Uniform and extended security warnings

- added security warning to producer API plugin - made existing checks uniform and more robust - added security error for wallet when its exposed to the LAN and unencrypted EOSIO/eos#3598 EOSIO/eos#3599

Uniform and extended security warnings
- added security warning to producer API plugin - made existing checks uniform and more robust - added security error for wallet when its exposed to the LAN and unencrypted EOSIO/eos#3598 EOSIO/eos#3599
62b99b5c · Bart Wyatt · 29799eae · 62b99b5c · 62b99b5c · 62b99b5c
6 changed file
--- a/plugins/http_plugin/http_plugin.cpp
+++ b/plugins/http_plugin/http_plugin.cpp
@@ -411,4 +411,12 @@ namespace eosio {
      }
   }

+   bool http_plugin::is_on_loopback() const {
+      return (!my->listen_endpoint || my->listen_endpoint->address().is_loopback()) && (!my->https_listen_endpoint || my->https_listen_endpoint->address().is_loopback());
+   }
+
+   bool http_plugin::is_secure() const {
+      return (!my->listen_endpoint || my->listen_endpoint->address().is_loopback());
+   }
+
 }
--- a/plugins/http_plugin/include/eosio/http_plugin/http_plugin.hpp
+++ b/plugins/http_plugin/include/eosio/http_plugin/http_plugin.hpp
@@ -76,6 +76,9 @@ namespace eosio {
        // standard exception handling for api handlers
        static void handle_exception( const char *api_name, const char *call_name, const string& body, url_response_callback cb );

+        bool is_on_loopback() const;
+        bool is_secure() const;
+
      private:
        std::unique_ptr<class http_plugin_impl> my;
   };

--- a/plugins/net_api_plugin/net_api_plugin.cpp
+++ b/plugins/net_api_plugin/net_api_plugin.cpp
@@ -83,19 +83,16 @@ void net_api_plugin::plugin_startup() {
 }

 void net_api_plugin::plugin_initialize(const variables_map& options) {
-   if (options.count("http-server-address")) {
-      const auto& lipstr = options.at("http-server-address").as<string>();
-      const auto& host = lipstr.substr(0, lipstr.find(':'));
-      if (host != "localhost" && host != "127.0.0.1") {
-         wlog("\n"
-              "*************************************\n"
-              "*                                   *\n"
-              "*  --  Net API NOT on localhost  -- *\n"
-              "*                                   *\n"
-              "*   this may be abused if exposed   *\n"
-              "*                                   *\n"
-              "*************************************\n");
-      }
+   const auto& _http_plugin = app().get_plugin<http_plugin>();
+   if (!_http_plugin.is_on_loopback()) {
+      wlog("\n"
+           "**********SECURITY WARNING**********\n"
+           "*                                  *\n"
+           "* --         Net API            -- *\n"
+           "* - EXPOSED to the LOCAL NETWORK - *\n"
+           "* - USE ONLY ON SECURE NETWORKS! - *\n"
+           "*                                  *\n"
+           "************************************\n");
   }
 }


--- a/plugins/net_plugin/net_plugin.cpp
+++ b/plugins/net_plugin/net_plugin.cpp
@@ -3121,4 +3121,5 @@ namespace eosio {
      }
      return 0;
   }
+
 }
--- a/plugins/producer_api_plugin/producer_api_plugin.cpp
+++ b/plugins/producer_api_plugin/producer_api_plugin.cpp
@@ -80,6 +80,19 @@ void producer_api_plugin::plugin_startup() {
 }

 void producer_api_plugin::plugin_initialize(const variables_map& options) {
+   const auto& _http_plugin = app().get_plugin<http_plugin>();
+   if (!_http_plugin.is_on_loopback()) {
+      wlog("\n"
+           "**********SECURITY WARNING**********\n"
+           "*                                  *\n"
+           "* --        Producer API        -- *\n"
+           "* - EXPOSED to the LOCAL NETWORK - *\n"
+           "* - USE ONLY ON SECURE NETWORKS! - *\n"
+           "*                                  *\n"
+           "************************************\n");
+
+   }
+
 }



--- a/plugins/wallet_api_plugin/wallet_api_plugin.cpp
+++ b/plugins/wallet_api_plugin/wallet_api_plugin.cpp
@@ -100,18 +100,29 @@ void wallet_api_plugin::plugin_startup() {
 }

 void wallet_api_plugin::plugin_initialize(const variables_map& options) {
-   if (options.count("http-server-address")) {
-      const auto& lipstr = options.at("http-server-address").as<string>();
-      const auto& host = lipstr.substr(0, lipstr.find(':'));
-      if (host != "localhost" && host != "127.0.0.1") {
+   const auto& _http_plugin = app().get_plugin<http_plugin>();
+   if (!_http_plugin.is_on_loopback()) {
+      if (!_http_plugin.is_secure()) {
+         elog("\n"
+              "********!!!SECURITY ERROR!!!********\n"
+              "*                                  *\n"
+              "* --       Wallet API           -- *\n"
+              "* - EXPOSED to the LOCAL NETWORK - *\n"
+              "* -  HTTP RPC is NOT encrypted   - *\n"
+              "* - Password and/or Private Keys - *\n"
+              "* - are at HIGH risk of exposure - *\n"
+              "*                                  *\n"
+              "************************************\n");
+      } else {
         wlog("\n"
-              "*************************************\n"
-              "*                                   *\n"
-              "*  --   Wallet NOT on localhost  -- *\n"
-              "*  - Password and/or Private Keys - *\n"
-              "*  - are transferred unencrypted. - *\n"
-              "*                                   *\n"
-              "*************************************\n");
+              "**********SECURITY WARNING**********\n"
+              "*                                  *\n"
+              "* --       Wallet API           -- *\n"
+              "* - EXPOSED to the LOCAL NETWORK - *\n"
+              "* - Password and/or Private Keys - *\n"
+              "* -   are at risk of exposure    - *\n"
+              "*                                  *\n"
+              "************************************\n");
      }
   }
 }