
task: check the lexical restrictions on gno module paths and compare to go #2426

Open
kristovatlas opened this issue Jun 24, 2024 · 8 comments
Labels: security (Security-sensitive issue)

Comments

@kristovatlas
Contributor

Description

https://go.dev/ref/mod#go-mod-file-ident

@zivkovicmilos
Member

@kristovatlas any chance we can get this rolling in the next few days?

@kristovatlas
Contributor Author

Ok so the lexical restrictions on gno.mod aren't documented anywhere I can find, but the code is fairly copy/pasted over from Go. Because of the complexity of the code, I don't think I'll tease out the differences with additional manual review, so my next step will be to write a little fuzzer that mutates a sample file and runs them through go mod and gno mod looking for discrepancies.

@kristovatlas
Contributor Author

The relevant files:

https://github.com/golang/mod/blob/master/modfile/read.go parses the file into an AST
https://github.com/golang/mod/blob/master/modfile/rule.go does more parsing-related work and verifies the syntax rules

https://github.com/gnolang/gno/blob/master/gnovm/pkg/gnomod/read.go combines functions from both of these
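Added example, not code from the issue author, the gno repository or golang/mod: a compact reimplementation of the module path rules documented in the Go module reference (go.dev/ref/mod, "Module paths" section), usable as the expected-behaviour side when comparing what `go mod` and `gno mod` accept. The rules are transcribed from that reference; it does not reproduce every check in golang.org/x/mod (for instance the /vN major-version suffix rule is omitted).

```go
package main
import "fmt"
import "strings"

// checkElem: non-empty, ASCII letters/digits and "-._~" only, no leading or trailing
// dot, no Windows device name (CON, PRN, AUX, NUL, COM1-9, LPT1-9) or NAME~1 short name.
func checkElem(elem string) error {
	if elem == "" || elem[0] == '.' || elem[len(elem)-1] == '.' {
		return fmt.Errorf("empty path element or leading/trailing dot in %q", elem)
	}
	for _, r := range elem {
		if !(strings.ContainsRune("-._~", r) || ('0' <= r && r <= '9') ||
			('a' <= r && r <= 'z') || ('A' <= r && r <= 'Z')) {
			return fmt.Errorf("invalid char %q in path element %q", r, elem)
		}
	}
	short, _, _ := strings.Cut(elem, ".") // Windows rules apply to the prefix before the first dot
	up := strings.ToUpper(short)
	if up == "CON" || up == "PRN" || up == "AUX" || up == "NUL" ||
		(len(up) == 4 && (up[:3] == "COM" || up[:3] == "LPT") && '1' <= up[3] && up[3] <= '9') {
		return fmt.Errorf("path element %q is a reserved Windows name", elem)
	}
	if i := strings.LastIndex(short, "~"); i >= 0 && i < len(short)-1 &&
		strings.Trim(short[i+1:], "0123456789") == "" {
		return fmt.Errorf("path element %q looks like a Windows short name", elem)
	}
	return nil
}

// CheckModulePath: every slash-separated element passes checkElem, and the leading
// (domain-like) element is lower-case letters/digits/dots/dashes, has a dot, no leading dash.
func CheckModulePath(path string) error {
	elems := strings.Split(path, "/")
	for _, e := range elems {
		if err := checkElem(e); err != nil {
			return err
		}
	}
	first := elems[0]
	if !strings.Contains(first, ".") || first[0] == '-' {
		return fmt.Errorf("first path element %q must contain a dot and not start with a dash", first)
	}
	for _, r := range first {
		if !(r == '.' || r == '-' || ('0' <= r && r <= '9') || ('a' <= r && r <= 'z')) {
			return fmt.Errorf("invalid char %q in first path element %q", r, first)
		}
	}
	return nil
}
func main() { fmt.Println(CheckModulePath("gno.land/r/demo/boards"), CheckModulePath("Gno.land/x")) }
```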

@kristovatlas
Contributor Author

Working on a simple fuzzing tool revealed the following issue: #3493

@kristovatlas
Contributor Author

This is the fuzzing tool: https://github.com/kristovatlas/gno-fuzz-comparer

@thehowl
Member

thehowl commented Jan 16, 2025

Why is this "security" and "mainnet beta launch" when gno.mod files are not even used or published on-chain?

@moul
Member

moul commented Jan 16, 2025

It should not be labeled as "mainnet beta launch." Although it may be difficult to identify a scenario where this poses a security concern, it can indeed be one. I would categorize it as "low-impact security," which is not among our current priorities.

@kristovatlas
Contributor Author

Bumped milestone to post-mainnet.
