-
Notifications
You must be signed in to change notification settings - Fork 244
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
feat: Block cheat codes in anvil (#8277)
Adds a second api to the mainnet-fork, located at `public-PUBLIC_API_KEY`, in which all cheat codes are blocked. We define a cheat code as a method in the evm, hardhat, or anvil namespaces. We use njs for parsing the JSON RPC request body and testing the method namespace. The PUBLIC_API_KEY is only set for provernet, for other networks, we load the same API_KEY secret as always. This PR also enables logging for anvil, including a logrotate config to ensure we don't fill up the disk just with logs.
- Loading branch information
1 parent
2cfe7cd
commit 4a82f53
Showing
12 changed files
with
120 additions
and
36 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,9 @@ | ||
/var/log/anvil/*.log { | ||
daily | ||
missingok | ||
rotate 14 | ||
size 50M | ||
compress | ||
notifempty | ||
copytruncate | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
load_module modules/ngx_http_js_module.so; | ||
|
||
events { | ||
worker_connections 768; | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
// Authorizes a request based on the method of the JSON-RPC request body, blocking all cheat codes. | ||
// See https://github.com/nginx/njs-examples?tab=readme-ov-file#authorizing-requests-based-on-request-body-content-http-authorization-request-body | ||
function authorize(r) { | ||
try { | ||
if (r.requestText) { | ||
const body = JSON.parse(r.requestText); | ||
if (body && body.method) { | ||
const method = body.method.replace(/\s+/g).toLowerCase(); | ||
if ( | ||
method.startsWith("evm_") || | ||
method.startsWith("hardhat_") || | ||
method.startsWith("anvil_") | ||
) { | ||
const error = "Restricted method " + method; | ||
r.error(error); | ||
r.return(401, JSON.stringify({ error })); | ||
return; | ||
} | ||
} | ||
} | ||
r.internalRedirect("@anvil"); | ||
} catch (e) { | ||
r.error("JSON.parse exception: " + e); | ||
r.return(400, JSON.stringify({ error: "Error parsing request" })); | ||
} | ||
} | ||
|
||
export default { authorize }; |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1 @@ | ||
3 | ||
4 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
#!/bin/sh | ||
set -eu | ||
|
||
# See https://nginx.org/en/linux_packages.html#Ubuntu | ||
echo 'debconf debconf/frontend select Noninteractive' | debconf-set-selections | ||
|
||
apt-get update && apt install -y curl gnupg2 ca-certificates lsb-release ubuntu-keyring | ||
|
||
curl -sS https://nginx.org/keys/nginx_signing.key | gpg --dearmor \ | ||
| tee /usr/share/keyrings/nginx-archive-keyring.gpg >/dev/null | ||
|
||
echo "deb [signed-by=/usr/share/keyrings/nginx-archive-keyring.gpg] \ | ||
http://nginx.org/packages/ubuntu `lsb_release -cs` nginx" \ | ||
| tee /etc/apt/sources.list.d/nginx.list | ||
|
||
echo "Package: *\nPin: origin nginx.org\nPin: release o=nginx\nPin-Priority: 900\n" \ | ||
| tee /etc/apt/preferences.d/99nginx | ||
|
||
apt-get update && apt install -y git curl nginx nginx-module-njs |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters