Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore: Audit Textual any, coins, message #15550

Merged
merged 15 commits into from
Apr 14, 2023
Merged

Conversation

amaury1093
Copy link
Contributor

@amaury1093 amaury1093 commented Mar 27, 2023

Description

ref: #15549

Internal audit of the following pieces:


Author Checklist

All items are required. Please add a note to the item if the item is not applicable and
please add links to any relevant follow up issues.

I have...

  • included the correct type prefix in the PR title
  • added ! to the type prefix if API or client breaking change
  • targeted the correct branch (see PR Targeting)
  • provided a link to the relevant issue or specification
  • followed the guidelines for building modules
  • included the necessary unit and integration tests
  • added a changelog entry to CHANGELOG.md
  • included comments for documenting Go code
  • updated the relevant documentation or specification
  • reviewed "Files changed" and left comments if necessary
  • confirmed all CI checks have passed

Reviewers Checklist

All items are required. Please add a note if the item is not applicable and please add
your handle next to the items reviewed if you only reviewed selected items.

I have...

  • confirmed the correct type prefix in the PR title
  • confirmed ! in the type prefix if API or client breaking change
  • confirmed all author checklist items have been addressed
  • reviewed state machine logic
  • reviewed API design and naming
  • reviewed documentation is accurate
  • reviewed tests and test coverage
  • manually tested (if applicable)

@amaury1093 amaury1093 mentioned this pull request Mar 27, 2023
34 tasks
@amaury1093 amaury1093 changed the title chore: Audit Textual any, bytes chore: Audit Textual any Mar 27, 2023
@amaury1093 amaury1093 changed the title chore: Audit Textual any chore: Audit Textual any, coins Mar 27, 2023
@amaury1093 amaury1093 changed the title chore: Audit Textual any, coins chore: Audit Textual any, coins, message Mar 30, 2023
if isMsgRenderer && subscreens[0].Content == fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()) {
if isMsgRenderer {
if subscreens[0].Content != fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()) {
return nil, fmt.Errorf("any internal message expects %s, got %s", fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()), subscreens[0].Content)
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the first condition isMsgRenderer is true, then the second condition also must be true, or else it's an implementation error upstream (e.g. in the protobuf values passed into Textual), and the user should be aware of it.

I propose to return an error here.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This puts some constraints on the future evolution of messageValueRenderer. E.g. suppose we decide to allow localization and render "%s objeto" when the account's locale is "PT". With the previous code we just skip the header suppression, but now it becomes an error.

Of course, the current code is sensitive to the future evolution of messageValueRenderer as well. We should at least add a cross-reference to this header recognition code from messageValueRenderer.header() so that we can update this code if we ever modify the header.

Copy link
Member

@facundomedica facundomedica Apr 11, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know if I fully understand your point @JimLarson it seems like if we don't return an error here, it should fail at signature verification right?

I think returning an error is fine, as long as we check against msgRenderer.header() (and stop using fmt.Sprintf; I have that in a separate PR).

To evolve the message renderer we could modify the header() to do stuff based on the message, or something like that.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@JimLarson I'll merge this, we can re-discuss this in my follow up pr

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Following up on this - since we're always adding the expected header back in Parse(), it wouldn't round-trip correctly if MessageValueRenderer didn't add the expected header, so it's probably the best to do as this code does - throw an error if you don't see the expected header. I withdraw my suggestion.

@amaury1093 amaury1093 marked this pull request as ready for review March 30, 2023 10:18
@amaury1093 amaury1093 requested a review from a team as a code owner March 30, 2023 10:18
@github-prbot github-prbot requested review from a team, atheeshp and likhita-809 and removed request for a team March 30, 2023 10:18
@facundomedica facundomedica self-assigned this Mar 31, 2023
x/tx/signing/textual/types.go Outdated Show resolved Hide resolved
x/tx/signing/textual/types.go Outdated Show resolved Hide resolved
facundomedica and others added 3 commits April 5, 2023 16:44
Co-authored-by: 0000 1000 1101 0010 <96826920+08d2@users.noreply.github.com>
Co-authored-by: 0000 1000 1101 0010 <96826920+08d2@users.noreply.github.com>
Copy link
Contributor

@JimLarson JimLarson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good with some minor changes.

docs/architecture/adr-050-sign-mode-textual-annex1.md Outdated Show resolved Hide resolved
if isMsgRenderer && subscreens[0].Content == fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()) {
if isMsgRenderer {
if subscreens[0].Content != fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()) {
return nil, fmt.Errorf("any internal message expects %s, got %s", fmt.Sprintf("%s object", internalMsg.ProtoReflect().Descriptor().Name()), subscreens[0].Content)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This puts some constraints on the future evolution of messageValueRenderer. E.g. suppose we decide to allow localization and render "%s objeto" when the account's locale is "PT". With the previous code we just skip the header suppression, but now it becomes an error.

Of course, the current code is sensitive to the future evolution of messageValueRenderer as well. We should at least add a cross-reference to this header recognition code from messageValueRenderer.header() so that we can update this code if we ever modify the header.

x/tx/signing/textual/types.go Outdated Show resolved Hide resolved
@facundomedica facundomedica enabled auto-merge April 14, 2023 13:45
@facundomedica facundomedica added this pull request to the merge queue Apr 14, 2023
Merged via the queue into main with commit 0931193 Apr 14, 2023
@facundomedica facundomedica deleted the am/15549-textual-audit branch April 14, 2023 22:43
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants