implementation for use of tsx instead of ts-node #4051
Conversation
@jamie-osec ping? |
I believe we're not merging any new non-fix PRs until 1.0 is cut |
Co-authored-by: Jamie Hill-Daniel <134328753+jamie-osec@users.noreply.github.com>
047edbc to c5bca08
3 issues found across 3 files
| Severity | Count |
|---|---|
| 🔴 High | 1 |
| 🟡 Medium | 1 |
| 🟢 Low | 1 |
Comments Outside Diff (3)
🔴 High: Unvalidated Metadata Account in Fee Distribution
Location: tests/auction-house/programs/auction-house/src/utils.rs:301-303
The pay_creator_fees function deserializes metadata from an AccountInfo without verifying that the account is the correct, authorized metadata account for the transaction. An attacker can provide a malicious metadata account with arbitrary creator addresses and shares. The function subsequently iterates through remaining_accounts and performs transfers based on these malicious creator addresses. This allows an attacker to divert creator fees to arbitrary accounts by providing a crafted metadata account and corresponding accounts in the remaining_accounts list.
🟡 Medium: Unbounded decompression of IDL data leading to potential DoS
Location: cli/src/fetch/legacy.rs:37-74
The decompress_sessions function in legacy.rs reconstructs and decompresses IDL data from on-chain transactions without enforcing size limits on the decompressed output. An attacker who can influence the on-chain IDL account data could trigger a memory exhaustion (DoS) condition in the Anchor CLI tool when a developer attempts to fetch or inspect the IDL. The absence of a size check before or during the decompression process allows for potential resource exhaustion.
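The fix the finding calls for is a hard cap on the decompressed size before the bytes are accumulated. The Rust below is an added example, not code from the Anchor CLI: it stands in for the decompressor with a generic `std::io::Read` (in the real CLI this would be the inflater wrapping the reconstructed on-chain bytes), uses a hypothetical `MAX_DECOMPRESSED_IDL_BYTES` limit, and feeds it a constructed "bomb" (`std::io::repeat`, an endless stream of zeros) to show that the bounded reader fails fast instead of exhausting memory.

```rust
use std::io::{self, Read};

/// Upper bound on the decompressed IDL the tool is willing to hold in memory.
/// Hypothetical value chosen for this example; pick one that fits the largest
/// IDL the CLI legitimately expects to fetch.
pub const MAX_DECOMPRESSED_IDL_BYTES: usize = 1024 * 1024;

/// Shape of the vulnerable pattern: read_to_end on an untrusted decompressor
/// grows the Vec until the stream ends, which a crafted input can make never
/// happen. Kept here only for contrast; do not call it on untrusted data.
pub fn read_unbounded<R: Read>(mut src: R) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    src.read_to_end(&mut out)?;
    Ok(out)
}

/// Bounded alternative: read at most `limit + 1` bytes. The extra byte lets us
/// detect "the stream is larger than the limit" without consuming the rest of
/// it, so memory use is capped at `limit + 1` regardless of what the
/// decompressor would produce.
pub fn read_bounded<R: Read>(src: R, limit: usize) -> io::Result<Vec<u8>> {
    let mut out = Vec::new();
    src.take(limit as u64 + 1).read_to_end(&mut out)?;
    if out.len() > limit {
        return Err(io::Error::new(
            io::ErrorKind::InvalidData,
            format!("decompressed IDL exceeds the {limit}-byte limit; refusing to continue"),
        ));
    }
    Ok(out)
}

fn main() {
    // Constructed sample: a small IDL-looking payload that is within the limit.
    let small = b"{\"version\":\"0.1.0\",\"name\":\"example\"}";
    match read_bounded(&small[..], MAX_DECOMPRESSED_IDL_BYTES) {
        Ok(bytes) => println!("accepted {} bytes", bytes.len()),
        Err(e) => println!("rejected: {e}"),
    }

    // Constructed "decompression bomb": an endless stream. The bounded reader
    // stops after limit + 1 bytes and reports an error.
    match read_bounded(io::repeat(0u8), 4096) {
        Ok(bytes) => println!("accepted {} bytes", bytes.len()),
        Err(e) => println!("rejected: {e}"),
    }
}
```

The `take(limit + 1)` idiom is preferable to checking the length after `read_to_end`, because the check has to happen before allocation grows, not after; with a streaming decompressor the only safe place to enforce the cap is on the read path itself.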
🟢 Low: Anchor safety check bypass via fully qualified paths
Location: lang/syn/src/parser/context.rs:261-269
The safety check for UncheckedAccount and AccountInfo in the Anchor framework's parser relies on segments.len() == 1 to identify these types. If a developer uses a fully qualified path (e.g., anchor_lang::prelude::UncheckedAccount), the path length will be greater than 1, causing the safety lint to ignore the field. This allows developers to bypass the mandatory /// CHECK: documentation requirement, potentially leading to insecure code in production programs.
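To make the bypass concrete, the Rust below is an added example, not Anchor's parser code: it models a field's type as a string instead of a `syn::Type`, reproduces the `segments.len() == 1` check the finding describes, and beside it a version that matches on the last path segment so `anchor_lang::prelude::UncheckedAccount` is treated the same as `UncheckedAccount`. It goes one step beyond the page by also looking inside generic arguments, so a wrapper such as `Box<AccountInfo<'info>>` is flagged as well. The `lint_field` helper and the type list are this example's own.

```rust
/// Types that, per the finding, Anchor requires a `/// CHECK:` doc comment on.
const UNCHECKED_TYPES: &[&str] = &["UncheckedAccount", "AccountInfo"];

/// Stand-in for walking a `syn::Type`: split the type string into the paths it
/// contains (the outer type plus every generic argument), each as its
/// `::`-separated segments. Lifetimes such as `'info` are dropped.
/// "Box<anchor_lang::prelude::UncheckedAccount<'info>>"
///   -> [["Box"], ["anchor_lang", "prelude", "UncheckedAccount"]]
pub fn type_paths(ty: &str) -> Vec<Vec<String>> {
    ty.split(|c: char| c == '<' || c == '>' || c == ',' || c.is_whitespace())
        .map(str::trim)
        .filter(|s| !s.is_empty() && !s.starts_with('\''))
        .map(|p| {
            p.trim_start_matches("::")
                .split("::")
                .map(String::from)
                .collect()
        })
        .collect()
}

/// The check as the finding describes it: the field's own type path must be a
/// single segment. A fully qualified path has more than one segment and is
/// silently skipped, which is the bypass.
pub fn needs_check_doc_buggy(ty: &str) -> bool {
    match type_paths(ty).first() {
        Some(segs) => segs.len() == 1 && UNCHECKED_TYPES.contains(&segs[0].as_str()),
        None => false,
    }
}

/// Hardened check: compare the final segment of every path in the type, so
/// `UncheckedAccount`, `anchor_lang::prelude::UncheckedAccount`,
/// `crate::UncheckedAccount` and `Box<AccountInfo<'info>>` are all flagged.
/// This errs toward false positives (a user type named `AccountInfo` in
/// another module would also need a CHECK comment), which is the safe side.
pub fn needs_check_doc_fixed(ty: &str) -> bool {
    type_paths(ty).iter().any(|segs| {
        segs.last()
            .map_or(false, |last| UNCHECKED_TYPES.contains(&last.as_str()))
    })
}

/// Lint one account field: `docs` are the field's doc-comment lines with the
/// leading `///` already stripped. Err if a CHECK comment is required but missing.
pub fn lint_field(name: &str, ty: &str, docs: &[&str]) -> Result<(), String> {
    let documented = docs.iter().any(|d| d.trim_start().starts_with("CHECK:"));
    if needs_check_doc_fixed(ty) && !documented {
        return Err(format!(
            "field `{name}` of type `{ty}` needs a `/// CHECK:` comment explaining why it is safe"
        ));
    }
    Ok(())
}

fn main() {
    // Constructed field declarations, as a developer might write them.
    let fields: &[(&str, &str, &[&str])] = &[
        ("plain", "UncheckedAccount<'info>", &[]),
        ("qualified", "anchor_lang::prelude::UncheckedAccount<'info>", &[]),
        ("boxed", "Box<AccountInfo<'info>>", &[]),
        ("documented", "AccountInfo<'info>", &["CHECK: address is verified against PDA seeds"]),
        ("typed", "Account<'info, Vault>", &[]),
    ];
    for (name, ty, docs) in fields {
        println!(
            "{name:10} buggy={:5} fixed={:5} lint={:?}",
            needs_check_doc_buggy(ty),
            needs_check_doc_fixed(ty),
            lint_field(name, ty, docs)
        );
    }
}
```

The practical check for a program author, independent of the framework version: grep the account structs for `AccountInfo` and `UncheckedAccount` by name, whatever path prefix they carry, and confirm each has a `/// CHECK:` line above it rather than relying on the build to fail.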
Closes #3785