Add --rpc-unsafe flag to protect dangerous admin RPC methods (#845)

heemankv · Mohiiit · web-flow · commit ee2fb78b4cf2 · 2025-11-11T16:56:32.000+05:30
Co-authored-by: mohiiit &lt;mohitdhattarwal.personal@gmail.com&gt;
diff --git a/configs/args/config.json b/configs/args/config.json
@@ -82,6 +82,7 @@
     "rpc_external": false,
     "rpc_admin": false,
     "rpc_admin_external": false,
+    "rpc_unsafe": false,
     "rpc_max_request_size": 15,
     "rpc_max_response_size": 15,
     "rpc_max_subscriptions_per_connection": 1024,
diff --git a/madara/crates/client/rpc/src/lib.rs b/madara/crates/client/rpc/src/lib.rs
@@ -830,6 +830,7 @@ pub struct Starknet {
     storage_proof_config: StorageProofConfig,
     pub(crate) block_prod_handle: Option<mc_block_production::BlockProductionHandle>,
     pub ctx: ServiceContext,
+    pub(crate) rpc_unsafe_enabled: bool,
 }
 
 impl Starknet {
@@ -849,12 +850,17 @@ impl Starknet {
             block_prod_handle,
             ctx,
             pre_v0_9_preconfirmed_as_pending: false,
+            rpc_unsafe_enabled: false,
         }
     }
 
     pub fn set_pre_v0_9_preconfirmed_as_pending(&mut self, value: bool) {
         self.pre_v0_9_preconfirmed_as_pending = value;
     }
+
+    pub fn set_rpc_unsafe_enabled(&mut self, value: bool) {
+        self.rpc_unsafe_enabled = value;
+    }
 }
 
 /// Returns the RpcModule merged with all the supported RPC versions.
diff --git a/madara/crates/client/rpc/src/versions/admin/v0_1_0/methods/write.rs b/madara/crates/client/rpc/src/versions/admin/v0_1_0/methods/write.rs
@@ -11,7 +11,6 @@ use mp_rpc::v0_9_0::{
 };
 use mp_transactions::{L1HandlerTransactionResult, L1HandlerTransactionWithFee};
 use mp_block::header::CustomHeader;
-use mp_utils::service::MadaraServiceId;
 
 
 #[async_trait]
@@ -90,24 +89,24 @@ impl MadaraWriteRpcApiV0_1_0Server for Starknet {
     }
 
     /// Force revert chain to a previous block by hash.
-    /// Only works in full node mode.
+    /// Only available when unsafe RPC methods are enabled.
     async fn revert_to(&self, block_hash: Felt) -> RpcResult<()> {
-        // Only allow revert when in full node mode
-        if self.ctx.service_status(MadaraServiceId::BlockProduction).is_off() {
-            self.backend.revert_to(&block_hash).map_err(StarknetRpcApiError::from)?;
-            // TODO(heemankv, 04-11-25): We should spend time in ruling out the two sources of truth problem for ChainTip
-            // For now, we have to manually fetch Chain Tip from DB and update this in backend
-            let fresh_chain_tip = self.backend.db.get_chain_tip().unwrap();
-            let backend_chain_tip = mc_db::ChainTip::from_storage(fresh_chain_tip);
-            self.backend.chain_tip.send_replace(backend_chain_tip);
-            Ok(())
-        } else {
-            Err(StarknetRpcApiError::ErrUnexpectedError {
-                error: "This method is only available in full node mode".to_string().into()
-            })?
+        // Check if unsafe RPC methods are enabled
+        if !self.rpc_unsafe_enabled {
+            return Err(StarknetRpcApiError::ErrUnexpectedError {
+                error: "This method requires the --rpc-unsafe flag to be enabled".to_string().into()
+            }.into());
         }
+
+        self.backend.revert_to(&block_hash).map_err(StarknetRpcApiError::from)?;
+        let fresh_chain_tip = self.backend.db.get_chain_tip()
+            .context("Failed to get chain tip after revert")
+            .map_err(StarknetRpcApiError::from)?;
+        let backend_chain_tip = mc_db::ChainTip::from_storage(fresh_chain_tip);
+        self.backend.chain_tip.send_replace(backend_chain_tip);
+        Ok(())
     }
-    
+
     async fn add_l1_handler_message(
         &self,
         l1_handler_message: L1HandlerTransactionWithFee,
@@ -122,6 +121,13 @@ impl MadaraWriteRpcApiV0_1_0Server for Starknet {
     }
 
     async fn set_block_header(&self, custom_block_headers: CustomHeader) -> RpcResult<()> {
+        // Check if unsafe RPC methods are enabled
+        if !self.rpc_unsafe_enabled {
+            return Err(StarknetRpcApiError::ErrUnexpectedError {
+                error: "This method requires the --rpc-unsafe flag to be enabled".to_string().into()
+            }.into());
+        }
+
         self.backend.set_custom_header(custom_block_headers);
         Ok(())
     }
diff --git a/madara/node/src/cli/rpc.rs b/madara/node/src/cli/rpc.rs
@@ -91,6 +91,12 @@ pub struct RpcParams {
     #[arg(env = "MADARA_RPC_ADMIN_EXTERNAL", long, default_value_t = false)]
     pub rpc_admin_external: bool,
 
+    /// Enables unsafe admin RPC methods. This includes dangerous methods like
+    /// `revertTo` and `setCustomBlockHeader` that can modify the blockchain state.
+    /// Use with extreme caution. Requires `--rpc-admin` to be enabled.
+    #[arg(env = "MADARA_RPC_UNSAFE", long, default_value_t = false, requires = "rpc_admin")]
+    pub rpc_unsafe: bool,
+
     /// Set the maximum RPC request payload size for both HTTP and WebSockets in mebibytes.
     #[arg(env = "MADARA_RPC_MAX_REQUEST_SIZE", long, default_value_t = RPC_DEFAULT_MAX_REQUEST_SIZE_MIB)]
     pub rpc_max_request_size: u32,
diff --git a/madara/node/src/service/rpc/mod.rs b/madara/node/src/service/rpc/mod.rs
@@ -76,6 +76,7 @@ impl Service for RpcService {
         let block_prod_handle = self.block_prod_handle.clone();
 
         let pre_v0_9_preconfirmed_as_pending = self.config.rpc_pre_v0_9_preconfirmed_as_pending;
+        let rpc_unsafe_enabled = self.config.rpc_unsafe;
 
         runner.service_loop(move |ctx| async move {
             let submit_tx = Arc::new(submit_tx_provider.make(ctx.clone()));
@@ -88,6 +89,7 @@ impl Service for RpcService {
                 ctx.clone(),
             );
             starknet.set_pre_v0_9_preconfirmed_as_pending(pre_v0_9_preconfirmed_as_pending);
+            starknet.set_rpc_unsafe_enabled(rpc_unsafe_enabled);
 
             let metrics = RpcMetrics::register()?;
 

Original file line number	Diff line number	Diff line change
`@@ -830,6 +830,7 @@ pub struct Starknet {`
`830`	`830`	`storage_proof_config: StorageProofConfig,`
`831`	`831`	`pub(crate) block_prod_handle: Option<mc_block_production::BlockProductionHandle>,`
`832`	`832`	`pub ctx: ServiceContext,`
	`833`	`+ pub(crate) rpc_unsafe_enabled: bool,`
`833`	`834`	`}`
`834`	`835`
`835`	`836`	`impl Starknet {`
`@@ -849,12 +850,17 @@ impl Starknet {`
`849`	`850`	`block_prod_handle,`
`850`	`851`	`ctx,`
`851`	`852`	`pre_v0_9_preconfirmed_as_pending: false,`
	`853`	`+ rpc_unsafe_enabled: false,`
`852`	`854`	`}`
`853`	`855`	`}`
`854`	`856`
`855`	`857`	`pub fn set_pre_v0_9_preconfirmed_as_pending(&mut self, value: bool) {`
`856`	`858`	`self.pre_v0_9_preconfirmed_as_pending = value;`
`857`	`859`	`}`
	`860`	`+`
	`861`	`+ pub fn set_rpc_unsafe_enabled(&mut self, value: bool) {`
	`862`	`+ self.rpc_unsafe_enabled = value;`
	`863`	`+ }`
`858`	`864`	`}`
`859`	`865`
`860`	`866`	`/// Returns the RpcModule merged with all the supported RPC versions.`