fix: prevent false positive return for guarding dao member store #3121
Conversation
If we want to guard the MemStore by checking the active DAO realm, m.daoPkgPath must first be assigned a realm package path; otherwise, the isCallerDAORealm() method may return a false positive, failing to protect the MemStore.
Codecov Report: All modified and coverable lines are covered by tests ✅
Closing the issue: Manfred & Miloš discussed this and agreed that, if daoPkgPath isn't defined, realm guard should not be active.
We need more discussion on this. The current implementation could introduce serious bugs, resulting in DAO vulnerabilities. After this PR, when "if daoPkgPath isn't defined, the realm guard should not be active," developers will need to explicitly remove the isCallerDAORealm() statement to indicate that realm access is not protected.

Here is the reasoning behind this approach: For developers who write or read the code, the intention behind introducing the isCallerDAORealm() statement in the first place was to guard realm access. This method acts as a guard while abstracting the implementation details. However, the guard relies on a condition that may be defined or updated elsewhere. The current implementation could create ambiguity in the OR logic of the if statement.

This PR addresses the issue:
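The failure mode described in the PR description and in the comment above, as an added Go example that is not the gno project's code: `MemStore`, the method names and the realm paths are hypothetical stand-ins, and it assumes (as in gno) that a direct user call presents an empty previous-realm package path. A plain string comparison against an unset `daoPkgPath` passes for such a caller; the strict variant fails closed until a realm path is assigned.

```go
package main

import (
	"errors"
	"fmt"
)

// MemStore is a hypothetical stand-in for the DAO member store discussed in
// the PR (constructed for this example; not the gno project's type).
type MemStore struct {
	daoPkgPath string // realm package path allowed to mutate the store
	members    map[string]bool
}

var ErrNotDAORealm = errors.New("caller is not the DAO realm")

// isCallerDAORealm shows the false positive: with daoPkgPath unset, a caller
// whose package path is also empty (assumption: a direct user call) matches.
func (m *MemStore) isCallerDAORealm(callerPkgPath string) bool {
	return callerPkgPath == m.daoPkgPath
}

// isCallerDAORealmStrict only answers true once a DAO realm path has been
// assigned and the caller matches it, so an unconfigured store fails closed.
func (m *MemStore) isCallerDAORealmStrict(callerPkgPath string) bool {
	return m.daoPkgPath != "" && callerPkgPath == m.daoPkgPath
}

// AddMember applies the strict guard before mutating the store.
func (m *MemStore) AddMember(callerPkgPath, addr string) error {
	if !m.isCallerDAORealmStrict(callerPkgPath) {
		return ErrNotDAORealm
	}
	m.members[addr] = true
	return nil
}

func main() {
	unconfigured := &MemStore{members: map[string]bool{}}
	fmt.Println(unconfigured.isCallerDAORealm(""))       // true: false positive
	fmt.Println(unconfigured.isCallerDAORealmStrict("")) // false: guard holds

	// Constructed realm paths, not real gno.land packages.
	s := &MemStore{daoPkgPath: "gno.land/r/example/dao", members: map[string]bool{}}
	fmt.Println(s.AddMember("gno.land/r/example/dao", "g1alice")) // <nil>
	fmt.Println(s.AddMember("gno.land/r/example/other", "g1bob")) // error
}
```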
Let's go with this 🙏
Please check the CI
If we want to guard the MemStore by checking the active DAO realm, m.daoPkgPath must first be assigned a realm package path; otherwise, the isCallerDAORealm() method may return a false positive, failing to protect the MemStore.

---------

Co-authored-by: Miloš Živković <[email protected]>