Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

add _disableInitializers() detection #1344

Merged
merged 4 commits into from
Aug 17, 2022
Merged

add _disableInitializers() detection #1344

merged 4 commits into from
Aug 17, 2022

Conversation

plotchy
Copy link
Contributor

@plotchy plotchy commented Aug 14, 2022

Enhance unprotected_upgradeable detector to remove _disableInitializers() false positive.

Related to #1236

@0xalpharush
Copy link
Contributor

0xalpharush commented Aug 14, 2022

Is there a reason you check all internal calls instead of just the contract's constructor?

EDIT: Oh nvm, this is only checking the constructor and not all functions already...

Would you mind adding test cases here and generating the output using python3 tests/test_detectors.py --generate?

@plotchy
Copy link
Contributor Author

plotchy commented Aug 14, 2022

I was looking at the function object and all_internal_calls with SolidityFunctions being filtered seemed to be the cleanest way to check against names of calls to inherited functions. I don't think there's a direct property to only check function calls within a function.

for f in functions:
for m in f.modifiers:
if m.name == "initializer":
return True
# filtering out SolidityFunction from the internal calls as we don't need to match against those names
internal_func_calls = [c for c in f.all_internal_calls() if not isinstance(c, SolidityFunction)]
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This loops over the list twice. I think it'd be better to remove the list comprehension and iterate once over f.all_internal_calls()

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good suggestion!

@0xalpharush
Copy link
Contributor

Can you run pylint and black? You can obtain the correct versions by running pip install ".[dev]". The commands are here https://github.com/crytic/slither/blob/master/CONTRIBUTING.md#linters

plotchy and others added 2 commits August 15, 2022 10:06
Co-authored-by: alpharush <0xalpharush@protonmail.com>
@plotchy
Copy link
Contributor Author

plotchy commented Aug 15, 2022

Installing ".[dev]" seemed to brick the crytic_compile setup I had, getting Invalid compilation on tests now. I'll run the suite again when I figure it out

@plotchy
Copy link
Contributor Author

plotchy commented Aug 15, 2022

Tests + coverage came out good 👍️

@montyly
Copy link
Member

montyly commented Aug 17, 2022

This is great, thanks @plotchy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Whitelist _disableInitializers to avoid reporting unprotected-upgradeable-contract
3 participants