Validate Zoe inputs #4068

Closed
katelynsills opened this issue Nov 12, 2021 · 4 comments
Labels
audit-restival Purple Team review of RUN Protocol audit-zestival Vulnerability assessment of ERTP + Zoe Zoe Contract Contracts within Zoe Zoe package: Zoe

@katelynsills

What is the Problem Being Solved?

Zoe and contracts need a thorough analysis of whether user-provided inputs are being adequately validated.

Description of the Design

See https://github.com/Agoric/agoric-sdk/blob/master/packages/ERTP/docs/INPUT_VALIDATION.md for a walkthrough of the methodology needed. ERTP has already been done.

Security Considerations

Without this, there may be vulnerabilities in Zoe and Zoe contracts due to inadequate input validation.

Test Plan

Add additional tests with malicious or malformed inputs.

@katelynsills katelynsills added Zoe package: Zoe Zoe Contract Contracts within Zoe labels Nov 12, 2021
@erights erights added the audit-zestival Vulnerability assessment of ERTP + Zoe label Jan 10, 2022
@dtribble dtribble added the MN-1 label Jan 20, 2022
@Tartuffo Tartuffo added MN-1 and removed MN-1 labels Jan 20, 2022
@Tartuffo

Tartuffo commented Feb 4, 2022

@erights Please assign an estimate for this ticket.

@Tartuffo Tartuffo removed the MN-1 label Feb 7, 2022
@Tartuffo Tartuffo changed the title Analyze whether inputs in Zoe and contracts are being adequately validated Validate Zoe inputs Feb 9, 2022
@Tartuffo

Tartuffo commented Feb 9, 2022

This should be considered in Restival.
The time estimate is for the consideration by Restival, NOT to implement this fully in Zoe.

@Tartuffo

Tartuffo commented Apr 8, 2022

This still needs to be examined adversarially. Assigning to Jessy to make that happen.

@Tartuffo

This is outdated, replaced by #5955
