-
Notifications
You must be signed in to change notification settings - Fork 982
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for enhanced analyses through code comments #1089
Conversation
- Parse /// ... on variable declaration - Disable reentrancy for variables marked as 'sec:non-reentrant' - Create a new detector looking for wrong access control ('sec:write-protection="some_func")
This pull request introduces 1 alert when merging dbb5121 into e3392dd - view on LGTM.com new alerts:
|
This pull request introduces 1 alert when merging 6a262a0 into dc0cec2 - view on LGTM.com new alerts:
|
This pull request introduces 1 alert when merging a033259 into 8344524 - view on LGTM.com new alerts:
|
I changed the comment to be in the form of |
This pull request introduces 1 alert when merging d286f51 into 61bcec4 - view on LGTM.com new alerts:
|
@montyly would it make sense to additionally support comments in the format (or similar to): /// @custom:security ignore-<detector_filter> Example: /// @dev `data` is uninitialized to save gas
/// @custom:security ignore-uninitialized-local
function sample() {
bytes memory data;
for (uint256 j = 0; j < attributes.length - 1; j++) {
if (!(attributes[j].length == 0)) {
data = abi.encodePacked(data, attributes[j]);
}
}
} |
@zarifpour yes, it's a good idea We actually support One caveat through, this is not possible with older versions of solidity |
This is a WIP that enables the support for code comments to enhance Slither's capacities.
For now, two types of comments are accepted:
security:non-reentrant
- variables marked with this comment will not trigger reentrancy warningssecurity:write-protection="func_signature"
- variables marked with this comment will require that any function that writes them have also an internal call tofunc_signature
(function or modifier)The long-term goal is to allow developers to provide simple information that can be used during a code review, and for tools.
For example on the following code
Here slither will:
withdraw
, as the variable is marked asnon-reentrant
set_not_protected
writes theexternal_contract
variable, while this variable should always be protected by a call toonlyOwner
(sec:write-protection="onlyOwner()"
)This is still a WIP, and ideas/feedback are welcome, so don't hesitate to share If you have ideas for other comments.