@waketraindev waketraindev commented Nov 6, 2025

Sensitive RPC commands such as walletpassphrase or createwallet
have their arguments redacted when stored in the console history.
Even though their parameters are hidden, these commands could still
be recalled and executed again, which might lead to unintended or
harmful actions.

This change extends the existing blocking filter that prevents
re-execution of commands considered sensitive or risky when recalled
from history. Such entries are prefixed with a leading character (!),
marking them as non-executable. When the user attempts to run them
again from history, the console blocks the action and displays an
informational message. Commands entered manually remain unaffected.

In addition to wallet and key-related RPCs, this filter now also
covers transaction-related commands such as send, sendall,
sendmany, and sendtoaddress, which may cause unwanted effects
if repeated from history.

Test coverage has been expanded to verify redaction and blocking
behavior, ensuring that sensitive commands are correctly identified
and prefixed. The console help text has been updated to describe
this functionality.

DrahtBot commented Nov 6, 2025

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Reviews

See the guideline for information on the review process.
A summary of reviews will appear here.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #910 (Added test coverage for qt gui#901 console history filter by waketraindev)
  • #882 (Add console commands for clearing output and history by waketraindev)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@waketraindev changed the title from "qt: Comment out sensitive commands in history to prevent re-execution" to "qt: Comment out sensitive console commands in history to prevent re-execution" Nov 6, 2025
@waketraindev changed the title from "qt: Comment out sensitive console commands in history to prevent re-execution" to "Comment out sensitive console commands in history to prevent re-execution" Nov 6, 2025
DrahtBot commented Nov 6, 2025

🚧 At least one of the CI tasks failed.
Task Windows native, VS 2022: https://github.com/bitcoin-core/gui/actions/runs/19137200809/job/54692201187
LLM reason (✨ experimental): CTest failed because the test_bitcoin-qt test failed (exit code 8).

Hints

Try to run the tests locally, according to the documentation. However, a CI failure may still
happen due to a number of reasons, for example:

  • Possibly due to a silent merge conflict (the changes in this pull request being
    incompatible with the current code in the target branch). If so, make sure to rebase on the latest
    commit of the target branch.

  • A sanitizer issue, which can only be found by compiling with the sanitizer and running the
    affected test.

  • An intermittent issue.

Leave a comment here, if you need help tracking down a confusing failure.

@waketraindev marked this pull request as draft November 6, 2025 17:26
@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from 2f59bf6 to a0422e5 November 6, 2025 18:03
@waketraindev marked this pull request as ready for review November 6, 2025 18:09
@DrahtBot removed the CI failed label Nov 6, 2025
"Lines starting with '#' are treated as comments and are not executed.\n"
" example: # Hello world\n\n")));
return;
} else if (executableCommand.starts_with("#")) {
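Review bot: the executableCommand.starts_with("#") test in the else-if only matches when '#' is the very first character, so a line typed with whitespace before the '#' would not be treated as a comment unless the string is trimmed earlier, which these lines do not show. Consider trimming before the comparison, and keep the help text's "Lines starting with '#'" wording in step with whichever behaviour is chosen.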
Member

Should probably check this before parsing (top of RPCConsole::on_lineEdit_returnPressed)

Contributor Author

You’re right, a separate signal/slot wasn’t necessary here. I revisited the implementation, removed both the signal and slot, and consolidated the logic directly into RPCConsole::on_lineEdit_returnPressed, as you suggested, cleaning everything up. Thanks for taking a look at the PR!

@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from a0422e5 to a87c8ac November 8, 2025 02:14
@waketraindev changed the title from "Comment out sensitive console commands in history to prevent re-execution" to "Prevent re-execution of sensitive commands from console history" Nov 8, 2025
waketraindev commented Nov 8, 2025

  • Blocking character was changed from '#' to '!' in order to reserve '#' for printing comments, like bash
  • Removed noop slot and signal
  • Added alert window when a command starting with ! is entered
  • Commands starting with ! don't execute, don't print, and don't go to history
  • Updated PR title and description to reflect the changes
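
The history behaviour described in the PR description and in the list above, as an added example that is not code from this pull request. All names (kSensitive, HistoryEntry, Console) are hypothetical, the "(...)" redaction format is an assumption, and the command list contains only the RPCs named in this conversation.

```cpp
#include <algorithm>
#include <array>
#include <string>
#include <string_view>
#include <vector>

// Only the commands named in this PR; the project's real filter list is not shown here.
constexpr std::array<std::string_view, 6> kSensitive{
    "walletpassphrase", "createwallet", "send", "sendall", "sendmany", "sendtoaddress"};
constexpr char kBlockPrefix = '!';

// First token of a console line, so "send" does not also match "sendrawtransaction".
std::string_view CommandName(std::string_view line) {
    const auto start = line.find_first_not_of(" \t");
    if (start == std::string_view::npos) return {};
    line.remove_prefix(start);
    return line.substr(0, line.find_first_of(" \t("));
}

bool IsSensitive(std::string_view line) {
    const auto name = CommandName(line);
    return std::find(kSensitive.begin(), kSensitive.end(), name) != kSensitive.end();
}

// Text stored in history: sensitive lines lose their arguments and gain the prefix.
// The "(...)" placeholder is an assumed redaction format.
std::string HistoryEntry(std::string_view line) {
    if (!IsSensitive(line)) return std::string(line);
    return std::string(1, kBlockPrefix) + std::string(CommandName(line)) + "(...)";
}

struct Console {
    std::vector<std::string> history;
    std::vector<std::string> executed;  // stands in for the RPC executor

    // Returns false when the line is refused; the prefix check runs before any parsing.
    bool Submit(const std::string& line) {
        if (!line.empty() && line.front() == kBlockPrefix) return false;  // not run, not stored
        executed.push_back(line);  // manually typed commands, sensitive or not, still run
        history.push_back(HistoryEntry(line));
        return true;
    }
};
```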

@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from a87c8ac to 318eacf November 8, 2025 02:47
DrahtBot commented Nov 8, 2025

🚧 At least one of the CI tasks failed.
Task tidy: https://github.com/bitcoin-core/gui/actions/runs/19186424441/job/54853702939
LLM reason (✨ experimental): Compilation failed due to template/type-mismatch errors in test_bitcoin-qt leading to build failure.

@DrahtBot removed the CI failed label Nov 8, 2025
@waketraindev marked this pull request as draft November 8, 2025 12:54
@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from 318eacf to 48fefa8 November 8, 2025 13:06
@waketraindev marked this pull request as ready for review November 8, 2025 16:13
@waketraindev marked this pull request as draft November 10, 2025 13:46
@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from 48fefa8 to 02e2787 November 10, 2025 19:50
@waketraindev

Extended the blocking filter to include transaction-related RPCs send, sendall, sendmany and
sendtoaddress as these can also cause unintended effects.

Test coverage added for them.

@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from 02e2787 to 5624f73 November 10, 2025 20:36
@waketraindev force-pushed the 2025-11-gui-comment-sensitive-commands branch from 5624f73 to 9d7cd51 November 11, 2025 04:51
@waketraindev marked this pull request as ready for review November 11, 2025 15:24