Prevent re-execution of sensitive commands from console history #909

pull waketraindev wants to merge 1 commits into bitcoin-core:master from waketraindev:2025-11-gui-comment-sensitive-commands changing 2 files +59 −10
  1. waketraindev commented at 1:26 pm on November 6, 2025: contributor

    Sensitive RPC commands such as walletpassphrase or createwallet have their arguments redacted when stored in the console history. Even though their parameters are hidden, these commands could still be recalled and executed again, which might lead to unintended or harmful actions.

    This change extends the existing blocking filter that prevents re-execution of commands considered sensitive or risky when recalled from history. Such entries are prefixed with a leading character (!), marking them as non-executable. When the user attempts to run them again from history, the console blocks the action and displays an informational message. Commands entered manually remain unaffected.

    In addition to wallet and key-related RPCs, this filter now also covers transaction-related commands such as send, sendall, sendmany, and sendtoaddress, which may cause unwanted effects if repeated from history.

    Test coverage has been expanded to verify redaction and blocking behavior, ensuring that sensitive commands are correctly identified and prefixed. The console help text has been updated to describe this functionality.
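The behaviour this description outlines, as an added standalone sketch; it is not code from the pull request or from Bitcoin Core. The names `kSensitive`, `commandName`, `historyEntry` and `Console` are hypothetical, the `(...)` redaction form is constructed, and Qt is left out so the block compiles on its own.

```cpp
#include <algorithm>
#include <array>
#include <string>
#include <string_view>
#include <vector>

// Assumed list: only the command names the PR description mentions.
constexpr std::array<std::string_view, 6> kSensitive{
    "walletpassphrase", "createwallet", "send",
    "sendall", "sendmany", "sendtoaddress"};

std::string_view trimLeft(std::string_view s) {
    const auto start = s.find_first_not_of(" \t");
    return start == std::string_view::npos ? std::string_view{} : s.substr(start);
}

// Whole first token, so "sendrawtransaction" does not match "send".
std::string_view commandName(std::string_view line) {
    line = trimLeft(line);
    return line.substr(0, line.find_first_of(" \t("));
}

bool isSensitive(std::string_view line) {
    return std::find(kSensitive.begin(), kSensitive.end(),
                     commandName(line)) != kSensitive.end();
}

// History form: arguments dropped and the entry marked with '!'.
std::string historyEntry(std::string_view line) {
    if (!isSensitive(line)) return std::string(line);
    return "!" + std::string(commandName(line)) + "(...)";
}

struct Console {
    std::vector<std::string> history;
    std::vector<std::string> executed;  // stand-in for the RPC executor

    // Returns false when the line is blocked.
    bool submit(std::string_view line) {
        const auto t = trimLeft(line);
        if (!t.empty() && t.front() == '!') return false;  // not run, not stored
        executed.emplace_back(commandName(line));
        history.push_back(historyEntry(line));
        return true;
    }
};
```

Recalling the stored `!walletpassphrase(...)` entry and submitting it is refused, while typing the command again by hand still runs.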

  2. DrahtBot commented at 1:26 pm on November 6, 2025: contributor

    The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

    Reviews

    See the guideline for information on the review process.

    Type Reviewers
    Concept NACK hebasto

    If your review is incorrectly listed, please react with 👎 to this comment and the bot will ignore it on the next update.

    Conflicts

    Reviewers, this pull request conflicts with the following ones:

    • #882 (Add console commands for clearing output and history by waketraindev)

    If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

  3. waketraindev renamed this:
    qt: Comment out sensitive commands in history to prevent re-execution
    qt: Comment out sensitive console commands in history to prevent re-execution
    on Nov 6, 2025
  4. waketraindev renamed this:
    qt: Comment out sensitive console commands in history to prevent re-execution
    Comment out sensitive console commands in history to prevent re-execution
    on Nov 6, 2025
  5. DrahtBot added the label CI failed on Nov 6, 2025
  6. DrahtBot commented at 4:32 pm on November 6, 2025: contributor

    🚧 At least one of the CI tasks failed. Task Windows native, VS 2022: https://github.com/bitcoin-core/gui/actions/runs/19137200809/job/54692201187 LLM reason (✨ experimental): CTest failed because the test_bitcoin-qt test failed (exit code 8).

    Try to run the tests locally, according to the documentation. However, a CI failure may still happen due to a number of reasons, for example:

    • Possibly due to a silent merge conflict (the changes in this pull request being incompatible with the current code in the target branch). If so, make sure to rebase on the latest commit of the target branch.

    • A sanitizer issue, which can only be found by compiling with the sanitizer and running the affected test.

    • An intermittent issue.

    Leave a comment here, if you need help tracking down a confusing failure.

  7. waketraindev marked this as a draft on Nov 6, 2025
  8. waketraindev force-pushed on Nov 6, 2025
  9. waketraindev marked this as ready for review on Nov 6, 2025
  10. DrahtBot removed the label CI failed on Nov 6, 2025
  11. in src/qt/rpcconsole.cpp:1111 in a0422e52a9
    1103@@ -1094,6 +1104,12 @@ void RPCConsole::startExecutor()
    1104         m_is_executing = false;
    1105     });
    1106 
    1107+    connect(m_executor, &RPCExecutor::noop, this, [this]() {
    1108+        ui->messagesWidget->undo();
    1109+        scrollToEnd();
    1110+        m_is_executing = false;
    1111+    });
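Review bot: the `ui->messagesWidget->undo()` call on line 1108 assumes the most recent edit to the widget is the echo of the command being suppressed, and nothing in this hunk ties the two together, so any message appended in between would be what gets undone. Deciding that a line is a no-op before it is echoed would remove the need for `undo()` entirely, and the `m_is_executing = false` reset would then not have to be repeated from the handler just above.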
    


    luke-jr commented at 4:41 pm on November 7, 2025:
    Why does this need a signal/slot?
  12. in src/qt/rpcconsole.cpp:416 in a0422e52a9
    412+                "   example:    getblock(getblockhash(0),1)[tx][0]\n\n"
    413+
    414+                "Lines starting with '#' are treated as comments and are not executed.\n"
    415+                "   example:    # Hello world\n\n")));
    416+            return;
    417+        } else if (executableCommand.starts_with("#")) {
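Review bot: the `executableCommand.starts_with("#")` test on line 417 only matches when `#` is the very first character, so a line with leading whitespace before `#` would not be treated as a comment unless `executableCommand` is trimmed earlier, which these lines do not show. Consider trimming before the check, and since the new help text states that lines starting with '#' are not executed, a test that pins the leading-whitespace case would keep the text and the behaviour in agreement.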
    


    luke-jr commented at 4:43 pm on November 7, 2025:
    Should probably check this before parsing (top of RPCConsole::on_lineEdit_returnPressed)

    waketraindev commented at 2:21 am on November 8, 2025:
    You’re right, a separate signal/slot wasn’t necessary here. I revisited the implementation, removed both the signal and slot, and consolidated the logic directly into RPCConsole::on_lineEdit_returnPressed, as you suggested, cleaning everything up. Thanks for taking a look at the PR!
  13. luke-jr changes_requested
  14. waketraindev force-pushed on Nov 8, 2025
  15. waketraindev renamed this:
    Comment out sensitive console commands in history to prevent re-execution
    Prevent re-execution of sensitive commands from console history
    on Nov 8, 2025
  16. waketraindev commented at 2:23 am on November 8, 2025: contributor
    • Blocking character was changed from ‘#’ to ‘!’ in order to reserve ‘#’ for printing comments like bash
    • Removed noop slot and signal
    • Added alert window when a command starting with ! is entered
    • Commands starting with ! don’t execute, don’t print, and don’t go to history
    • Updated PR title and description to reflect the changes
  17. waketraindev force-pushed on Nov 8, 2025
  18. DrahtBot added the label CI failed on Nov 8, 2025
  19. DrahtBot commented at 2:48 am on November 8, 2025: contributor

    🚧 At least one of the CI tasks failed. Task tidy: https://github.com/bitcoin-core/gui/actions/runs/19186424441/job/54853702939 LLM reason (✨ experimental): Compilation failed due to template/type-mismatch errors in test_bitcoin-qt leading to build failure.

  20. DrahtBot removed the label CI failed on Nov 8, 2025
  21. waketraindev marked this as a draft on Nov 8, 2025
  22. waketraindev force-pushed on Nov 8, 2025
  23. waketraindev marked this as ready for review on Nov 8, 2025
  24. waketraindev marked this as a draft on Nov 10, 2025
  25. waketraindev force-pushed on Nov 10, 2025
  26. waketraindev commented at 7:53 pm on November 10, 2025: contributor

    Extended the blocking filter to include transaction-related RPCs send, sendall, sendmany and sendtoaddress as these can also cause unintended effects.

    Test coverage added for them

  27. waketraindev force-pushed on Nov 10, 2025
  28. waketraindev force-pushed on Nov 11, 2025
  29. waketraindev marked this as ready for review on Nov 11, 2025
  30. hebasto added the label Needs rebase on Nov 18, 2025
  31. hebasto commented at 11:38 pm on November 18, 2025: member
    Please rebase.
  32. qt: prevent re-execution of sensitive commands from console history 9cadafcac3
  33. waketraindev force-pushed on Nov 18, 2025
  34. waketraindev commented at 11:47 pm on November 18, 2025: contributor

    Please rebase.

    Rebased on top of master

  35. DrahtBot removed the label Needs rebase on Nov 19, 2025
  36. DrahtBot added the label CI failed on Nov 19, 2025
  37. waketraindev commented at 1:58 pm on November 20, 2025: contributor

    Screenshots to support the PR:

  38. hebasto commented at 10:02 am on November 21, 2025: member

    Sensitive RPC commands such as walletpassphrase or createwallet have their arguments redacted when stored in the console history. Even though their parameters are hidden, these commands could still be recalled and executed again, which might lead to unintended or harmful actions.

    If running the same RPC command twice “might lead to unintended or harmful actions”, then the issue should be addressed in that command’s implementation, as it isn’t specific to the GUI console.

    Concept NACK.

  39. waketraindev closed this on Nov 21, 2025

  40. waketraindev deleted the branch on Nov 21, 2025
  41. waketraindev commented at 10:28 am on November 21, 2025: contributor
    Closed

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/gui. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2025-11-27 22:20 UTC
