Skip to content

Strip RPC URLs from generated dotrain to prevent API token leak (#2165)#2719

Open
thedavidmeister wants to merge 5 commits into
mainfrom
2026-06-13-issue-2165
Open

Strip RPC URLs from generated dotrain to prevent API token leak (#2165)#2719
thedavidmeister wants to merge 5 commits into
mainfrom
2026-06-13-issue-2165

Conversation

@thedavidmeister

Copy link
Copy Markdown
Contributor

Fixes #2165

Problem

generate_dotrain_for_deployment() (crates/common/src/dotrain_order.rs) copied the deployment network's networks section verbatim into the dotrain it produces. That generated dotrain is shared with others and embedded into on-chain order metadata (via AddOrderArgs::new_from_deployment), so any private API token baked into a user's RPC URL — whether in a path segment (/v2/<key>) or a query string (?apikey=<token>) — leaked to everyone who could read the order.

Fix

Following the existing vault-id stripping pattern in the same function, a new strip_rpcs_from_network helper replaces every RPC URL in the emitted network entry with a non-secret placeholder (https://rpc.example.com) before the dotrain is returned.

The placeholder is a parseable URL, so the required, non-empty rpcs array stays structurally valid and the generated dotrain still parses end-to-end. Consumers (the webapp / local settings) inject their own RPCs at use time, which is exactly what the issue asks for ("remove/strip the rpc urls and put local/webapp settings in place of those if needed").

Test

Adds test_generate_dotrain_for_deployment_strips_rpc_api_tokens, a discriminating test that:

  • embeds two distinct secrets in the network's RPC URLs (a path-style API key and a query-string token);
  • asserts neither secret string, nor either full secret-bearing URL, appears anywhere in the generated dotrain (the core security assertion);
  • asserts each of the two rpc entries is replaced by the placeholder;
  • asserts the generated dotrain still parses via DotrainOrder::create.

Verified the test FAILS against the unpatched function (panics with "path API key leaked into generated dotrain") and PASSES with the fix.

Verification

  • cargo test -p raindex_common --lib dotrain_order:: — 18 passed, 0 failed.
  • cargo test -p raindex_common --lib raindex_order_builder:: — 92 passed, 0 failed (these consume generate_dotrain_for_deployment and recompute their expected hashes, so they self-consistently track the content change).
  • cargo fmt applied.

🤖 Generated with Claude Code

generate_dotrain_for_deployment() copied the deployment network's
`networks` section verbatim into the dotrain it produces. That dotrain is
shared and embedded into on-chain order metadata, so any private API token
baked into a user's RPC URL (path segment or query string) leaked to
everyone who could read the order.

Following the existing vault-id stripping pattern, replace every RPC URL in
the emitted network entry with a non-secret placeholder before returning.
The placeholder is a parseable URL so the required, non-empty `rpcs` array
stays structurally valid and the generated dotrain still parses;
consumers (webapp / local settings) inject their own RPCs at use time.

Adds a discriminating test that embeds two secrets (a path-style API key
and a query token) in the network RPC URLs and asserts neither secret, nor
the secret-bearing URLs, appears anywhere in the generated dotrain, that
each rpc entry is replaced by the placeholder, and that the result still
parses. The test fails against the unpatched function (secret leaks
through).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@thedavidmeister thedavidmeister self-assigned this Jun 13, 2026
@coderabbitai

coderabbitai Bot commented Jun 13, 2026

Copy link
Copy Markdown
Contributor

Warning

Review limit reached

@thedavidmeister, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 37 minutes and 11 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: d8862bc3-66ad-4709-a291-6f90f6f9b87a

📥 Commits

Reviewing files that changed from the base of the PR and between f887bca and 5f2075f.

📒 Files selected for processing (1)
  • crates/common/src/dotrain_order.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch 2026-06-13-issue-2165

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

thedavidmeister and others added 4 commits June 15, 2026 16:37
Drop the four !generated.contains() checks that hard-wire specific
secret strings into the test: those assertions are fragile (any
rewording of the URL silently breaks coverage) and redundant.

The structural check already in the test — every rpcs entry is
STRIPPED_RPC_PLACEHOLDER — is the complete, correct invariant: if every
RPC is replaced with the placeholder then by construction no secret can
survive in the rpcs field, regardless of the specific secret values.

Refs #2165
Co-Authored-By: Claude <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Replace/strip rpc urls before deploying an order

1 participant