fix(rpc): enforce minimum response time on scoped read methods#520
Open
Dollyerls wants to merge 1 commit into
Open
fix(rpc): enforce minimum response time on scoped read methods#520Dollyerls wants to merge 1 commit into
Dollyerls wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
fix(rpc): enforce minimum response time on scoped read methods
Was reading through the spec's "Timing Side Channels" section and noticed it
calls for something the server doesn't actually do yet:
These five fetch data before they check whether the caller is allowed to see
it, so how long they take to answer leaks information: "this hash exists but
isn't yours" comes back at a different speed than "this hash doesn't exist." On
a private chain that's a real existence oracle. The other scoped reads
(
eth_getBalance,eth_call,eth_sendRawTransaction) authorize first, so thespec explicitly exempts them — and so does this change.
Turns out the server already measured per-call latency, but only to feed a
metric — it never enforced a floor. So I added the floor where the metric is
taken:
dispatch_request, which is the one spot both the HTTP and the WebSocketpaths funnel through. After the handler runs, if the method is one of the five,
sleep off whatever's left under 100ms. It pads error responses too, since the
error path can return faster than the data path and would otherwise leak the
same way.