[audit] Secrets appear in environment variables and command line argu…

…ments (#1201) * accept secret as a file too * run pre-commit * address feedback
pyth-network · Jan 4, 2024 · 009c5cd · 009c5cd
1 parent e1606a4
commit 009c5cd
Show file tree

Hide file tree

Showing 7 changed files with 39 additions and 30 deletions.
diff --git a/fortuna/.gitignore b/fortuna/.gitignore
@@ -1,2 +1,3 @@
 /target
 config.yaml
+*secret*
diff --git a/fortuna/Cargo.lock b/fortuna/Cargo.lock
diff --git a/fortuna/Cargo.toml b/fortuna/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name    = "fortuna"
-version = "3.0.1"
+version = "3.0.2"
 edition = "2021"
 
 [dependencies]

diff --git a/fortuna/src/command/register_provider.rs b/fortuna/src/command/register_provider.rs
@@ -31,13 +31,14 @@ pub async fn register_provider(opts: &RegisterProviderOptions) -> Result<()> {
 
     // Create a new random hash chain.
     let random = rand::random::<[u8; 32]>();
+    let secret = match opts.randomness.load_secret() {
+        Ok(loaded_secret) => loaded_secret,
+        Err(_err) => opts.randomness.secret_file.clone(),
+    };
+
     let commitment_length = opts.randomness.chain_length;
-    let mut chain = PebbleHashChain::from_config(
-        &opts.randomness.secret,
-        &opts.chain_id,
-        &random,
-        commitment_length,
-    )?;
+    let mut chain =
+        PebbleHashChain::from_config(&secret, &opts.chain_id, &random, commitment_length)?;
 
     // Arguments to the contract to register our new provider.
     let fee_in_wei = opts.fee;

diff --git a/fortuna/src/command/run.rs b/fortuna/src/command/run.rs
@@ -47,6 +47,12 @@ pub async fn run(opts: &RunOptions) -> Result<()> {
     struct ApiDoc;
 
     let config = Config::load(&opts.config.config)?;
+    let secret: String;
+    match opts.randomness.load_secret() {
+        Ok(loaded_secret) => secret = loaded_secret,
+        Err(_err) => secret = opts.randomness.secret_file.clone(),
+    }
+
 
     let mut chains = HashMap::new();
     for (chain_id, chain_config) in &config.chains {
@@ -64,7 +70,7 @@ pub async fn run(opts: &RunOptions) -> Result<()> {
             bincode::deserialize::<CommitmentMetadata>(&provider_info.commitment_metadata)?;
 
         let hash_chain = PebbleHashChain::from_config(
-            &opts.randomness.secret,
+            &secret,
             &chain_id,
             &metadata.seed,
             metadata.chain_length,

diff --git a/fortuna/src/config.rs b/fortuna/src/config.rs
@@ -76,10 +76,12 @@ pub struct ConfigOptions {
 #[command(next_help_heading = "Randomness Options")]
 #[group(id = "Randomness")]
 pub struct RandomnessOptions {
-    /// A secret used for generating new hash chains. A 64-char hex string.
+    /// Path to file containing a secret which is a 64-char hex string.
+    /// The secret is used for generating new hash chains
+    /// Or the secret itself. TODO: this will be removed in another PR.
     #[arg(long = "secret")]
     #[arg(env = "FORTUNA_SECRET")]
-    pub secret: String,
+    pub secret_file: String,
 
     /// The length of the hash chain to generate.
     #[arg(long = "chain-length")]
@@ -88,6 +90,12 @@ pub struct RandomnessOptions {
     pub chain_length: u64,
 }
 
+impl RandomnessOptions {
+    pub fn load_secret(&self) -> Result<String> {
+        return Ok((fs::read_to_string(&self.secret_file))?);
+    }
+}
+
 #[derive(Clone, Debug, serde::Serialize, serde::Deserialize)]
 pub struct Config {
     pub chains: HashMap<ChainId, EthereumConfig>,

diff --git a/hermes/Cargo.lock b/hermes/Cargo.lock