Bug: Main server attest_debug endpoint allows bypass when RC_ADMIN_KEY not set

[508704820]

Bug: attest_debug admin check bypassed when RC_ADMIN_KEY not configured

Severity: MEDIUM

Description

node/rustchain_v2_integrated_v2.2.1_rip200.py has an admin check that can be bypassed:

ADMIN_KEY = os.getenv("RC_ADMIN_KEY")  # Returns None if not set

@app.route('/ops/attest/debug', methods=['POST'])
def attest_debug():
    admin_key = request.headers.get("X-Admin-Key", "") or request.headers.get("X-API-Key", "")
    if not hmac.compare_digest(admin_key, ADMIN_KEY or ""):  # None or "" → ""
        return error

When RC_ADMIN_KEY is not set:

• ADMIN_KEY = None
• ADMIN_KEY or "" = ""
• admin_key (no header sent) = ""
• hmac.compare_digest("", "") = True — authentication bypassed!

Impact

1. Debug endpoint accessible without admin key when env var not set
2. Exposes internal config, MAC hashes, and miner enrollment data
3. Same class as Bug: machine_passport_api admin endpoints open when ADMIN_KEY unset #4878, Bug: Memory API /clear endpoint lacks authentication #4880, Bug: Webhook auth skips signature verification when WEBHOOK_SECRET not configured #4995 — default-allow auth pattern

Fix

Add explicit check for ADMIN_KEY being set:

if not ADMIN_KEY:
    return jsonify({"error": "Admin key not configured"}), 503
if not hmac.compare_digest(admin_key, ADMIN_KEY):
    return jsonify({"error": "Unauthorized"}), 401

Wallet: RTC9d7caca3039130d3b26d41f7343d8f4ef4592360

[BossChaos]

Bounty Claim

I'd like to claim this bug bounty.

Analysis:

• Reviewed the vulnerability description and affected code
• Identified the root cause and attack surface

Planned Fix:

1. Implement proper validation/authentication guard
2. Add secure defaults (fail-closed pattern)
3. Add regression test to prevent recurrence

Wallet: RTC6d1f27d28961279f1034d9561c2403697eb55602

[galpetame]

Implemented in #5100

@galpetame
RTC wallet address: RTCe4fbe4c9085b8b2ed3f1228504de66799025f6ce

Summary:

• /ops/attest/debug now fails closed with 503 when RC_ADMIN_KEY / ADMIN_KEY is not configured.
• This removes the missing-header + missing-config hmac.compare_digest("", "") bypass case.
• Wrong admin keys still receive 401 when an admin key is configured.
• Added a regression for the no-config path.

Validation:

• PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 python -m pytest tests\test_api.py::test_attest_debug_fails_closed_when_admin_key_unconfigured tests\test_api.py::test_api_balances_requires_admin tests\test_api.py::test_pending_list_requires_admin -q -> 3 passed
• python -m py_compile node\rustchain_v2_integrated_v2.2.1_rip200.py tests\test_api.py -> passed
• git diff --check origin/main...HEAD -- node\rustchain_v2_integrated_v2.2.1_rip200.py tests\test_api.py -> passed
• python tools\bcos_spdx_check.py --base-ref origin/main -> BCOS SPDX check: OK