Validate user input and keep path in a separate argument for importwallet, createwallet and dumpwallet #20128

issue ghost opened this issue on October 12, 2020
  1. ghost commented at 7:19 AM on October 12, 2020: none

    Is your feature request related to a problem? Please describe.

    Wallets with weird names possible which can be exploited in vulnerable web applications that use Bitcoin Core and allow the users to create and import/export wallet

    ../testwallet for Linux ..\testwallet for Windows

    Tried on Bitcoin Core v 0.20.0

    #20080 (comment)

    Describe the solution you'd like

    • Keep two arguments: wallet_name and wallet_path for createwallet filename and filepath for dumpwallet importwallet

    • Validate user input. Name should not contain special characters. Path should be optional and if not specified use a default value.

    Describe alternatives you've considered Web developers should create secure web apps that use Bitcoin Core.

    Additional context

    image

    I understand its not a vulnerability in Bitcoin Core and only affects vulnerable web apps that use Bitcoin Core. However we can at least consider it a bug that may affect something in future or other projects that use Bitcoin Core. Basic checks for user input can improve the security. In 2017 I had a website in which someone had reported a vulnerability that could be used to change price of flight tickets and book with almost zero bitcoin. It was an issue with the website and we had to fix it although nobody could exploit it because the third party APIs that we were using to book the fight tickets were validating all the things. So a ticket couldn't be processed after tampering and changing the price by attacker. Similarly, if any web developer makes a mistake and using Bitcoin Core for the web app would still be unaffected if Bitcoin Core itself doesn't allow such things for wallet names.

    There have been lot of directory traversal related vulnerabilities, recently one was reported in Facebook android app:

    https://portswigger.net/daily-swig/vulnerability-in-facebook-android-app-nets-10k-bug-bounty

  2. unknown added the label Feature on Oct 12, 2020
  3. MarcoFalke commented at 7:30 AM on October 12, 2020: member

    I think it has previously been suggested to only allow absolute paths

  4. ghost commented at 11:46 PM on November 13, 2020: none 
        std::__cxx11::regex invalid_chars("(/|\\.)(.*)");

    if (regex_match(request.params[0].get_str(), invalid_chars)) {
        throw JSONRPCError(RPC_WALLET_ERROR, "Invalid characters in wallet name");
    }

    How about this? And can someone help me understand what all files need to be changed for this if statement to work?

    rpcwallet.cpp and wallet.cpp ?

  5. promag commented at 10:46 PM on November 15, 2020: member

    Not sure what needs to be validated, if it's a valid file path then it should be fine.

  6. ghost commented at 11:45 PM on November 15, 2020: none

    Not sure what needs to be validated, if it's a valid file path then it should be fine.

    I think we can just validate if the wallet name string has any characters in the beginning that can be used to do more than just creating a wallet in an expected directory. I am thinking to include few more characters in it like % mentioned here: https://owasp.org/www-community/attacks/Path_Traversal

    image

    Trying to stop the user to do anything in the blue area on left when he uses the web application.

    I have never tried to fix things in past, only break lol so not really sure if this thing may affect web apps using bitcoin core but its always good to restrict the user by validating inputs. Other thing which I understood after reading everything is that users should not have privileges to access other directories. This is something we can't control so just basic checks in place. If validating the wallet name string for 3-4 special chars in the beginning breaks anything we can ignore this issue and PR. I will do more research this week and add everything in the PR with tests.

  7. promag commented at 12:11 AM on November 16, 2020: member

    when he uses the web application

    Clearly you could validate user input on the web app. You could even assign a "safe" wallet name for the desired wallet name.

  8. ghost commented at 12:37 AM on November 16, 2020: none

    Sure. That's why I mentioned 4 things in the issue description earlier:

    1. Describe alternatives you've considered Web developers should create secure web apps that use Bitcoin Core.

    2. can be exploited in vulnerable web applications that use Bitcoin Core

    3. It was an issue with the website and we had to fix it although nobody could exploit it because the third party APIs that we were using to book the fight tickets were validating all the things. So a ticket couldn't be processed after tampering and changing the price by attacker. Similarly, if any web developer makes a mistake and using Bitcoin Core for the web app would still be unaffected if Bitcoin Core itself doesn't allow such things for wallet names.

    4. not a vulnerability in Bitcoin Core and only affects vulnerable web apps that use Bitcoin Core

  9. ryanofsky commented at 11:47 AM on November 16, 2020: member

    I can't figure out what the issue is here. The problem is with a web app allows users to specify bitcoin wallet names? Like the web app has some code like:

    if (wallet_name == "big wallet") {
   throw error("Can't spend from big wallet!")
}

    but the user can get around this by spending from "./big wallet" instead of "big wallet"?

  10. ghost commented at 10:29 PM on December 20, 2020: none

    I can't figure out what the issue is here. @ryanofsky

    image

    Alice is trying to test few websites and apps that use bitcoin core. Red boxes on right represent vulnerable apps and Blue boxes are secure. Grey box is bitcoin core. We are trying to prevent Alice to exploit any of those small boxes (bitcoin projects using bitcoin core) on right by making bitcoin core more secure and not depend on devs involved in different bitcoin projects.

  11. sipa commented at 3:43 AM on December 21, 2020: member

    But what is the vulnerability you're trying to protect against?

  12. ghost commented at 10:21 AM on December 21, 2020: none

    Path/Directory Traversal with the help of createwallet's wallet_name argument

    Example: https://medium.com/tenable-techblog/android-mx-player-path-traversal-to-code-execution-9134b623eb34

  13. laanwj closed this on Jan 9, 2021
  14. sidhujag referenced this in commit 35842bbc32 on Jan 9, 2021
  15. PastaPastaPasta referenced this in commit 01188696b4 on Jun 27, 2021
  16. PastaPastaPasta referenced this in commit 2704e4185d on Jun 28, 2021
  17. PastaPastaPasta referenced this in commit c6864e2502 on Jun 29, 2021
  18. PastaPastaPasta referenced this in commit 88c5b5f7bd on Jul 1, 2021
  19. PastaPastaPasta referenced this in commit 0f62ac0abd on Jul 1, 2021
  20. PastaPastaPasta referenced this in commit a6643f4627 on Sep 17, 2021
  21. PastaPastaPasta referenced this in commit 66d6e52d13 on Sep 19, 2021
  22. thelazier referenced this in commit 108022ba62 on Sep 25, 2021
  23. DrahtBot locked this on Aug 16, 2022
Contributors
ghostMarcoFalkepromagryanofskysipa
Labels
Feature
Linked (view graph)
#20080 Strip any trailing `/` in -datadir and -blocksdir paths#20393 error if invalid chars in wallet name#20741 doc: Update 'Secure string handling'#21510 Special characters in `wallet_name`
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin/bitcoin. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-04-13 15:14 UTC
This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me