Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: shape name in create lockup #1094

Merged
merged 2 commits into from
Nov 26, 2024
Merged

feat: shape name in create lockup #1094

merged 2 commits into from
Nov 26, 2024

Conversation

smol-ninja
Copy link
Member

@smol-ninja smol-ninja commented Nov 22, 2024
edited
Loading

Closes #1086.

Changelog

  • I did not fuzz shape names in Fork and Invariant tests since its only emitted in event. So, concrete tests and fuzz tests are sufficient imo.
  • Re HTML injection attacks, a 32 bytes restriction on shape name has been applied.
  • The variable in the input parameter is called shape and not shapeName as I suppose the "name" keyword is implicit given that its a string type

@smol-ninja smol-ninja mentioned this pull request Nov 25, 2024
Merged
andreivladbrg
andreivladbrg requested changes Nov 26, 2024
View reviewed changes
Copy link
Member

@andreivladbrg andreivladbrg left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, left some comments below:

I did not fuzz shape names in Fork and Invariant tests since its only emitted in event. So, concrete tests and fuzz tests are sufficient imo

agree that we don't need to fuzz this in fork/invariants (it would be superfluous)

src/SablierLockup.sol Outdated Show resolved Hide resolved
src/types/DataTypes.sol Outdated Show resolved Hide resolved
src/types/DataTypes.sol Outdated Show resolved Hide resolved
test/utils/Defaults.sol Outdated Show resolved Hide resolved
script/Init.s.sol Outdated Show resolved Hide resolved
script/Init.s.sol Outdated Show resolved Hide resolved
test/integration/concrete/lockup-base/create-with-timestamps/createWithTimestamps.t.sol Outdated Show resolved Hide resolved
src/libraries/Errors.sol Outdated Show resolved Hide resolved
@andreivladbrg andreivladbrg mentioned this pull request Nov 26, 2024
Merged
@smol-ninja @andreivladbrg
refactor: moves shape name check to Helpers
f937d60 
docs: uses assertive comments in natspecs
test: makes default shape name with non-zero length

Co-authored-by: andreivladbrg <andreivladbrg@gmail.com>
@smol-ninja
Copy link
Member Author

Thanks for the review @andreivladbrg. I have incorporated all your suggestions except one. Let me know what you think about that.

@smol-ninja smol-ninja merged commit 1c2e385 into staging Nov 26, 2024
9 checks passed
@smol-ninja smol-ninja deleted the feat/emit-shape-name branch November 26, 2024 14:20
PaulRBerg
PaulRBerg reviewed Nov 26, 2024
View reviewed changes
Copy link
Member

@PaulRBerg PaulRBerg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, 32 bytes is not enough to prevent HTML injection. From ChatGPT convo:

<img src=x onerror=alert(1)>

I think we just have to accept the potential risk and sanitize the shape string at the UI level, cc @sablier-labs/frontend.

script/Init.s.sol Show resolved Hide resolved
@PaulRBerg PaulRBerg mentioned this pull request Nov 26, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andreivladbrg andreivladbrg andreivladbrg requested changes

@PaulRBerg PaulRBerg PaulRBerg left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@smol-ninja @PaulRBerg @andreivladbrg