (Beacon Certified Open Source tier BCOS-L1, required for non-doc PRs) and tests (Test suite changes) on May 13, 2026
@ethever

ethever commented May 13, 2026

Checklist note: I do not have permission to apply repository labels from this fork. This is a JSON-RPC dispatch hardening fix for #4601; I would classify it as BCOS-L1 or BCOS-L2 depending on maintainer severity policy. Local validation and BCOS SPDX check are listed in the PR body.

Payout wallet / miner ID: b3a58f80a97bae5e2b438894aa85600cb0c066RTC

@shuibui shuibui left a comment

Code Review: Approve

Good fix.

**Verdict: Approve.**

@ethever

ethever commented May 13, 2026

Closing this because it duplicates the older open fix #4802 for #4601. I missed that prior PR because the issue itself had no linked comment. Keeping the queue clean rather than asking maintainers to review duplicate JSON-RPC allowlist patches.

@ethever ethever closed this May 13, 2026
Development

Successfully merging this pull request may close these issues.

[SECURITY] JSON-RPC /rpc endpoint allows arbitrary method invocation

2 participants