This repository has been archived by the owner on Nov 6, 2020. It is now read-only.

Security: Issue: "[websockets]apis" settings are ignored i.e. "parity_accounts" is not getting disabled i.e. it is possible to invoke "parity_newAccountFromPhrase"! #9490

Closed
becke-ch-s0-v1 opened this issue Sep 7, 2018 · 8 comments
Labels
M2-config 📂 Chain specifications and node configurations. Z1-question 🙋‍♀️ Issue is a question. Closer should answer.
Milestone

Comments

@becke-ch-s0-v1

  • Parity Ethereum version: 1.11.8
  • Operating system: Linux - Ubuntu 18.04.1 LTS
  • Installation: Docker - parity/parity:v1.11.8
  • Fully synchronized: yes
  • Network: private PoA network - "networkID" : "0x777"
  • Restarted: yes

My node configuration:
/data/becke-ch--parity-node--s0-v1/configuration/node-config.toml
Has the following value:

[network]
bootnodes = ["enode://8aa082af49915716b275cc9ab16e1b2d57a67ab8182490fafb9b0b4b4f9f87eee0731e70f5c42f1f1da3e07893d7ed1f43f5f26d9cdec9d280e49111071195cd@172.17.0.2:30303"]
[rpc]
apis = ["web3", "eth", "pubsub", "net", "shh", "shh_pubsub"]
[websockets]
apis = ["web3", "eth", "pubsub", "net", "shh", "shh_pubsub"]

And when I start parity as follows:
docker run -ti -v /data/becke-ch--parity-node--s0-v1/:/data/becke-ch--parity-node--s0-v1/ parity/parity:v1.11.8 --chain /data/becke-ch--parity-node--s0-v1/configuration/chain-config.json --config /data/becke-ch--parity-node--s0-v1/configuration/node-config.toml --base-path /data/becke-ch--parity-node--s0-v1/data/ --jsonrpc-interface 172.17.0.2 --ws-interface 172.17.0.2
I expect that the API parity_accounts is disabled i.e. it should not be possible to invoke parity_newAccountFromPhrase!
This is actually true for "rpc" i.e. when I call the following:
curl --data '{"method":"parity_newAccountFromPhrase","params":["stylus outing overhand dime radial seducing harmless uselessly evasive tastiness eradicate imperfect","hunter2"],"id":1,"jsonrpc":"2.0"}' -H "Content-Type: application/json" -X POST 172.17.0.2:8545
I'm getting as expected the error:
{"jsonrpc":"2.0","error":{"code":-32601,"message":"Method not found"},"id":1}
BUT when I start parity-ui as follows:
/tool/parity-ui-0.3.4/parity-ui --ws-interface=172.17.0.2 --ws-port=8546 &
It is no problem for me to create new accounts, even though this API (parity_accounts) should be blocked!
Therefore I've used Wireshark to analyze the WebSocket traffic, and indeed in the background the methods "parity_phraseToAddress", "parity_newAccountFromPhrase" and "parity_setAccountName" are invoked without any issues!

Frame 829: 240 bytes on wire (1920 bits), 240 bytes captured (1920 bits) on interface 0
{"id":317,"jsonrpc":"2.0","method":"parity_phraseToAddress","params":["perm luxurious saint dismantle flanked harmonics speed litmus eggnog unwound droop conjoined"]}

Frame 830: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits) on interface 0
{"jsonrpc":"2.0","result":"0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","id":317}

Frame 832: 256 bytes on wire (2048 bits), 256 bytes captured (2048 bits) on interface 0
{"id":318,"jsonrpc":"2.0","method":"parity_newAccountFromPhrase","params":["perm luxurious saint dismantle flanked harmonics speed litmus eggnog unwound droop conjoined","eo..."]}

Frame 834: 148 bytes on wire (1184 bits), 148 bytes captured (1184 bits) on interface 0
{"jsonrpc":"2.0","result":"0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","id":318}

Frame 835: 195 bytes on wire (1560 bits), 195 bytes captured (1560 bits) on interface 0
{"id":319,"jsonrpc":"2.0","method":"parity_setAccountName","params":["0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","test8"]}

Frame 837: 108 bytes on wire (864 bits), 108 bytes captured (864 bits) on interface 0
{"jsonrpc":"2.0","result":true,"id":319}

Best regards
Raoul
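An added audit helper, not part of the issue or of Parity's code base: it classifies a JSON-RPC reply the way an operator checking `--jsonrpc-apis` / `--ws-apis` would (a -32601 "Method not found" means the method is disabled; a result, or a -32602 "Invalid params", means the server knows the method), and it scans WebSocket frames for account-management calls that succeeded, which is what the Wireshark capture above shows. The sample frames are constructed from the capture with the phrase and password elided; the method set is assumed to be just the three methods the capture names.

```python
import json

# Assumption: limited to the three parity_accounts methods seen in the capture.
ACCOUNT_METHODS = {"parity_phraseToAddress", "parity_newAccountFromPhrase",
                   "parity_setAccountName"}

METHOD_NOT_FOUND = -32601  # JSON-RPC 2.0: method disabled or unknown
INVALID_PARAMS = -32602    # JSON-RPC 2.0: method exists, arguments rejected


def classify(response_text):
    """Return 'disabled', 'exposed' or 'unknown' for one JSON-RPC response."""
    resp = json.loads(response_text)
    if "result" in resp:
        return "exposed"
    code = resp.get("error", {}).get("code")
    if code == METHOD_NOT_FOUND:
        return "disabled"
    if code == INVALID_PARAMS:
        return "exposed"  # the node dispatched the method; only params were bad
    return "unknown"


def successful_account_calls(frames):
    """Pair requests with responses by id; list (id, method) for
    account-management calls that came back with a result."""
    requests, hits = {}, []
    for line in frames:
        msg = json.loads(line)
        if "method" in msg:
            requests[msg["id"]] = msg["method"]
        elif "result" in msg and requests.get(msg["id"]) in ACCOUNT_METHODS:
            hits.append((msg["id"], requests[msg["id"]]))
    return hits


# Constructed sample: payloads of the frames captured in the issue, secrets elided.
CAPTURE = [
    '{"id":317,"jsonrpc":"2.0","method":"parity_phraseToAddress","params":["<phrase>"]}',
    '{"jsonrpc":"2.0","result":"0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","id":317}',
    '{"id":318,"jsonrpc":"2.0","method":"parity_newAccountFromPhrase","params":["<phrase>","<pw>"]}',
    '{"jsonrpc":"2.0","result":"0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","id":318}',
    '{"id":319,"jsonrpc":"2.0","method":"parity_setAccountName","params":["0x00361ea865dcc740a0d9e3ed2543c340ebc583d8","test8"]}',
    '{"jsonrpc":"2.0","result":true,"id":319}',
]

if __name__ == "__main__":
    for rpc_id, method in successful_account_calls(CAPTURE):
        print(f"account-management call succeeded: id={rpc_id} {method}")
```

Run `classify` over the reply of the curl probe above to confirm the HTTP side is disabled, and `successful_account_calls` over the WebSocket payloads to see which account calls the UI got through.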

@becke-ch-s0-v1 becke-ch-s0-v1 changed the title Security: Leak: "[websockets]apis" settings are ignored i.e. "parity_accounts" is not getting disabled i.e. it is possible to invoke "parity_newAccountFromPhrase"! Security: Issue: "[websockets]apis" settings are ignored i.e. "parity_accounts" is not getting disabled i.e. it is possible to invoke "parity_newAccountFromPhrase"! Sep 7, 2018
@Tbaut
Contributor

Tbaut commented Sep 7, 2018

Parity UI is authenticated with a token, and you must have clicked some authorization at least once when you started it up to let the UI access the node and give it separate rights.

You should not be able to call this method over WS without authentication, and from what I read, this holds true.

@Tbaut Tbaut closed this as completed Sep 7, 2018
@Tbaut Tbaut added the Z1-question 🙋‍♀️ Issue is a question. Closer should answer. label Sep 7, 2018
@Tbaut Tbaut added this to the 2.1 milestone Sep 7, 2018
@becke-ch-s0-v1
Author

Sorry but I don't agree. When I disable an API e.g. "parity_accounts" then it should be disabled no matter what I do. And no I did not click anything. I think this is just a serious security bug. And a backdoor for accessing a node. I will try whether I can access other nodes out there.

@tomusdrw
Collaborator

tomusdrw commented Sep 9, 2018

Hi @becke-ch-s0-v1!
On the WebSocket interface we expose two independent sets of APIs:

  1. One is for dapps / external applications - this is the one you control via --ws-apis, we call it "insecure" context.
  2. Second one is "secure" context, where during connection you need to provide a signer token - it exposes all available APIs. The signer token has to be generated in command line (parity signer new-token) and then submitted by a dapp. Since websites / external clients don't have access to the token, it's not possible for them to connect with the token, unless you type the token in the dapp.

Parity UI is using the secure connection, so it can always access all the methods.

@becke-ch-s0-v1
Author

Hi @tomusdrw ,
Thank you for the explanation, but still, I did not run the command "parity signer new-token" and I did not provide any token to the ParityUI, so how can the ParityUI have such a token to access my Parity node?

@tomusdrw
Collaborator

Since ParityUI is now a regular application running with the privileges of your user, it can run the command automatically. You can find the appropriate line here: https://github.com/parity-js/shell/blob/68fda6c3d8b5321292d8eebb73cdf63f9c4a2f5a/electron/operations/signerNewToken.js#L24

@becke-ch-s0-v1
Author

Hi @tomusdrw ,
I tried it now several times i.e. deleted all Parity UI data:

rm -rf .config/parity-ui
rm -rf .local/share/io.parity.ethereum

And deleted all node data: rm -rf /data/becke-ch--parity-node--s0-v1/data/* (I did a PoA chain setup here according to the Parity tutorial), and the ParityUI could connect to my node without requiring/asking for a token (I just needed to accept all disclaimers at the first start).
Now I tried to only delete all Parity UI data:

rm -rf .config/parity-ui
rm -rf .local/share/io.parity.ethereum

And really, this time I was required to generate a token first (before I could proceed to the disclaimers).
So in the end the behavior seems not really deterministic and not really secure.

@becke-ch-s0-v1
Author

Hi @tomusdrw ,
Actually, the behavior I posted above holds true for any chain I've started. It looks like the first ParityUI that connects to this node gets a signer token for free :-) i.e. I logged in as another, second user and started a ParityUI and was then prompted for a signer token.
PS: Regarding "it can run the command automatically": is this not possible because they are on different machines? The following error is displayed: "Can't run parity signer new-token command."

@5chdn 5chdn added the M2-config 📂 Chain specifications and node configurations. label Sep 12, 2018
@tomusdrw
Collaborator

@becke-ch-s0-v1 indeed, the API allows a connection with a special "initial" token to prevent a hassle in case you set up your node for the first time. Since the UI is no longer officially supported, I made a PR to disable that behaviour in #9545
