Backport release/v6.6: Require absolute path for evmone lib#3669
Conversation
When supplied via env var, require the path to be absolute to assure that the lib loaded is the same one we check the sha of. (cherry picked from commit f12a7e1)
PR SummaryLow Risk Overview This aligns operator overrides with the existing intent to load evmone via a fixed absolute path and SHA-256 check, reducing ambiguity about which directory is trusted. Tests cover rejection of relative overrides and successful resolution from an absolute temp directory. Reviewed by Cursor Bugbot for commit eb3fe0d. Bugbot is set up for automated code reviews on this repo. Configure here. |
|
The latest Buf updates on your PR. Results from workflow Buf / buf (pull_request).
|
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## release/v6.6 #3669 +/- ##
================================================
- Coverage 58.90% 58.02% -0.89%
================================================
Files 2225 2151 -74
Lines 183480 174935 -8545
================================================
- Hits 108086 101505 -6581
+ Misses 65691 64422 -1269
+ Partials 9703 9008 -695
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Straightforward backport of #3668 to release/v6.6.
Extended reasoning...
Overview
This PR backports #3668 to the release/v6.6 branch. The change adds a check in resolveLibPath() that rejects SEI_EVMONE_LIB_DIR values that are not absolute paths, plus two unit tests covering the rejected-relative and accepted-absolute cases.
Security risks
None introduced. The change tightens a security boundary by ensuring operator overrides for the evmone library directory must be absolute paths, preventing ambiguity in dynamic library resolution. The existing SHA-256 integrity verification still applies regardless.
Level of scrutiny
Low. This is a mechanical backport of an already-merged change to a release branch. The diff is identical in intent to the original PR, the surface area is tiny (3 added lines in production code), and the new tests directly exercise both branches of the new validation.
Other factors
The change matches the documented intent in the existing comment block on libDirEnv ("It must be an absolute path..."). Test coverage is adequate for the new behavior.
Backport of #3668 to
release/v6.6.