What is better, pre-existing Bitcoin-core API bindings for Python or custom wrapper functions?


How advisable is using the following code to query Bitcoin Core, as compared to using some Python RPC library?

import os
btc_prefix = 'bitcoin-cli '

def getblockcount(btc_prefix):
    print("in getblockcount")
    cmd = ' '.join([btc_prefix, 'getblockcount'])
    response = os.popen(cmd).read()
    return int(response)

It is kind of a wrapper function for the core APIs. What are the drawbacks/advantages of using the above code? Also, does it affect security in any way?

Shabahat M. Ayubi

Posted 2016-11-01T08:40:42.853

Reputation: 1 439



bitcoin-cli is just a wrapper for the RPC functions so you're essentially doing the same exact thing as an RPC call. Generally, using RPC is preferred since you don't have to rely on the bitcoin-cli executable being on the system and in your current path. This most likely won't work on Windows, for example.

In general RPC is preferred because you can access it from other systems. With your program, you'll only be able to run it on the system that has bitcoin core installed whereas with RPC, you can run from other systems.

Jimmy Song

Posted 2016-11-01T08:40:42.853

Reputation: 7 330

It also has far lower overhead, as you don't need to start a new process for each request – Pieter Wuille – 2016-12-21T18:02:23.363

@PieterWuille What has a lower overhead? – Shabahat M. Ayubi – 2016-12-23T07:46:32.543

@Jimmy There isn't a security flaw as such in my approach? – Shabahat M. Ayubi – 2016-12-23T07:50:58.377

Using bitcoin-cli is very slow. Use JSON-RPC from your program directly; it will be much more flexible and faster than using Bitcoin Core's wrapper binary. – Pieter Wuille – 2016-12-23T10:02:13.967

The security flaw in getblockcount is that an attacker can execute anything on your system (e.g. pass in btc_prefix as rm -rf /). I would strongly advise you use JSON-RPC which will only execute what you want. – Jimmy Song – 2016-12-23T20:00:22.123

@JimmySong But then, as you mentioned, the approach I am using does not allow anyone to access bitcoind remotely (which is required in my case). And it is an internal module, not exposed to any API where you can pass btc_prefix. It is saved in a config file. Does it pose any similar security flaw given the conditions? – Shabahat M. Ayubi – 2016-12-26T13:42:04.313

If your internal app is locked down from a security perspective, then of course it's going to be secure whatever code you run on it. Generally, when you ask for a security audit, you assume some external party has access. – Jimmy Song – 2016-12-26T16:14:10.730
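
The JSON-RPC route recommended in the answer and comments, as an added example that is not code from the original posts: the method name travels as JSON data instead of being spliced into a shell command line, so a tampered configuration value is rejected by the node rather than executed. `rpc_call`, `StubNode`, `start_stub`, the credentials and the block height are hypothetical or constructed; the stub stands in for bitcoind so the block runs offline.

```python
import base64, json, threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

def rpc_call(url, user, password, method, params=()):
    """POST one JSON-RPC request. Method and params are JSON data,
    so nothing in them is ever parsed by a shell."""
    body = json.dumps({"jsonrpc": "1.0", "id": "example",
                       "method": method, "params": list(params)}).encode()
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=body, headers={
        "Content-Type": "application/json", "Authorization": "Basic " + token})
    # Empty ProxyHandler: talk to the node directly, ignoring proxy env vars.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    with opener.open(req, timeout=10) as resp:  # raises HTTPError on non-2xx
        reply = json.loads(resp.read())
    if reply.get("error") is not None:
        raise RuntimeError(reply["error"])
    return reply["result"]

def getblockcount(url, user, password):
    return int(rpc_call(url, user, password, "getblockcount"))

class StubNode(BaseHTTPRequestHandler):
    """Constructed stand-in for bitcoind so the example runs offline."""
    seen = []  # method names received, kept for inspection

    def do_POST(self):
        req = json.loads(self.rfile.read(int(self.headers["Content-Length"])))
        StubNode.seen.append(req["method"])
        ok = req["method"] == "getblockcount"
        reply = {"result": 436742 if ok else None, "id": req["id"],  # constructed height
                 "error": None if ok else {"code": -32601, "message": "Method not found"}}
        data = json.dumps(reply).encode()
        self.send_response(200 if ok else 404)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo output quiet
        pass

def start_stub():
    """Start the stub on a free loopback port; return (server, url)."""
    server = HTTPServer(("127.0.0.1", 0), StubNode)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]

if __name__ == "__main__":
    server, url = start_stub()
    print(getblockcount(url, "rpcuser", "rpcpassword"))  # constructed credentials
    server.shutdown()
```

Against a real node, point `url` at its RPC endpoint and take the credentials from the node's configuration; one HTTP request replaces the process spawn that each `bitcoin-cli` call costs.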