Problem: path parameter in debug_goTrace is not safe when serve public rpc (#576)

* Problem: no specific dir for the log from debug_goTrace

* lint

* allow any

* revert

* cleanup

* fix format

* fix config

* Apply suggestions from code review

---------

Co-authored-by: HuangYi <huang@crypto.com>

Author: mmsqe

CHANGELOG.md

@@ -110,6 +110,8 @@ Ref: https://keepachangelog.com/en/1.0.0/
 * [#555](https://github.com/crypto-org-chain/ethermint/pull/555) Update cometbft to 0.38.14 and rocksdb to 9.7.4.
 * [#565](https://github.com/crypto-org-chain/ethermint/pull/565) Add back CacheWrapWithTrace api.
 * [#563](https://github.com/crypto-org-chain/ethermint/pull/563) Bump ibc-go to v9.0.2.
+* [#576](https://github.com/crypto-org-chain/ethermint/pull/576) Add config `json-rpc.restrict-user-input` to restrict
+  user input when serving json-rpc in public.
 
 ## v0.21.x-cronos
 

rpc/namespaces/ethereum/debug/trace.go

@@ -22,9 +22,13 @@ package debug
 import (
 	"errors"
 	"os"
+	"path/filepath"
 	"runtime/trace"
+	"strings"
 
 	stderrors "github.com/pkg/errors"
+
+	srvflags "github.com/evmos/ethermint/server/flags"
 )
 
 // StartGoTrace turns on tracing, writing to the given file.
@@ -33,16 +37,46 @@ func (a *API) StartGoTrace(file string) error {
 	a.handler.mu.Lock()
 	defer a.handler.mu.Unlock()
 
+	restrictUserInput := a.ctx.Viper.GetBool(srvflags.JSONRPCRestrictUserInput)
+
 	if a.handler.traceFile != nil {
 		a.logger.Debug("trace already in progress")
 		return errors.New("trace already in progress")
 	}
-	fp, err := ExpandHome(file)
+	var err error
+	file, err = ExpandHome(file)
 	if err != nil {
 		a.logger.Debug("failed to get filepath for the CPU profile file", "error", err.Error())
 		return err
 	}
-	f, err := os.Create(fp)
+
+	file, err = filepath.Abs(file)
+	if err != nil {
+		a.logger.Debug("failed to get absolute path for the CPU profile file", "error", err.Error())
+		return err
+	}
+
+	if restrictUserInput {
+		// Ensure that the trace file is in the data directory.
+		absDataDir, err := filepath.Abs(a.ctx.Config.RootDir)
+		if err != nil {
+			a.logger.Debug("failed to get absolute path for the data directory", "error", err.Error())
+			return err
+		}
+
+		if !strings.HasPrefix(file, absDataDir) {
+			a.logger.Debug("trace file must be in the data directory")
+			return errors.New("trace file must be in the data directory")
+		}
+	}
+
+	var f *os.File
+	if restrictUserInput {
+		// Create the file with O_EXCL to ensure that the file does not exist.
+		f, err = os.OpenFile(file, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0o666)
+	} else {
+		f, err = os.Create(file)
+	}
 	if err != nil {
 		a.logger.Debug("failed to create go trace file", "error", err.Error())
 		return err

server/config/config.go

@@ -182,6 +182,9 @@ type JSONRPCConfig struct {
 	FixRevertGasRefundHeight int64 `mapstructure:"fix-revert-gas-refund-height"`
 	// ReturnDataLimit defines maximum number of bytes returned from `eth_call` or similar invocations
 	ReturnDataLimit int64 `mapstructure:"return-data-limit"`
+	// RestrictUserInput will restrict some user input to the JSON-RPC debug apis,
+	// must be set to true if serving debug namespace to the public.
+	RestrictUserInput bool `mapstructure:"restrict-user-input"`
 }
 
 // TLSConfig defines the certificate and matching private key for the server.
@@ -300,6 +303,7 @@ func DefaultJSONRPCConfig() *JSONRPCConfig {
 		MetricsAddress:           DefaultJSONRPCMetricsAddress,
 		FixRevertGasRefundHeight: DefaultFixRevertGasRefundHeight,
 		ReturnDataLimit:          DefaultReturnDataLimit,
+		RestrictUserInput:        false,
 	}
 }
 
@@ -435,6 +439,7 @@ func GetConfig(v *viper.Viper) (Config, error) {
 			MetricsAddress:           v.GetString("json-rpc.metrics-address"),
 			FixRevertGasRefundHeight: v.GetInt64("json-rpc.fix-revert-gas-refund-height"),
 			ReturnDataLimit:          v.GetInt64("json-rpc.return-data-limit"),
+			RestrictUserInput:        v.GetBool("json-rpc.restrict-user-input"),
 		},
 		TLS: TLSConfig{
 			CertificatePath: v.GetString("tls.certificate-path"),

server/config/toml.go

@@ -108,6 +108,10 @@ fix-revert-gas-refund-height = {{ .JSONRPC.FixRevertGasRefundHeight }}
 # Maximum number of bytes returned from eth_call or similar invocations.
 return-data-limit = {{ .JSONRPC.ReturnDataLimit }}
 
+# RestrictUserInput will restrict some user input to the JSON-RPC debug apis,
+# must be set to true if serving debug namespace to the public.
+restrict-user-input = {{ .JSONRPC.RestrictUserInput }}
+
 ###############################################################################
 ###                             TLS Configuration                           ###
 ###############################################################################

server/flags/flags.go

@@ -72,6 +72,7 @@ const (
 	JSONRPCEnableMetrics            = "metrics"
 	JSONRPCFixRevertGasRefundHeight = "json-rpc.fix-revert-gas-refund-height"
 	JSONRPCReturnDataLimit          = "json-rpc.return-data-limit"
+	JSONRPCRestrictUserInput        = "json-rpc.restrict-user-input"
 )
 
 // EVM flags

server/start.go

@@ -217,6 +217,7 @@ which accepts a path for the resulting pprof file.
 	cmd.Flags().Int(srvflags.JSONRPCMaxOpenConnections, config.DefaultMaxOpenConnections, "Sets the maximum number of simultaneous connections for the server listener") //nolint:lll
 	cmd.Flags().Bool(srvflags.JSONRPCEnableIndexer, false, "Enable the custom tx indexer for json-rpc")
 	cmd.Flags().Bool(srvflags.JSONRPCAllowIndexerGap, true, "Allow block gap for the custom tx indexer for json-rpc")
+	cmd.Flags().Bool(srvflags.JSONRPCRestrictUserInput, false, "Restrict some user input to the JSON-RPC debug apis, must be set to true if serving debug namespace to the public") //nolint:lll
 	cmd.Flags().Bool(srvflags.JSONRPCEnableMetrics, false, "Define if EVM rpc metrics server should be enabled")
 
 	cmd.Flags().String(srvflags.EVMTracer, config.DefaultEVMTracer, "the EVM tracer type to collect execution traces from the EVM transaction execution (json|struct|access_list|markdown)") //nolint:lll