Skip to content

feat(security): use files rather than pass by arg#1818

Open
gilescope wants to merge 1 commit into
mainfrom
giles-toolkit-seed-file
Open

feat(security): use files rather than pass by arg#1818
gilescope wants to merge 1 commit into
mainfrom
giles-toolkit-seed-file

Conversation

@gilescope

Copy link
Copy Markdown
Contributor

Overview

Passing secrets by arg isn't the safest way to do things. Midnight toolkit is a testing toolkit but still it's good to provide people with the safest way to do things.

🗹 TODO before merging

  • Ready

📌 Submission Checklist

  • All commits are signed off (git commit -s) for the DCO
  • Changes are backward-compatible (or flagged if breaking)
  • Pull request description explains why the change is needed
  • Self-reviewed the diff
  • I have included a change file, or skipped for this reason:
  • If the changes introduce a new feature, I have bumped the node minor version
  • Update documentation (if relevant)
  • Updated AGENTS.md if build commands, architecture, or workflows changed
  • No new todos introduced

🧪 Testing Evidence

Please describe any additional testing aside from CI:

  • Additional tests are provided (if possible)

🔱 Fork Strategy

  • Node Runtime Update
  • Node Client Update
  • Other:
  • N/A

Links

Signed-off-by: Giles Cope <gilescope@gmail.com>
@gilescope gilescope requested a review from a team as a code owner July 3, 2026 10:36
@datadog-official

Copy link
Copy Markdown

Pipelines

⚠️ Warnings

🚦 1 Pipeline job failed

Changes Check | check-changes   View in Datadog   GitHub Actions

This comment will be updated automatically if new data arrives.
🔗 Commit SHA: e340984 | Docs | Give us feedback!

Comment thread util/toolkit/README.md
[..]Executing generate-intent[..]
[..]Executing maintain command
[..]Executing ../toolkit-js/dist/bin.js with arguments: ["maintain", "contract", "-c", "[CWD]/../toolkit-js/test/contract/contract.config.ts", "--network", "undeployed", "--coin-public", "aa0d72bb77ea46f986a800c66d75c4e428a95bd7e1244f1ed059374e6266eb98", "--input", "[CWD]/test-data/contract/counter/contract_state.mn", "--output", "[CWD]/out/intent.bin", "--signing", "0000000000000000000000000000000000000000000000000000000000000001", "3102ba67572345ef8bc5cd238bff10427b4533e376b4aaed524c2f1ef5eca806", "0000000000000000000000000000000000000000000000000000000000000002"]...
[..]Executing ../toolkit-js/dist/bin.js with arguments: ["maintain", "contract", "-c", "[CWD]/../toolkit-js/test/contract/contract.config.ts", "--network", "undeployed", "--coin-public", "aa0d72bb77ea46f986a800c66d75c4e428a95bd7e1244f1ed059374e6266eb98", "--input", "[CWD]/test-data/contract/counter/contract_state.mn", "--output", "[CWD]/out/intent.bin", "--signing-file", "[..]", "3102ba67572345ef8bc5cd238bff10427b4533e376b4aaed524c2f1ef5eca806", "--new-authority-file", "[..]"]...

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not printing file path in logs is security via obscurity. If adversary has access to the machine with seeds files, then he has access to the files regardless if these files path is printed here or not.

Comment thread node/src/command.rs
"error when reading AURA seed file at {seed_file}. Error: {e}"
))
})?;
let seed = read_seed_file(seed_file, "AURA")?;

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Talking about security: we depend on polkadot-sdk and keystore files. Is this code really indispensable? Supporting reading from two sources will always be at most as secure as the less secure of two ways.

@LGLO LGLO left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are few bits that are smells, but in essence problems existed before.

fields are also `Debug`-redacted (`SecretString`) so `--dry-run` info logs
can't leak them.

PR:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing PR link

`midnight-node-ledger-helpers` so the toolkit can reuse it for its new
`--*-file` secret arguments; the node re-exports it at the old path.

PR:

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing PR link

}
}

/// Hand a secret to toolkit-js via an owner-only temp file instead of argv

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

owner-only is better, but still not great -

Perhaps a better solution is piping via stdin - only the parent and child can see the data that way - but this is a bigger change that can be left to a separate PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants