Skip to content

Use jsonrpc2.Request digest method#19845

Merged
DeividasK merged 10 commits intodevelopfrom
PRIV-217-audit-cl-79-08-request-digest-collisions
Oct 14, 2025
Merged

Use jsonrpc2.Request digest method#19845
DeividasK merged 10 commits intodevelopfrom
PRIV-217-audit-cl-79-08-request-digest-collisions

Conversation

@DeividasK
Copy link
Copy Markdown
Contributor

@DeividasK DeividasK commented Oct 10, 2025
edited
Loading

shileiwill
shileiwill previously approved these changes Oct 10, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@shileiwill shileiwill left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Comment thread core/capabilities/vault/request_authorizer.go
defer r.clearExpiredAuthorizedRequests()
r.lggr.Infow("AuthorizeRequest", "method", req.Method, "requestID", req.ID)
digest, err := vaulttypes.DigestForRequest(req)
requestDigest, err := req.Digest()
Copy link
Copy Markdown
Contributor

@shileiwill shileiwill Oct 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, this is the core change. we removed our customized DigestForRequest() and use the default Digest() from jsonrpc.

justinkaseman
justinkaseman previously approved these changes Oct 10, 2025
View reviewed changes
@DeividasK
Merge remote-tracking branch 'origin/develop' into PRIV-217-audit-cl-…
713a415 
…79-08-request-digest-collisions

# Conflicts:
#	core/capabilities/vault/request_authorizer.go
#	core/capabilities/vault/request_authorizer_test.go
#	core/services/workflows/syncer/v2/workflow_syncer_v2_test.go
#	system-tests/tests/smoke/cre/v2_vault_don_test.go
@DeividasK
Merge remote-tracking branch 'origin/develop' into PRIV-217-audit-cl-…
8e97891 
…79-08-request-digest-collisions
@DeividasK
Bump chainlink-common
54a3d15
pavel-raykov
pavel-raykov previously approved these changes Oct 13, 2025
View reviewed changes
DeividasK
DeividasK commented Oct 14, 2025
View reviewed changes
Comment thread core/capabilities/vault/request_authorizer_test.go
Params: nil,
}
isAuthorized, _, err := auth.AuthorizeRequest(context.Background(), invalidReq)
require.ErrorContains(t, err, "unauthorized method: invalid-method")
Copy link
Copy Markdown
Contributor Author

@DeividasK DeividasK Oct 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Whether the method is valid is checked in the handler, not the authorizer.

@cl-sonarqube-production
Copy link
Copy Markdown

cl-sonarqube-production Bot commented Oct 14, 2025

Quality Gate passed Quality Gate passed

Issues
0 New issues
4 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

@DeividasK DeividasK closed this Oct 14, 2025
This was referenced Oct 14, 2025
Draft
Draft
This was referenced Oct 23, 2025
Draft
Draft
This was referenced Nov 7, 2025
Open
Draft
This was referenced Nov 16, 2025
Merged
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cedric-cordenier cedric-cordenier cedric-cordenier approved these changes

@pavel-raykov pavel-raykov pavel-raykov approved these changes

@shileiwill shileiwill shileiwill left review comments

@justinkaseman justinkaseman justinkaseman left review comments

@ChrisAmora ChrisAmora Awaiting requested review from ChrisAmora

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@DeividasK @shileiwill @cedric-cordenier @justinkaseman @pavel-raykov