
Merge pull request #3654 from onflow/bastian/port-security-fixes-2
Port security fixes
turbolent authored Oct 30, 2024
2 parents 1399a6d + 2c239a7 commit efe9b38
Showing 22 changed files with 657 additions and 537 deletions.
2 changes: 1 addition & 1 deletion ast/expression.go
Expand Up @@ -1416,7 +1416,7 @@ func FunctionDocument(
}

// NOTE: not all functions have a parameter list,
// e.g. the `destroy` special function
// e.g. the `init` (initializer, special function)
if parameterList != nil {

signatureDoc = append(
13 changes: 7 additions & 6 deletions go.mod
Expand Up @@ -22,10 +22,10 @@ require (
github.com/turbolent/prettier v0.0.0-20220320183459-661cc755135d
go.opentelemetry.io/otel v1.8.0
go.uber.org/goleak v1.1.10
golang.org/x/crypto v0.1.0
golang.org/x/mod v0.14.0
golang.org/x/text v0.4.0
golang.org/x/tools v0.16.0
golang.org/x/crypto v0.28.0
golang.org/x/mod v0.17.0
golang.org/x/text v0.19.0
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1
)

Expand Down Expand Up @@ -56,8 +56,9 @@ require (
github.com/zeebo/assert v1.3.0 // indirect
github.com/zeebo/blake3 v0.2.3 // indirect
golang.org/x/lint v0.0.0-20200302205851-738671d3881b // indirect
golang.org/x/sys v0.15.0 // indirect
golang.org/x/term v0.6.0 // indirect
golang.org/x/sync v0.8.0 // indirect
golang.org/x/sys v0.26.0 // indirect
golang.org/x/term v0.25.0 // indirect
gonum.org/v1/gonum v0.6.1 // indirect
gopkg.in/yaml.v3 v3.0.1 // indirect
)
31 changes: 16 additions & 15 deletions go.sum
Expand Up @@ -23,8 +23,8 @@ github.com/fxamacker/cbor/v2 v2.4.1-0.20230228173756-c0c9f774e40c/go.mod h1:TA1x
github.com/fxamacker/circlehash v0.3.0 h1:XKdvTtIJV9t7DDUtsf0RIpC1OcxZtPbmgIH7ekx28WA=
github.com/fxamacker/circlehash v0.3.0/go.mod h1:3aq3OfVvsWtkWMb6A1owjOQFA+TLsD5FgJflnaQwtMM=
github.com/golang/freetype v0.0.0-20170609003504-e2365dfdc4a0/go.mod h1:E/TSTwGwJL78qG/PmXZO1EjYhfJinVAhrmmHX6Z8B9k=
github.com/google/go-cmp v0.5.8 h1:e6P7q2lk1O+qJJb4BtCQXlK8vWEO8V1ZeuEdJNOqZyg=
github.com/google/go-cmp v0.5.8/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI=
github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
github.com/itchyny/gojq v0.12.14 h1:6k8vVtsrhQSYgSGg827AD+PVVaB1NLXEdX+dda2oZCc=
github.com/itchyny/gojq v0.12.14/go.mod h1:y1G7oO7XkcR1LPZO59KyoCRy08T3j9vDYRV0GgYSS+s=
github.com/itchyny/timefmt-go v0.1.5 h1:G0INE2la8S6ru/ZI5JecgyzbbJNs5lG1RcBqa7Jm6GE=
Expand Down Expand Up @@ -121,8 +121,8 @@ go.uber.org/goleak v1.1.10 h1:z+mqJhf6ss6BSfSM671tgKyZBFPTTJM+HLxnhPC3wu0=
go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
golang.org/x/crypto v0.1.0 h1:MDRAIl0xIo9Io2xV565hzXHw3zVseKrJKodhohM5CjU=
golang.org/x/crypto v0.1.0/go.mod h1:RecgLatLF4+eUMCP1PoPZQb+cVrJcOPbHkTkbkB9sbw=
golang.org/x/crypto v0.28.0 h1:GBDwsMXVQi34v5CCYUm2jkJvu4cbtru2U4TN2PSyQnw=
golang.org/x/crypto v0.28.0/go.mod h1:rmgy+3RHxRZMyY0jjAJShp2zgEdOqj2AO7U0pYmeQ7U=
golang.org/x/exp v0.0.0-20180321215751-8460e604b9de/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20180807140117-3d87b88a115f/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
Expand All @@ -133,8 +133,8 @@ golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHl
golang.org/x/lint v0.0.0-20200302205851-738671d3881b h1:Wh+f8QHJXR411sJR8/vRBTZ7YapZaRvUcLFFJhusH0k=
golang.org/x/lint v0.0.0-20200302205851-738671d3881b/go.mod h1:3xt1FjdF8hUf6vQPIChWIBhFzV8gjjsPE/fR3IyQdNY=
golang.org/x/mod v0.1.1-0.20191105210325-c90efee705ee/go.mod h1:QqPTAvyqsEbceGzBzNggFXnrqF1CaUcvgkdR5Ot7KZg=
golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0=
golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/mod v0.17.0 h1:zY54UmvipHiNd+pm+m0x9KhZ9hl1/7QNMyxXbc6ICqA=
golang.org/x/mod v0.17.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c=
golang.org/x/net v0.0.0-20180218175443-cbe0f9307d01/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
Expand All @@ -143,8 +143,8 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
golang.org/x/net v0.0.0-20191109021931-daa7c04131f5/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE=
golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sync v0.8.0 h1:3NFvSEYkUoMifnESzZl15y791HH1qU2xm6eCJU5ZPXQ=
golang.org/x/sync v0.8.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190222072716-a9d3bda3a223/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
Expand All @@ -157,20 +157,21 @@ golang.org/x/sys v0.0.0-20200918174421-af09f7315aff/go.mod h1:h1NjWce9XRLGQEsW7w
golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
golang.org/x/sys v0.15.0 h1:h48lPFYpsTvQJZF4EKyI4aLHaev3CxivZmv7yZig9pc=
golang.org/x/sys v0.15.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
golang.org/x/sys v0.26.0 h1:KHjCJyddX0LoSTb3J+vWpupP9p0oznkqVk/IfjymZbo=
golang.org/x/sys v0.26.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA=
golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
golang.org/x/term v0.25.0 h1:WtHI/ltw4NvSUig5KARz9h521QvRC8RmF/cuYqifU24=
golang.org/x/term v0.25.0/go.mod h1:RPyXicDX+6vLxogjjRxjgD2TKtmAO6NZBsBRfrOLu7M=
golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
golang.org/x/text v0.4.0 h1:BrVqGRd7+k1DiOgtnFvAkoQEWQvBc25ouMJM6429SFg=
golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
golang.org/x/text v0.19.0 h1:kTxAhCbGbxhK0IwgSKiMO5awPoDQ0RpfiVYBfK860YM=
golang.org/x/text v0.19.0/go.mod h1:BuEKDfySbSR4drPmRPG/7iBdf8hvFMuRexcpahXilzY=
golang.org/x/tools v0.0.0-20180525024113-a5b4c53f6e8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190206041539-40960b6deb8e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
golang.org/x/tools v0.0.0-20200130002326-2f3ba24bd6e7/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28=
golang.org/x/tools v0.16.0 h1:GO788SKMRunPIBCXiQyo2AaexLstOrVhuAL5YwsckQM=
golang.org/x/tools v0.16.0/go.mod h1:kYVVN6I1mBNoB1OX+noeBjbRk4IUEPa7JJ+TJMEooJ0=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d h1:vU5i/LfpvrRCpgM/VPfJLg5KjxD3E+hfT1SH+d9zLwg=
golang.org/x/tools v0.21.1-0.20240508182429-e35e4ccd0d2d/go.mod h1:aiJjzUbINMkxbQROHiO6hDPo2LHcIPhhQsa9DLh0yGk=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE=
2 changes: 1 addition & 1 deletion npm-packages/cadence-parser/package.json
@@ -1,6 +1,6 @@
{
"name": "@onflow/cadence-parser",
"version": "1.2.1-preview.52",
"version": "1.2.1",
"description": "The Cadence parser",
"homepage": "https://github.com/onflow/cadence",
"repository": {
68 changes: 67 additions & 1 deletion runtime/contract_update_validation_test.go
Expand Up @@ -83,6 +83,10 @@ func newContractRemovalTransaction(contractName string) string {
}

func newContractDeploymentTransactor(t *testing.T, config Config) func(code string) error {
return newContractDeploymentTransactorWithVersion(t, config, "")
}

func newContractDeploymentTransactorWithVersion(t *testing.T, config Config, version string) func(code string) error {

rt := NewTestInterpreterRuntimeWithConfig(config)

Expand Down Expand Up @@ -112,6 +116,9 @@ func newContractDeploymentTransactor(t *testing.T, config Config) func(code stri
events = append(events, event)
return nil
},
OnMinimumRequiredVersion: func() (string, error) {
return version, nil
},
}

nextTransactionLocation := NewTransactionLocationGenerator()
Expand All @@ -132,7 +139,18 @@ func newContractDeploymentTransactor(t *testing.T, config Config) func(code stri
// testDeployAndUpdate deploys a contract in one transaction,
// then updates the contract in another transaction
func testDeployAndUpdate(t *testing.T, name string, oldCode string, newCode string, config Config) error {
executeTransaction := newContractDeploymentTransactor(t, config)
return testDeployAndUpdateWithVersion(t, name, oldCode, newCode, config, "")
}

func testDeployAndUpdateWithVersion(
t *testing.T,
name string,
oldCode string,
newCode string,
config Config,
version string,
) error {
executeTransaction := newContractDeploymentTransactorWithVersion(t, config, version)
err := executeTransaction(newContractAddTransaction(name, oldCode))
require.NoError(t, err)

Expand Down Expand Up @@ -3764,3 +3782,51 @@ func TestRuntimeContractUpdateErrorsInOldProgram(t *testing.T) {
require.ErrorAs(t, err, &oldProgramError)
})
}

func TestAttachmentsUpdates(t *testing.T) {
t.Parallel()

testWithValidators(t,
"Keep base type",
func(t *testing.T, config Config) {

const oldCode = `
access(all) contract Test {
access(all) attachment A for AnyResource {}
}
`

const newCode = `
access(all) contract Test {
access(all) attachment A for AnyResource {}
}
`

err := testDeployAndUpdate(t, "Test", oldCode, newCode, config)
require.NoError(t, err)
},
)

testWithValidators(t,
"Change base type",
func(t *testing.T, config Config) {

const oldCode = `
access(all) contract Test {
access(all) attachment A for AnyResource {}
}
`

const newCode = `
access(all) contract Test {
access(all) attachment A for AnyStruct {}
}
`

err := testDeployAndUpdate(t, "Test", oldCode, newCode, config)

var expectedErr *stdlib.TypeMismatchError
require.ErrorAs(t, err, &expectedErr)
},
)
}
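Review bot: The two `…WithVersion` helpers are added without doc comments, and in the hunks shown every caller passes `""`, so the case where `OnMinimumRequiredVersion` reports an actual version is not exercised here (other parts of the file are outside these hunks). A comment such as `// newContractDeploymentTransactorWithVersion is like newContractDeploymentTransactor, but the test interface reports version from OnMinimumRequiredVersion.` would make the purpose of the extra parameter clear. In `TestAttachmentsUpdates`, the "Change base type" case only requires that a `stdlib.TypeMismatchError` is somewhere in the error chain; also asserting that it refers to attachment `A` would keep the test from passing on an unrelated mismatch. The new test also lacks the `TestRuntime` prefix used by `TestRuntimeContractUpdateErrorsInOldProgram` just above it, e.g. `func TestRuntimeAttachmentsUpdates(t *testing.T) {`.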
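--- a/runtime/empty.go
+++ b/runtime/empty.go
@@ -260,3 +260,7 @@ func (EmptyRuntimeInterface) ValidateAccountCapabilitiesPublish(
 ) (bool, error) {
 panic("unexpected call to ValidateAccountCapabilitiesPublish")
 }
+
+func (EmptyRuntimeInterface) MinimumRequiredVersion() (string, error) {
+return "0.0.0", nil
+}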
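Review bot: `MinimumRequiredVersion` returns a value where the `EmptyRuntimeInterface` method shown just above it panics with "unexpected call to …", and nothing says why it differs. From the rest of this commit the reason appears to be that `interpreterEnvironment.Configure` now calls it on every configuration, so a panic here would break every user of the empty interface. A short comment would stop someone from "fixing" the inconsistency later: `// Unlike the other methods this does not panic, because Configure calls it unconditionally.` If `"0.0.0"` is meant as "no minimum", that is worth stating too, since the test helper in this commit uses `""` for its default.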
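--- a/runtime/environment.go
+++ b/runtime/environment.go
@@ -242,6 +242,8 @@ func (e *interpreterEnvironment) Configure(
 e.InterpreterConfig.Storage = storage
 e.coverageReport = coverageReport
 e.stackDepthLimiter.depth = 0
+
+e.configureVersionedFeatures()
 }
 
 func (e *interpreterEnvironment) DeclareValue(valueDeclaration stdlib.StandardLibraryValue, location common.Location) {
@@ -1425,3 +1427,19 @@ func (e *interpreterEnvironment) newValidateAccountCapabilitiesPublishHandler()
 return ok, err
 }
 }
+
+func (e *interpreterEnvironment) configureVersionedFeatures() {
+var (
+minimumRequiredVersion string
+err error
+)
+errors.WrapPanic(func() {
+minimumRequiredVersion, err = e.runtimeInterface.MinimumRequiredVersion()
+})
+if err != nil {
+panic(err)
+}
+
+// No feature flags yet
+_ = minimumRequiredVersion
+}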
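Review bot: `configureVersionedFeatures` fetches the host's minimum required version on every `Configure` call but never parses or validates it; the only use is `_ = minimumRequiredVersion`. Since the value is meant to gate behaviour later, the expected format and the handling of an empty or malformed string should be settled before the first gate is added: the test helper in this commit passes `""` while `EmptyRuntimeInterface` returns `"0.0.0"`, so both forms already occur. I would replace the placeholder with `// TODO: parse minimumRequiredVersion once here and decide whether an empty or malformed value enables or disables gated features`. Separately, `panic(err)` re-raises the host's error unchanged; if other interface calls in this file wrap host errors before propagating them (not visible in these hunks), this one should match so the failure is attributed to the host rather than to the runtime.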
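--- a/runtime/interface.go
+++ b/runtime/interface.go
@@ -161,6 +161,8 @@ type Interface interface {
 path interpreter.PathValue,
 capabilityBorrowType *interpreter.ReferenceStaticType,
 ) (bool, error)
+
+MinimumRequiredVersion() (string, error)
 }
 
 type MeterInterface interface {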
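Review bot: The new `MinimumRequiredVersion() (string, error)` method has no doc comment, so implementers of `Interface` cannot tell what string format is expected or what an empty string means. Adding a method to this interface also forces every external implementation to be updated, and the comment is the natural place to say what a host should return. Something like `// MinimumRequiredVersion returns the minimum version required by the host; it is called on every Configure.` would do, extended with the exact format once the runtime starts parsing the value. The `Interface` declaration starts before this hunk, so the comment style of the neighbouring methods is not visible here.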
68 changes: 68 additions & 0 deletions runtime/runtime_test.go
Expand Up @@ -11666,3 +11666,71 @@ func TestRuntimeIdentifierLocationToAddressLocationRewrite(t *testing.T) {

assert.Equal(t, cadence.NewInt(42), result)
}

func TestRuntimeBuiltInFunctionConfusion(t *testing.T) {

t.Parallel()

const contract = `
access(all) contract Foo {
access(all) resource getType {}
init() {
Foo.getType()
}
}
`

address := common.MustBytesToAddress([]byte{0x1})

newRuntimeInterface := func() Interface {

accountCodes := map[common.AddressLocation][]byte{}
var events []cadence.Event
var loggedMessages []string

return &TestRuntimeInterface{
Storage: NewTestLedger(nil, nil),
OnGetSigningAccounts: func() ([]common.Address, error) {
return []common.Address{address}, nil
},
OnResolveLocation: NewSingleIdentifierLocationResolver(t),
OnUpdateAccountContractCode: func(location common.AddressLocation, code []byte) error {
accountCodes[location] = code
return nil
},
OnGetAccountContractCode: func(location common.AddressLocation) (code []byte, err error) {
code = accountCodes[location]
return code, nil
},
OnEmitEvent: func(event cadence.Event) error {
events = append(events, event)
return nil
},
OnProgramLog: func(message string) {
loggedMessages = append(loggedMessages, message)
},
}
}

runtime := NewTestInterpreterRuntime()

nextTransactionLocation := NewTransactionLocationGenerator()

err := runtime.ExecuteTransaction(
Script{
Source: DeploymentTransaction(
"Foo",
[]byte(contract),
),
},
Context{
Interface: newRuntimeInterface(),
Location: nextTransactionLocation(),
},
)
RequireError(t, err)

var redeclarationError *sema.RedeclarationError
require.ErrorAs(t, err, &redeclarationError)
}
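Review bot: `TestRuntimeBuiltInFunctionConfusion` has no comment saying what it guards against, which matters for a regression test that arrived with a security port. From the body, it deploys a contract that declares `resource getType {}` and calls `Foo.getType()` in the initializer, then requires a `sema.RedeclarationError`; a doc comment such as `// TestRuntimeBuiltInFunctionConfusion checks that a contract member named like the built-in getType function is rejected at deployment with a redeclaration error.` would record that intent. `events` and `loggedMessages` are appended to but never read, so the `OnEmitEvent` and `OnProgramLog` bookkeeping can be dropped or the slices asserted on. The interface literal also sets no `OnMinimumRequiredVersion`, unlike the transactor helper changed in this commit; whether the test interface tolerates that is not visible here.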