fix(security): enforce HTTPS for rpcUrl in validation config schema#172
Open
memosr wants to merge 1 commit into
Open
fix(security): enforce HTTPS for rpcUrl in validation config schema#172memosr wants to merge 1 commit into
memosr wants to merge 1 commit into
Conversation
The README at line 169 documents rpcUrl as an "HTTPS RPC endpoint", but the Zod schema at src/lib/config-schemas.ts:78 used z.string().url() which accepts http://, ws://, and wss:// without complaint. For a governance signing tool that simulates state diffs over the provided RPC, an HTTP endpoint allows a network-positioned attacker to MITM the simulation response. Signers would see and approve a hash derived from attacker-supplied state, while the actual chain state remains untouched until the malicious transaction lands. Added a .refine() check that enforces the https:// scheme. The error message echoes the offending URL so operators get immediate, actionable feedback rather than a generic "invalid config" failure. The existing z.string().url() check is preserved so malformed URLs are still rejected with the standard Zod error.
Collaborator
🟡 Heimdall Review Status
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
The README documents
rpcUrlas an HTTPS endpoint, but the schema accepts any URL scheme. For a tool that signs governance transactions, this is a real attack surface — added.refine()to enforcehttps://.The drift
README.md:169 — rpcUrl is documented as:
src/lib/config-schemas.ts:78 — actual schema:
z.string().url()acceptshttp://,ws://,wss://,file://— anything that parses as a URL. The documentation says one thing, the enforced contract says another.Why this matters for a signing tool
The signing flow simulates a transaction over the configured RPC to display the resulting state diff to the signer. The signer reviews that diff and signs a hash derived from it.
An attacker positioned on the network path to an HTTP RPC (corporate proxy, untrusted Wi-Fi, compromised ISP, etc.) can:
eth_call/ state simulation responseThe simulation is the signer's only window into what they're approving. If that window is HTTP, the signer is trusting the network.
HTTPS doesn't eliminate this entirely (the RPC provider itself could be compromised), but it closes the MITM vector that's trivially exploitable on hostile networks.
The fix
z.string().url()is preserved — still rejects malformed URLs.refine()adds the HTTPS check on topVerification
src/lib/config-schemas.ts