Skip to content

Only allow HTTP requests authorized by the committee#3427

Merged
jvff merged 6 commits intolinera-io:mainfrom
jvff:http-request-allow-list
Mar 9, 2025
Merged

Only allow HTTP requests authorized by the committee#3427
jvff merged 6 commits intolinera-io:mainfrom
jvff:http-request-allow-list

Conversation

@jvff
Copy link
Copy Markdown
Contributor

@jvff jvff commented Feb 27, 2025
edited
Loading

Motivation

For security reasons, we would like to initially limit the hosts that applications can send HTTP requests to.

Proposal

Add an allow-list of hosts to the ResourceControlPolicy configured by a committee. Only perform HTTP requests in the execution state actor if the target host is in the list.

Test Plan

Tests that exercise the allow list were added in PR #3509.

Release Plan

  • Nothing to do / These changes follow the usual release cycle, because this is a new feature that should be included in the next release and testnet.

Links

@jvff jvff requested review from afck, deuszx and ma2bd February 27, 2025 02:54
@jvff jvff self-assigned this Feb 27, 2025
@jvff jvff added the enhancement New feature or request label Feb 27, 2025
@jvff jvff added this to the Testnet #2 milestone Feb 27, 2025
deuszx
deuszx reviewed Feb 27, 2025
View reviewed changes
deuszx
deuszx reviewed Feb 27, 2025
View reviewed changes
linera-execution/src/execution_state_actor.rs

let response = Client::new()
.request(request.method.into(), request.url)
.request(request.method.into(), url)
Copy link
Copy Markdown
Contributor

@deuszx deuszx Feb 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we whitelist also methods?

Copy link
Copy Markdown
Contributor Author

@jvff jvff Feb 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think that's needed. We could make the allow list more complicated, mapping hosts to a set of allowed methods, but where do we draw the line? We could also limit headers, ports, etc. Right now I'm assuming that the allowed HTTP servers will be safe to communicated with.

@jvff jvff mentioned this pull request Mar 8, 2025
Merged
jvff added a commit that referenced this pull request Mar 8, 2025
@jvff
Support custom ResourceControlPolicy in integration tests (#3505)
34e86f6 
## Motivation

In integration tests, the `ResourceControlPolicy` was hardcoded to use
the default value. With the addition of an HTTP allow list (#3427), the
tests aren't able to test any HTTP requests.

## Proposal

Allow changing the `ResourceControlPolicy` used inside a test, allowing
to add hosts to the allow list. For the policy change to work, a new
committee and epoch must be published. Therefore the epoch and committee
can't be assumed to be constant anymore.

## Test Plan

Wrote some (upcoming) tests that try to perform an HTTP request without
changing the policy and after adding the host to the policy, and ensured
that the former fails while the latter succeeds.

## Release Plan

- These changes follow the usual release cycle, because this will help
with tests that use a feature that has not yet been released.

## Links

- [reviewer
checklist](https://github.com/linera-io/linera-protocol/blob/main/CONTRIBUTING.md#reviewer-checklist)
@jvff jvff force-pushed the http-request-allow-list branch 4 times, most recently from 1438770 to 509c313 Compare March 8, 2025 19:50
@jvff jvff marked this pull request as ready for review March 8, 2025 20:23
jvff added 6 commits March 9, 2025 03:05
@jvff
Add CLI option for genesis HTTP allow list
ab38a50 
Allow configuring the HTTP allow list for genesis.
@jvff
Add HTTP allow list to ResourceControlPolicy
21d872c 
Store on chain the HTTP allow list.
@jvff
Only allow HTTP requests to configured hosts
808aac1 
Fail if an attempt is made to perform an HTTP request to a host that's
not in the `ResourceControlPolicy`.
@jvff
Allow localhost access to local network tests
2b4381b 
Ensure that end-to-end tests using local networks can perform HTTP
queries to `localhost`.
@jvff
Only run Ethereum Tracker end-to-end test locally
d76ead9 
Move it from the `linera_net_tests` to the `local_net_tests`, so that it
is allowed to perform HTTP requests.
@jvff
Update block size in block size limit test
397dc90 
Use the new size of the valid block.
@jvff jvff force-pushed the http-request-allow-list branch from 509c313 to 397dc90 Compare March 9, 2025 03:10
@jvff jvff merged commit 1dee51b into linera-io:main Mar 9, 2025
23 checks passed
@jvff jvff deleted the http-request-allow-list branch March 9, 2025 03:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@deuszx deuszx deuszx left review comments

@ma2bd ma2bd ma2bd approved these changes

@afck afck Awaiting requested review from afck

Assignees

@jvff jvff

Labels

enhancement New feature or request

Projects

Core Protocol
Status: Done

Milestone

Testnet #2

Development

Successfully merging this pull request may close these issues.

3 participants

@jvff @ma2bd @deuszx