fix(go): bullet-proof against nil dereferences + more fuzzers #244
Conversation
odeke-em
force-pushed
the
fix-various-panics+more-fuzzers
branch
3 times, most recently
from
fda1509
to
6579e2c
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #244 +/- ##
===========================================
- Coverage 65.61% 38.66% -26.95%
===========================================
Files 7 5 -2
Lines 3621 4298 +677
===========================================
- Hits 2376 1662 -714
- Misses 1245 2314 +1069
- Partials 0 322 +322
Flags with carried forward coverage won't be shown. Click here to find out more. ☔ View full report in Codecov by Sentry. |
odeke-em
changed the title
odeke-em
force-pushed
the
fix-various-panics+more-fuzzers
branch
from
6579e2c
to
5d2250a
Compare
|
Kindly cc-ing @crodriguezvega |
Thank you for opening the issues and this PR, @odeke-em. I will review this week. |
There was a problem hiding this comment.
Thanks a lot for bulletproofing the code, @odeke-em! I have left a bunch of comments for now; let me know what you think about them.
odeke-em
force-pushed
the
fix-various-panics+more-fuzzers
branch
3 times, most recently
from
e43e4a9
to
160fd1f
Compare
There was a problem hiding this comment.
Thank you, @odeke-em. I still find weird that we need to explicitly check if the pointer receiver is nil. When I remove the check and run make test no tests fail... Maybe I am not running the tests correctly?
Besides, if that case was reachable, then why not add a similar check to all other functions with a pointer receiver?
odeke-em
force-pushed
the
fix-various-panics+more-fuzzers
branch
from
160fd1f
to
1f01815
Compare
This change fixes a bunch of issues identified by Orijtech Inc's audit of ics23 which is a critical cosmos-sdk dependency and as per reports about the Dragonberry & Elderberry vulnerability reports, this package was put back on our radar to further audit and voila that uncovered some issues, some of which have beenfixed in this change. While here also added more fuzzers. To ensure that the fuzzers can run alright, added -short to any invocations of "go test". Fixes cosmos#241 Fixes cosmos#242 Fixes cosmos#243
odeke-em
force-pushed
the
fix-various-panics+more-fuzzers
branch
from
1f01815
to
ab5ea00
Compare
I mean the fuzzer flagged it but sure I did undo it. Kindly help me take another look @crodriguezvega and then merge if possible. Thank you! |
|
Just cc-ing the cosmos-sdk team to remind us to pull in the updated release once this code is merged in /cc @tac0turtle @julienrbrt @elias-orijtech |
|
@odeke-em sdk team doesnt maintain this repo. Carlos and the ibc team are best to do merges and approvals here |
|
Oh okay, gotcha and thank you @tac0turtle! |
This change fixes a bunch of issues identified by Orijtech Inc's audit
of ics23 which is a critical cosmos-sdk dependency and as per reports
about the Dragonberry & Elderberry vulnerability reports, this package
was put back on our radar to further audit and voila that uncovered
some issues, some of which have beenfixed in this change. While here
also added more fuzzers. To ensure that the fuzzers can run alright,
added -short to any invocations of "go test".
Fixes #241
Fixes #242
Fixes #243