Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

wtclientrpc: prevent watchtower connections to local addresses #9230

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

wtclientrpc: prevent watchtower connections to local addresses #9230

wants to merge 1 commit into from

Conversation

anibilthare
Copy link
Contributor

Change Description

Fixes 5522

Adds validation to prevent watchtower client connections to local addresses by:

  • Implementing IsLocalAddress() to detect localhost/local network addresses
  • Adding check in AddTower RPC to reject local tower connections
  • Including unit tests for address validation

This helps prevent security issues from misconfigured watchtower setups that accidentally expose local addresses.

Steps to Test

Steps for reviewers to follow to test the change.
image

@anibilthare
wtclientrpc: prevent watchtower connections to local addresses
fa75071 
Adds validation to prevent watchtower client connections to local addresses by:
- Implementing IsLocalAddress() to detect localhost/local network addresses
- Adding check in AddTower RPC to reject local tower connections
- Including comprehensive unit tests for address validation

This helps prevent security issues from misconfigured watchtower setups that
accidentally expose local addresses.
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Oct 29, 2024

Important

Review skipped

Auto reviews are limited to specific labels.

🏷️ Labels to auto review (1)
  • llm-review

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Generate unit testing code for this file.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai generate unit testing code for this file.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and generate unit testing code.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@anibilthare
Copy link
Contributor Author

@ellemouton Please review.

@ellemouton
Copy link
Collaborator

@anibilthare - I think the issue was more about connecting to your own watchtower on the same LND node. ie, connecting the wtclient to the watchtower server on the same LND node

@anibilthare
Copy link
Contributor Author

anibilthare commented Oct 29, 2024
edited
Loading

Thanks for the quick response @ellemouton !!

I chose to check for all local addresses (rather than just same-node) for these reasons:

  1. Security: Running multiple LND nodes on the same machine means they share the same failure domain - if the machine is compromised, all nodes including their watchtowers are compromised
  2. Redundancy: The purpose of watchtowers is to provide backup/monitoring from an independent system. Having the watchtower on the same physical machine defeats this purpose since any hardware/system failure would affect both the node and its watchtower
  3. Practical Implementation: Detecting "same LND node" would require comparing node identities, while checking local addresses provides a robust way to prevent all potentially problematic local configurations
  4. Future-proofing: This approach also prevents users from accidentally creating other insecure local watchtower setups as they experiment with different configurations

Would you prefer we narrow the scope to only prevent same-node connections? I'm open to adjusting the approach if you think the current implementation is too broad.

@anibilthare
Copy link
Contributor Author

@ellemouton Any feedback ?

@ellemouton
Copy link
Collaborator

ellemouton commented Nov 5, 2024
edited
Loading

@anibilthare - my concern is that this makes testing hard/impossible. We could just log a warning instead? Your points are all valid but i think the user should have the flexibility to run things how they want to & they themselves should be aware of the risks of certain run configurations

imo, the original issue isnt really an issue anyways... maybe others disagree.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

watchtowers: warn or disallow users from connecting the the wt server running on the same node as the wtclient
2 participants
@anibilthare @ellemouton