Skip to content

security: automatic remappings can be dangerous #9146

New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom
Closed
2 tasks done
Tracked by #9157
QGarchery opened this issue Oct 19, 2024 · 1 comment · Fixed by #9246 or #9521
Closed
2 tasks done
Tracked by #9157

security: automatic remappings can be dangerous #9146

QGarchery opened this issue Oct 19, 2024 · 1 comment · Fixed by #9246 or #9521
Assignees
@grandizzy
Labels
A-remappings Area: remappings P-normal Priority: normal T-bug Type: bug
Milestone
v1.0.0

Comments

@QGarchery
Copy link

QGarchery commented Oct 19, 2024
edited
Loading

Component

Forge

Have you ensured that all of these are up to date?

  • Foundry
  • Foundryup

What version of Foundry are you on?

forge 0.2.0 (a8c3e9c 2024-10-19T00:21:12.472031180Z)

What command(s) is the bug in?

forge build

Operating System

Linux

Describe the bug

Forge infers remappings by taking into account remappings of sub-projects. When there are conflicting remappings, it seems like the longest / most specified has the priority. This can be dangerous, as adding sub-projects can now completely change the code that is executed, even if the remappings of the root project are not changed.

Reproduced in this test. Notice that removing the lib/interesting-project makes the test pass again. Also notice how interesting-project can be very deep in the sub-projects, so it can be difficult to detect that the executed bytecode has changed.

Proposed solution: make remappings of the root project have priority over remappings of sub-projects.
@QGarchery QGarchery added T-bug Type: bug T-needs-triage Type: this issue needs to be labelled labels Oct 19, 2024
@github-project-automation github-project-automation bot moved this to Todo in Foundry Oct 19, 2024
@zerosnacks zerosnacks changed the title Automatic remappings can be dangerous security: automatic remappings can be dangerous Oct 21, 2024
@zerosnacks zerosnacks added P-normal Priority: normal T-to-investigate Type: to investigate A-remappings Area: remappings and removed T-needs-triage Type: this issue needs to be labelled labels Oct 21, 2024
@zerosnacks zerosnacks added this to the v1.0.0 milestone Oct 22, 2024
@zerosnacks zerosnacks mentioned this issue Oct 22, 2024
Open
8 tasks
@grandizzy grandizzy mentioned this issue Nov 1, 2024
Merged
@grandizzy grandizzy self-assigned this Nov 4, 2024
@grandizzy grandizzy moved this from Todo to Ready For Review in Foundry Nov 4, 2024
@github-project-automation github-project-automation bot moved this from Ready For Review to Done in Foundry Nov 5, 2024
@grandizzy
Copy link
Collaborator

reopen per #9274

@grandizzy grandizzy reopened this Nov 6, 2024
@zerosnacks zerosnacks moved this from Done to In Progress in Foundry Nov 11, 2024
@grandizzy grandizzy removed the T-to-investigate Type: to investigate label Nov 14, 2024
@grandizzy grandizzy mentioned this issue Nov 20, 2024
Closed
2 tasks
@grandizzy grandizzy mentioned this issue Dec 9, 2024
Merged
@grandizzy grandizzy moved this from In Progress to Ready For Review in Foundry Dec 9, 2024
@MathisGD MathisGD mentioned this issue Jan 20, 2025
Closed
@github-project-automation github-project-automation bot moved this from Ready For Review to Done in Foundry Jan 22, 2025
@grandizzy grandizzy moved this from Done to Completed in Foundry Jan 27, 2025
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@grandizzy grandizzy

Labels
A-remappings Area: remappings P-normal Priority: normal T-bug Type: bug
Projects
Foundry
Status: Completed
Milestone
v1.0.0
4 participants
@QGarchery @grandizzy @zerosnacks and others