fix(seismic-node): disable trace_* and ots_* RPC namespaces (Veridise 1207)#407
Merged
Merged
Conversation
… 1207) Trace-serving endpoints expose execution metadata — gas usage, revert paths, call-tree shape, touched addresses — that is a side channel on Seismic's private state even after payload sanitization strips calldata, return data, memory, stack, and storage diffs. We agree with the audit recommendation to disable tracing entirely rather than rely on sanitization alone. Prior state: debug_* was already removed wholesale at RPC startup (#390), and payload sanitizers were wired into every debug/trace handler (#354), with the sanitizer logic centralized in seismic-revm-inspectors. The gap the finding identifies is real — the trace_* namespace remained registrable, and ots_* (Otterscan) wraps the same tracing internals (ots_traceTransaction returned unsanitized call-tree data until #405). This removes the two remaining trace-serving namespaces at RPC startup, in one loop alongside debug_*, regardless of the operator's --http.api selection (so an explicit `--http.api trace,ots` cannot re-expose them): - trace_*: parity-style tracing; also honors a caller-supplied `from` without the sanitization eth_call applies - ots_*: Otterscan endpoints Defense in depth, should tracing ever be re-enabled: the payload sanitizers in crates/rpc/rpc/src/{debug,trace}.rs and the ots_* handler sanitization (#405, Veridise 1085) stay in place. The intent is that any future re-enablement serves only sanitized traces; fully unsanitized traces are meant only for local dev nodes (sanvil), where there is no private state to protect. If tracing is ever reintroduced, we will treat all returned metadata as sensitive and audit the sanitizers from first principles, including applying the same `from`-sanitization that eth_call uses. Add an e2e regression test that launches a node with all namespaces configured and asserts debug_*/trace_*/ots_* methods return method-not-found while eth_blockNumber still works; this also backfills coverage for the earlier debug_* removal, which shipped without a test. Also disable IPC on e2e test node launches (shared test_rpc_server_args helper): tests talk to nodes over local HTTP only, and the default IPC endpoint is a global /tmp socket that sandboxed environments forbid binding.
Contributor
|
Disables trace-serving RPC namespaces (debug_, trace_, ots_*) on Seismic nodes to prevent metadata side-channel attacks on private state. Phase 2
Phase 3
LGTM — The security hardening is well-reasoned and properly implemented. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Trace-serving endpoints expose execution metadata — gas usage, revert paths, call-tree shape, touched addresses — that is a side channel on Seismic's private state even after payload sanitization strips calldata, return data, memory, stack, and storage diffs. We agree with the audit recommendation to disable tracing entirely rather than rely on sanitization alone.
Prior state: debug_* was already removed wholesale at RPC startup (#390), and payload sanitizers were wired into every debug/trace handler (#354), with the sanitizer logic centralized in seismic-revm-inspectors. The gap the finding identifies is real — the trace_* namespace remained registrable, and ots_* (Otterscan) wraps the same tracing internals (ots_traceTransaction returned unsanitized call-tree data until #405).
This removes the two remaining trace-serving namespaces at RPC startup, in one loop alongside debug_*, regardless of the operator's --http.api selection (so an explicit
--http.api trace,otscannot re-expose them):fromwithout the sanitization eth_call appliesDefense in depth, should tracing ever be re-enabled: the payload sanitizers in crates/rpc/rpc/src/{debug,trace}.rs and the ots_* handler sanitization (#405, Veridise 1085) stay in place. The intent is that any future re-enablement serves only sanitized traces; fully unsanitized traces are meant only for local dev nodes (sanvil), where there is no private state to protect.
If tracing is ever reintroduced, we will treat all returned metadata as sensitive and audit the sanitizers from first principles, including applying the same
from-sanitization that eth_call uses.Add an e2e regression test that launches a node with all namespaces configured and asserts debug_/trace_/ots_* methods return method-not-found while eth_blockNumber still works; this also backfills coverage for the earlier debug_* removal, which shipped without a test.
Also disable IPC on e2e test node launches (shared test_rpc_server_args helper): tests talk to nodes over local HTTP only, and the default IPC endpoint is a global /tmp socket that sandboxed environments forbid binding.