From 48419904acaed7029b9ef728d8b8dc6be5ab207d Mon Sep 17 00:00:00 2001
From: Fangting Liu
Date: Tue, 9 Jan 2024 15:36:48 -0800
Subject: [PATCH 1/2] fix: [quantstamp-15] only support executeWithSessionKey method in session key permission hooks
---
 .../permissions/SessionKeyPermissionsPlugin.sol | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol b/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
index 4f01329c..f61cf66f 100644
--- a/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
+++ b/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
@@ -247,7 +247,10 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 // ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 /// @dev A pre user op validation hook that checks the permissions of the key used to validate the user op.
- function _checkUserOpPermissions(UserOperation calldata userOp) internal returns (uint256) {
+ function _checkUserOpPermissions(UserOperation calldata userOp) internal returns (uint256 validationRes) {
+ // if not calling executeWithSessionKey, nothing to do.
+ if (bytes4(userOp.callData) != ISessionKeyPlugin.executeWithSessionKey.selector) return validationRes;
+
 // Decode the executions array and the session key from the user op's calldata
 (Call[] memory calls, address sessionKey) = abi.decode(userOp.callData[4:], (Call[], address));
@@ -327,7 +330,7 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 // otherwise a packed struct of the aggregator address (0 here), and two
 // 6-byte timestamps indicating the start and end times at which the op
 // is valid.
- return uint160(!validationSuccess ? 1 : 0) | (uint256(sessionKeyData.validUntil) << 160)
+ validationRes = uint160(!validationSuccess ? 1 : 0) | (uint256(sessionKeyData.validUntil) << 160)
 | (uint256(currentValidAfter) << (208));
 }
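Review bot: The early return added to `_checkUserOpPermissions` fails open: a user operation whose selector is not `executeWithSessionKey` gets validation data 0, which reads as success with no time bounds, so the permission checks only run while the hook is wired to that one function. The same applies to the early `return` added to `_updateLimitsPreExec` in the following hunk, where spend-limit accounting is skipped, and to the `return 0` form this line takes in patch 2/2. If the hooks are never expected to see another selector, reverting there would surface a mis-wired manifest instead of silently allowing the call; if the skip is intended, the comment should say why it is safe, e.g. `// Hook also runs for <other functions>; those carry no session-key permissions to check.` The diffstat lists only the contract file, so a test that drives each hook with a non-matching selector would pin the behaviour. Both function bodies continue outside the hunks shown.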
@@ -365,6 +368,9 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 /// @dev Runs as a pre exec hook, and updates the spend limits of the session key in use
 function _updateLimitsPreExec(address account, bytes calldata callData) internal {
+ // if not calling executeWithSessionKey, nothing to do.
+ if (bytes4(callData) != ISessionKeyPlugin.executeWithSessionKey.selector) return;
+
 (Call[] memory calls, address sessionKey) = abi.decode(callData[4:], (Call[], address));
 uint256 callsLength = calls.length;
From 64dd047fc5d99ef7a3207fda18bc4d2363a2789f Mon Sep 17 00:00:00 2001
From: Fangting Liu
Date: Wed, 10 Jan 2024 12:52:47 -0800
Subject: [PATCH 2/2] remove extra var usage
---
 .../permissions/SessionKeyPermissionsPlugin.sol | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol b/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
index f61cf66f..b20474f7 100644
--- a/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
+++ b/src/plugins/session/permissions/SessionKeyPermissionsPlugin.sol
@@ -247,9 +247,9 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 // ┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
 /// @dev A pre user op validation hook that checks the permissions of the key used to validate the user op.
- function _checkUserOpPermissions(UserOperation calldata userOp) internal returns (uint256 validationRes) {
- // if not calling executeWithSessionKey, nothing to do.
- if (bytes4(userOp.callData) != ISessionKeyPlugin.executeWithSessionKey.selector) return validationRes;
+ function _checkUserOpPermissions(UserOperation calldata userOp) internal returns (uint256) {
+ // If not calling executeWithSessionKey, nothing to do. Return 0 as validation success.
+ if (bytes4(userOp.callData) != ISessionKeyPlugin.executeWithSessionKey.selector) return 0;
 // Decode the executions array and the session key from the user op's calldata
 (Call[] memory calls, address sessionKey) = abi.decode(userOp.callData[4:], (Call[], address));
@@ -330,7 +330,7 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 // otherwise a packed struct of the aggregator address (0 here), and two
 // 6-byte timestamps indicating the start and end times at which the op
 // is valid.
- validationRes = uint160(!validationSuccess ? 1 : 0) | (uint256(sessionKeyData.validUntil) << 160)
+ return uint160(!validationSuccess ? 1 : 0) | (uint256(sessionKeyData.validUntil) << 160)
 | (uint256(currentValidAfter) << (208));
 }
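Review bot: The new comment `Return 0 as validation success` understates what the value encodes. Going by the packing described in the comment above the function's final `return` (a failure flag / aggregator field plus two 6-byte timestamps), 0 also leaves validUntil and validAfter unset, so on this path the hook places no time window on the operation. Suggest `// Not executeWithSessionKey: no session-key permissions apply. Return 0 (success, no validUntil/validAfter bounds).` so a reader does not assume the key's time range is still enforced here. The function body continues outside the hunk.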
@@ -368,7 +368,7 @@ contract SessionKeyPermissionsPlugin is ISessionKeyPermissionsPlugin, SessionKey
 /// @dev Runs as a pre exec hook, and updates the spend limits of the session key in use
 function _updateLimitsPreExec(address account, bytes calldata callData) internal {
- // if not calling executeWithSessionKey, nothing to do.
+ // If not calling executeWithSessionKey, nothing to do.
 if (bytes4(callData) != ISessionKeyPlugin.executeWithSessionKey.selector) return;
 (Call[] memory calls, address sessionKey) = abi.decode(callData[4:], (Call[], address));