Strip RPC URLs from generated dotrain to prevent API token leak (#2165)#2719
Strip RPC URLs from generated dotrain to prevent API token leak (#2165)#2719thedavidmeister wants to merge 5 commits into
Conversation
generate_dotrain_for_deployment() copied the deployment network's `networks` section verbatim into the dotrain it produces. That dotrain is shared and embedded into on-chain order metadata, so any private API token baked into a user's RPC URL (path segment or query string) leaked to everyone who could read the order. Following the existing vault-id stripping pattern, replace every RPC URL in the emitted network entry with a non-secret placeholder before returning. The placeholder is a parseable URL so the required, non-empty `rpcs` array stays structurally valid and the generated dotrain still parses; consumers (webapp / local settings) inject their own RPCs at use time. Adds a discriminating test that embeds two secrets (a path-style API key and a query token) in the network RPC URLs and asserts neither secret, nor the secret-bearing URLs, appears anywhere in the generated dotrain, that each rpc entry is replaced by the placeholder, and that the result still parses. The test fails against the unpatched function (secret leaks through). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Warning Review limit reached
More reviews will be available in 37 minutes and 11 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Drop the four !generated.contains() checks that hard-wire specific secret strings into the test: those assertions are fragile (any rewording of the URL silently breaks coverage) and redundant. The structural check already in the test — every rpcs entry is STRIPPED_RPC_PLACEHOLDER — is the complete, correct invariant: if every RPC is replaced with the placeholder then by construction no secret can survive in the rpcs field, regardless of the specific secret values. Refs #2165 Co-Authored-By: Claude <noreply@anthropic.com>
Fixes #2165
Problem
generate_dotrain_for_deployment()(crates/common/src/dotrain_order.rs) copied the deployment network'snetworkssection verbatim into the dotrain it produces. That generated dotrain is shared with others and embedded into on-chain order metadata (viaAddOrderArgs::new_from_deployment), so any private API token baked into a user's RPC URL — whether in a path segment (/v2/<key>) or a query string (?apikey=<token>) — leaked to everyone who could read the order.Fix
Following the existing vault-id stripping pattern in the same function, a new
strip_rpcs_from_networkhelper replaces every RPC URL in the emitted network entry with a non-secret placeholder (https://rpc.example.com) before the dotrain is returned.The placeholder is a parseable URL, so the required, non-empty
rpcsarray stays structurally valid and the generated dotrain still parses end-to-end. Consumers (the webapp / local settings) inject their own RPCs at use time, which is exactly what the issue asks for ("remove/strip the rpc urls and put local/webapp settings in place of those if needed").Test
Adds
test_generate_dotrain_for_deployment_strips_rpc_api_tokens, a discriminating test that:DotrainOrder::create.Verified the test FAILS against the unpatched function (panics with "path API key leaked into generated dotrain") and PASSES with the fix.
Verification
cargo test -p raindex_common --lib dotrain_order::— 18 passed, 0 failed.cargo test -p raindex_common --lib raindex_order_builder::— 92 passed, 0 failed (these consumegenerate_dotrain_for_deploymentand recompute their expected hashes, so they self-consistently track the content change).cargo fmtapplied.🤖 Generated with Claude Code