Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: string slice panic & automated smart contract tests #76

Merged
merged 10 commits into from
Apr 17, 2024
Merged

fix: string slice panic & automated smart contract tests #76

merged 10 commits into from
Apr 17, 2024

Conversation

chris13524
Copy link
Member

@chris13524 chris13524 commented Mar 25, 2024
edited
Loading

Description

Fixes a possible panic when attempting to slice empty array response. This can be triggered by providing an invalid contract address to validate.

Also add automated tests for EIP-1271.

Also fix potential panics in EIP-191 signature verification, and globally deny array slicing.

How Has This Been Tested?

New tests

Due Diligence

  • Breaking change
  • Requires a documentation update
  • Requires a e2e/integration test update

@chris13524 chris13524 self-assigned this Mar 25, 2024
@chris13524 chris13524 mentioned this pull request Mar 25, 2024
Open
3 tasks
@chris13524 chris13524 marked this pull request as ready for review March 25, 2024 23:45
chris13524
chris13524 commented Mar 25, 2024
View reviewed changes
.github/workflows/ci.yaml
@@ -35,7 +35,7 @@ jobs:
rust: nightly
- name: "Tests"
cmd: nextest
args: run --workspace --all-features --features cacao --retries 3
args: run --workspace --all-features
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--all-features implies --features cacao

--retries doesn't seem to be necessary in latest version

chris13524
chris13524 commented Mar 25, 2024
View reviewed changes
blockchain_api/Cargo.toml
@@ -4,7 +4,7 @@ version = "0.1.0"
edition = "2021"

[dependencies]
relay_rpc = { path = "../relay_rpc" }
relay_rpc = { path = "../relay_rpc", features = ["cacao"] }
Copy link
Member Author

@chris13524 chris13524 Mar 25, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This doesn't actually compile without this; forgot in previous PRs. Wasn't caught because CI here always sets this feature.

chris13524
chris13524 commented Mar 26, 2024
View reviewed changes
relay_rpc/src/lib.rs Outdated
@@ -1,3 +1,5 @@
#![deny(clippy::indexing_slicing)]
Copy link
Member Author

@chris13524 chris13524 Mar 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Slices/indexing can be unsafe generally and easy to overlook for panics. People can #[allow(clippy::indexing_slicing)] for each instance to bypass if confident it won't panic.

Copy link

@nopestack nopestack Mar 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this can also be set on the manifest so it's applied to the entire codebase like so:

[lints.clippy]
indexing_slicing = "deny"

chris13524
chris13524 commented Mar 26, 2024
View reviewed changes
relay_rpc/src/jwt.rs
@@ -149,12 +149,17 @@ pub trait VerifyableClaims: Serialize + DeserializeOwned {

// Decode header.
data_encoding::BASE64URL_NOPAD
.decode_mut(header.as_bytes(), &mut output[..header_len])
.decode_mut(
Copy link
Member Author

@chris13524 chris13524 Mar 26, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think these are all safe slices already, but replacing with error catching instead of clippy allow because we are already using Results and there seems to be 1 shared Error variant for all cases here.

I would prefer if we had different error variants for each case, and separating the client errors from the server errors.

@chris13524 chris13524 force-pushed the fix/string-slice-panic branch from 72f9311 to a9ed09e Compare March 26, 2024 01:16
@chris13524 chris13524 force-pushed the fix/string-slice-panic branch from a9ed09e to 4424b74 Compare March 26, 2024 01:23
nopestack
nopestack reviewed Apr 11, 2024
View reviewed changes
relay_rpc/src/auth/cacao/signature/test_helpers.rs
.wait_with_output()
.await
.unwrap();
println!("forge status: {:?}", output.status);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

were these prints intended to be there?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah these are helpful if this tool fails to start for some reason. They don't get printed unless the test fails.

@chris13524 chris13524 merged commit 2ce3a45 into main Apr 17, 2024
8 checks passed
@chris13524 chris13524 deleted the fix/string-slice-panic branch April 17, 2024 16:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nopestack nopestack nopestack approved these changes

@geekbrother geekbrother geekbrother approved these changes

Assignees

@chris13524 chris13524

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@chris13524 @geekbrother @nopestack