Summary
Three medium-severity security findings related to information exposure and configuration risks:
1. Internal Asana project URLs leaked in committed scripts
Files:
subnet-cli/subnet-cli-add-subnet-validator-mainnet.sh (line 2)
subnet-cli/subnet-cli-add-subnet-validator-testnet.sh (line 2)
README.md (line 345)
Direct Asana project URLs (https://app.asana.com/0/1202305127727547/1202919355642524/f) are committed in the public repository. The README labels this as "(internal task)", confirming these should not be publicly visible.
Fix: Replace Asana URLs with generic references like "See internal task tracker".
2. README recommends --http-allowed-hosts="*" without security documentation
File: README.md (lines 289-298, 911-913, 926-928)
The README recommends running avalanchego with --http-host=0.0.0.0 and --http-allowed-hosts="*" in three places. The wildcard disables DNS rebinding protection built into avalanchego. Combined with debug-tracer and internal-tx-pool APIs, this makes sensitive APIs accessible from any host.
Fix: Update README to recommend --http-host=127.0.0.1 for direct access, with nginx reverse proxy for external access. If --http-host=0.0.0.0 is required, set --http-allowed-hosts to specific RPC domain names.
3. Root genesis files share testnet chain ID 10508, risking EIP-155 replay attacks
Files:
genesis/genesis.json (line 3: "chainId": 10508)
genesis/genesis-nativecoin-feemgr.json (line 3: "chainId": 10508)
genesis/genesis-nativecoin-feemgr-feerecv.json (line 3: "chainId": 10508)
chains/testnet/genesis.json (line 3: "chainId": 10508)
All root genesis files use chain ID 10508 (identical to testnet). If used to deploy a new environment, transactions signed on testnet could be replayed on that chain and vice versa.
Fix: Assign unique chain IDs to root genesis files, or remove the genesis/ directory and consolidate under chains/{environment}/.
Impact
- Asana URL exposure: organizational structure leakage, potential social engineering
- Wildcard hosts: DNS rebinding attacks against node APIs
- Chain ID reuse: cross-chain transaction replay attacks
Generated by Health Monitor with Omni
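Added example, not part of the original report or the repository: a check for finding 3 that a CI job could run over the genesis files to catch a chain ID shared between environments. It assumes the chain ID lives at config.chainId and that chains/<env>/ names the environment; the mainnet entry and its chain ID 99999 are constructed placeholders.

```python
import json
from collections import defaultdict
from pathlib import PurePosixPath


def environment_of(path):
    """chains/<env>/... belongs to <env>; any other file is grouped by its top directory."""
    parts = PurePosixPath(path).parts
    if len(parts) >= 3 and parts[0] == "chains":
        return parts[1]
    return parts[0] if len(parts) > 1 else "."


def shared_chain_ids(genesis_files):
    """Return {chain_id: {environment: [paths]}} for IDs used by more than one environment.

    genesis_files maps a repository-relative path to the file's JSON text.
    """
    seen = defaultdict(lambda: defaultdict(list))
    for path, text in genesis_files.items():
        chain_id = json.loads(text).get("config", {}).get("chainId")
        if chain_id is None:
            raise ValueError(f"{path}: no config.chainId found")
        seen[chain_id][environment_of(path)].append(path)
    # A chain ID is only a replay risk when two different environments use it.
    return {cid: {env: sorted(paths) for env, paths in envs.items()}
            for cid, envs in seen.items() if len(envs) > 1}


# Constructed sample input. The first four paths and chain ID 10508 come from the
# report; the mainnet path and chain ID 99999 are placeholders for illustration.
SAMPLE = {
    "genesis/genesis.json": '{"config": {"chainId": 10508}}',
    "genesis/genesis-nativecoin-feemgr.json": '{"config": {"chainId": 10508}}',
    "genesis/genesis-nativecoin-feemgr-feerecv.json": '{"config": {"chainId": 10508}}',
    "chains/testnet/genesis.json": '{"config": {"chainId": 10508}}',
    "chains/mainnet/genesis.json": '{"config": {"chainId": 99999}}',
}

if __name__ == "__main__":
    findings = shared_chain_ids(SAMPLE)
    for cid, envs in findings.items():
        print(f"chainId {cid} is shared by environments: {', '.join(sorted(envs))}")
        for env, paths in sorted(envs.items()):
            for p in paths:
                print(f"  [{env}] {p}")
    raise SystemExit(1 if findings else 0)
```

To run it against a checkout, build the mapping from the files on disk instead of SAMPLE; the non-zero exit status lets a CI step fail when a chain ID is reused.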