
fix: [quantstamp-15] only support executeWithSessionKey method in session key permission hooks #48

Merged
merged 2 commits into from
Jan 11, 2024

Conversation

fangting-alchemy
Collaborator

MSCA-15
Missing Validation for Execution Function in SessionKeyPermissionsPlugin Hooks

For the second portion of the recommendation.

However, even if the function selector is validated in the pre-execution hook, the plugin still cannot ensure that the hook is not triggered by a random plugin via the executeFromPlugin() call. Checking whether the sender supports the IPlugin interface does not fully solve the issue since the sender can manipulate the return values of the supportsInterface() call. A possible mitigation is to add a flag that indicates whether the call to the hook is triggered via executeFromPlugin() or not.

If a plugin is authorized to call executeWithSessionKey, and therefore passes the validations and hook checks, then updating the limit for the session key is fine. No fix needed here.
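As an added illustration of the selector check this PR title describes (not code from this PR or the project), a pre-execution hook that rejects every execution function except executeWithSessionKey before decoding its arguments; the hook signature, the IAssumedExecutor interface and its Call struct are assumptions made for the example, not the project's actual interfaces.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Assumed executor interface for this example; the real function's argument
// layout is not shown on the PR page.
interface IAssumedExecutor {
    struct Call { address target; uint256 value; bytes data; }
    function executeWithSessionKey(Call[] calldata calls, address sessionKey) external;
}

contract SessionKeyPermissionsHookExample {
    error UnsupportedExecutionFunction(bytes4 selector);

    // Assumed pre-execution hook shape: `data` is the full calldata of the
    // execution function the account is about to run. Only the
    // executeWithSessionKey selector is accepted; anything else reverts, so the
    // session key limit logic can never be reached through another function.
    function preExecutionHook(
        uint8 /*functionId*/,
        address /*sender*/,
        uint256 /*value*/,
        bytes calldata data
    ) external pure returns (bytes memory) {
        bytes4 selector = _selectorOf(data);
        if (selector != IAssumedExecutor.executeWithSessionKey.selector) {
            revert UnsupportedExecutionFunction(selector);
        }
        // Safe to decode now: the layout is known to be executeWithSessionKey's.
        (IAssumedExecutor.Call[] memory calls, address sessionKey) =
            abi.decode(data[4:], (IAssumedExecutor.Call[], address));
        // Sum the native value the session key is about to spend; a limit check
        // or the post-execution hook can consume this returned context.
        uint256 spend = 0;
        for (uint256 i = 0; i < calls.length; i++) {
            spend += calls[i].value;
        }
        return abi.encode(sessionKey, spend);
    }

    // Calldata shorter than a selector is treated as unsupported as well.
    function _selectorOf(bytes calldata data) internal pure returns (bytes4) {
        if (data.length < 4) revert UnsupportedExecutionFunction(bytes4(0));
        return bytes4(data[:4]);
    }
}
```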

@fangting-alchemy fangting-alchemy merged commit 540b0e3 into audit-2023-11-20 Jan 11, 2024
3 checks passed
@fangting-alchemy fangting-alchemy deleted the ft_fix_q15 branch January 11, 2024 00:28
fangting-alchemy added a commit that referenced this pull request Jan 18, 2024
jaypaik pushed a commit that referenced this pull request Jan 25, 2024