From eb8b85c0c9011cbfc07a09cab558878e4678ae06 Mon Sep 17 00:00:00 2001
From: ValarDragon
Date: Sat, 7 Jul 2018 11:27:57 -0700
Subject: [PATCH 1/5] Add SECURITY.MD

Closes #1267
---
 SECURITY.md | 38 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 SECURITY.md

diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..9883da4c4
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,38 @@
+# Security
+
+As part of our [Coordinated Vulnerability Disclosure
+Policy](https://tendermint.com/security), we operate a bug bounty.
+See the policy for more details on submissions and rewards.
+
+The following is a list of examples of the kinds of bugs we're most interested in for
+the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for tendermint / lower level libs.
+
+## Specification
+- Conceptual flaws
+- Ambiguities, inconsistencies, or incorrect statements
+- Mis-match between specification and implementation of any component
+
+## Modules
+- x/staking
+- x/slashing
+- SDK standard datatype library
+
+We are interested in bugs in other modules, however the above are most likely to have
+significant vulnerabilities, due to the complexity / nuance involved
+
+## How we process Tx parameters
+- Integer operations on tx parameters, especially sdk.Int / sdk.Uint
+- Gas calculation & parameter choices
+- Tx signature verification (code in x/auth/ante.go)
+- Possible Node DoS vectors. (Perhaps due to Gas weighting / non constant timing)
+
+## Handling private keys
+- HD key derivation, local and Ledger, and all key-management functionality
+- Side-channel attack vectors with our implementations
+
+## Least capabilities system
+- Attack vectors in our least capabilities system
+- Scenarios where a chain runs a "Malicious module"
+ - One example is a malicious module getting priviledge escalation to read
+ a store which it doesn't have the key for
+
From 4c5850d405fbb8eb9a0cbe8e686226ad62904341 Mon Sep 17 00:00:00 2001
From: Jeremiah Andrews
Date: Sat, 7 Jul 2018 12:34:11 -0700
Subject: [PATCH 2/5] setting default to archive mode / no pruning

---
 store/iavlstore.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/store/iavlstore.go b/store/iavlstore.go
index 26a0c9ea1..e5d509572 100644
--- a/store/iavlstore.go
+++ b/store/iavlstore.go
@@ -16,7 +16,7 @@ import (
 const (
 	defaultIAVLCacheSize = 10000
 	defaultIAVLNumRecent = 100
-	defaultIAVLStoreEvery = 10000
+	defaultIAVLStoreEvery = 1
 )
 
 // load the iavl store

From 3a7a19deec2094323e07beff728fa77b117bdba9 Mon Sep 17 00:00:00 2001
From: ValarDragon
Date: Sat, 7 Jul 2018 12:44:06 -0700
Subject: [PATCH 3/5] Address comments

---
 SECURITY.md | 14 +++++---------
 1 file changed, 5 insertions(+), 9 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 9883da4c4..c4e600735 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -5,7 +5,7 @@ Policy](https://tendermint.com/security), we operate a bug bounty.
 See the policy for more details on submissions and rewards.
 
 The following is a list of examples of the kinds of bugs we're most interested in for
-the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for tendermint / lower level libs.
+the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL.
 
 ## Specification
 - Conceptual flaws
@@ -15,7 +15,8 @@ the cosmos-sdk. See [here](https://github.com/tendermint/tendermint/blob/master/
 ## Modules
 - x/staking
 - x/slashing
-- SDK standard datatype library
+- x/types
+- x/gov
 
 We are interested in bugs in other modules, however the above are most likely to have
 significant vulnerabilities, due to the complexity / nuance involved
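Review bot: The new default `defaultIAVLStoreEvery = 1` is left without a comment in the const block, so a reader has to recover from the commit subject that 1 presumably means every version is persisted (archive mode, no pruning) and that on-disk state therefore grows without bound for as long as the node runs. Add a comment on the constant, e.g. `// defaultIAVLStoreEvery = 1 persists every version (archive mode, no pruning); operators who need bounded disk use must raise it.`, and say in the same comment how it interacts with defaultIAVLNumRecent, which this commit leaves at 100. How these constants are consumed is outside the hunk, so the exact pruning semantics should be confirmed against the store code before the comment is finalized.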
@@ -29,10 +30,5 @@ significant vulnerabilities, due to the complexity / nuance involved
 ## Handling private keys
 - HD key derivation, local and Ledger, and all key-management functionality
 - Side-channel attack vectors with our implementations
-
-## Least capabilities system
-- Attack vectors in our least capabilities system
-- Scenarios where a chain runs a "Malicious module"
- - One example is a malicious module getting priviledge escalation to read
- a store which it doesn't have the key for
-
+ - e.g. key exfiltration based on time or memory-access patterns when decrypting privkey
+

From 8603eb2f62f99d5fd719120e6c61531e668c1c78 Mon Sep 17 00:00:00 2001
From: ValarDragon
Date: Mon, 9 Jul 2018 11:36:43 -0700
Subject: [PATCH 4/5] Remove mismatch in specification section (for now)

---
 SECURITY.md | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index c4e600735..4eddc8c4f 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -7,11 +7,6 @@ See the policy for more details on submissions and rewards.
 The following is a list of examples of the kinds of bugs we're most interested in for
 the Cosmos SDK. See [here](https://github.com/tendermint/tendermint/blob/master/SECURITY.md) for vulnerabilities we are interested in for Tendermint, and lower-level libraries, e.g. IAVL.
 
-## Specification
-- Conceptual flaws
-- Ambiguities, inconsistencies, or incorrect statements
-- Mis-match between specification and implementation of any component
-
 ## Modules
 - x/staking
 - x/slashing

From 7fc23631911998d44752405bb8d8c00ba51edccc Mon Sep 17 00:00:00 2001
From: Aleksandr Bezobchuk
Date: Mon, 9 Jul 2018 14:52:24 -0400
Subject: [PATCH 5/5] Merge pull request #1601: Fix LCD rest-server Command

---
 CHANGELOG.md       |  1 +
 client/lcd/root.go | 43 +++++++++++++++++++++++++------------------
 2 files changed, 26 insertions(+), 18 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 58cf20c87..e63d01c4b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -45,6 +45,7 @@ BREAKING CHANGES
 * [lcd] Switch key creation output to return bech32
 * [x/stake] store-value for delegation, validator, ubd, and red do not hold duplicate information contained store-key
 * [gaiad] genesis transactions now use bech32 addresses / pubkeys
+* [lcd] Removed shorthand CLI flags (`a`, `c`, `n`, `o`)
 
 DEPRECATED
 * [cli] Deprecate `--name` flag in commands that send txs, in favor of `--from`
diff --git a/client/lcd/root.go b/client/lcd/root.go
index 5c427546a..7406a3056 100644
--- a/client/lcd/root.go
+++ b/client/lcd/root.go
@@ -4,14 +4,6 @@ import (
 	"net/http"
 	"os"
 
-	"github.com/gorilla/mux"
-	"github.com/spf13/cobra"
-	"github.com/spf13/viper"
-	"github.com/tendermint/tendermint/libs/log"
-
-	cmn "github.com/tendermint/tendermint/libs/common"
-	tmserver "github.com/tendermint/tendermint/rpc/lib/server"
-
 	client "github.com/cosmos/cosmos-sdk/client"
 	"github.com/cosmos/cosmos-sdk/client/context"
 	keys "github.com/cosmos/cosmos-sdk/client/keys"
@@ -24,6 +16,12 @@ import (
 	ibc "github.com/cosmos/cosmos-sdk/x/ibc/client/rest"
 	slashing "github.com/cosmos/cosmos-sdk/x/slashing/client/rest"
 	stake "github.com/cosmos/cosmos-sdk/x/stake/client/rest"
+	"github.com/gorilla/mux"
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+	cmn "github.com/tendermint/tendermint/libs/common"
+	"github.com/tendermint/tendermint/libs/log"
+	tmserver "github.com/tendermint/tendermint/rpc/lib/server"
 )
 
 // ServeCommand will generate a long-running rest server
@@ -40,28 +38,35 @@ func ServeCommand(cdc *wire.Codec) *cobra.Command { RunE: func(cmd *cobra.Command, args []string) error { listenAddr := viper.GetString(flagListenAddr) handler := createHandler(cdc) - logger := log.NewTMLogger(log.NewSyncWriter(os.Stdout)). - With("module", "rest-server") + logger := log.NewTMLogger(log.NewSyncWriter(os.Stdout)).With("module", "rest-server") maxOpen := viper.GetInt(flagMaxOpenConnections) - listener, err := tmserver.StartHTTPServer(listenAddr, handler, logger, tmserver.Config{MaxOpenConnections: maxOpen}) + + listener, err := tmserver.StartHTTPServer( + listenAddr, handler, logger, + tmserver.Config{MaxOpenConnections: maxOpen}, + ) if err != nil { return err } + logger.Info("REST server started") - // Wait forever and cleanup + // wait forever and cleanup cmn.TrapSignal(func() { err := listener.Close() logger.Error("error closing listener", "err", err) }) + return nil }, } - cmd.Flags().StringP(flagListenAddr, "a", "tcp://localhost:1317", "Address for server to listen on") - cmd.Flags().String(flagCORS, "", "Set to domains that can make CORS requests (* for all)") - cmd.Flags().StringP(client.FlagChainID, "c", "", "ID of chain we connect to") - cmd.Flags().StringP(client.FlagNode, "n", "tcp://localhost:26657", "Node to connect to") - cmd.Flags().IntP(flagMaxOpenConnections, "o", 1000, "Maximum open connections") + + cmd.Flags().String(flagListenAddr, "tcp://localhost:1317", "The address for the server to listen on") + cmd.Flags().String(flagCORS, "", "Set the domains that can make CORS requests (* for all)") + cmd.Flags().String(client.FlagChainID, "", "The chain ID to connect to") + cmd.Flags().String(client.FlagNode, "tcp://localhost:26657", "Address of the node to connect to") + cmd.Flags().Int(flagMaxOpenConnections, 1000, "The number of maximum open connections") + return cmd } 
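Review bot: In the shutdown closure handed to cmn.TrapSignal, `logger.Error("error closing listener", "err", err)` runs unconditionally, so a clean listener.Close() is still reported at Error level with `err=<nil>`; the two lines should become `if err := listener.Close(); err != nil { logger.Error("error closing listener", "err", err) }`. Separately, the re-declared flagCORS flag is registered but nothing in this hunk reads its value, and createHandler is called with only cdc; if no other code consumes it, operators who set it get neither the behaviour nor a warning, which deserves at least a comment on the flag line or a viper.GetString(flagCORS) read wired to whatever applies it. The start of ServeCommand, including the cobra.Command literal's Use and Short fields, is outside the hunk.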
@@ -75,9 +80,10 @@ func createHandler(cdc *wire.Codec) http.Handler { ctx := context.NewCoreContextFromViper() - // TODO make more functional? aka r = keys.RegisterRoutes(r) + // TODO: make more functional? aka r = keys.RegisterRoutes(r) r.HandleFunc("/version", CLIVersionRequestHandler).Methods("GET") r.HandleFunc("/node_version", NodeVersionRequestHandler(ctx)).Methods("GET") + keys.RegisterRoutes(r) rpc.RegisterRoutes(ctx, r) tx.RegisterRoutes(ctx, r, cdc) @@ -87,5 +93,6 @@ func createHandler(cdc *wire.Codec) http.Handler { stake.RegisterRoutes(ctx, r, cdc, kb) slashing.RegisterRoutes(ctx, r, cdc, kb) gov.RegisterRoutes(ctx, r, cdc) + return r }
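Review bot: The added `keys.RegisterRoutes(r)` mounts the key-management endpoints on the same router as the query routes, and nothing in this hunk gates them with any form of authentication; because the listen address is operator-configurable, a comment stating the intended exposure would help, e.g. `// key-management routes are unauthenticated; they assume the listener stays on a local address` (what the keys package actually exposes is not visible here and should be confirmed). The TODO on the line above still says "aka r = keys.RegisterRoutes(r)" but now sits over the /version handlers rather than the call it describes; moving it down to the added call keeps it accurate. createHandler's opening, where r and kb are created, is outside the hunk.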