Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Investigate: potential ways of preventing malicious contracts from being loaded #2115

Open
taoeffect opened this issue Jun 24, 2024 · 0 comments · May be fixed by #2494
Open

Investigate: potential ways of preventing malicious contracts from being loaded #2115

taoeffect opened this issue Jun 24, 2024 · 0 comments · May be fixed by #2494
Assignees
@taoeffect @corrideat
Labels
Kind:Core Anything that changes or affects the fundamental core data structures & design of the application. Note:Question Note:Research Note:Security Priority:High
Milestone
Final breaking ch...

Comments

@taoeffect
Copy link
Member

Problem

It is possible for someone to upload both contracts and contract manifests as files to the server, and then, for example, using either a malicious invite link (that references a groupid that uses these manifests), or possibly by registering their username with a modified identity contract, to get malicious contracts to load on the client.

Solution

Look into ways to restrict contract manifests from being uploaded by users, so that only the developers are apps are allowed to define contract manifests for their apps.
@taoeffect taoeffect added Note:Question Note:Security Priority:High Note:Research Kind:Core Anything that changes or affects the fundamental core data structures & design of the application. labels Jun 24, 2024
@corrideat corrideat mentioned this issue Jan 3, 2025
Open
@taoeffect taoeffect added this to the Final breaking changes milestone Jan 6, 2025
@corrideat corrideat linked a pull request Jan 10, 2025 that will close this issue
Changes to contract CIDs (requires updating the chel command) #2494
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@taoeffect taoeffect

@corrideat corrideat

Labels
Kind:Core Anything that changes or affects the fundamental core data structures & design of the application. Note:Question Note:Research Note:Security Priority:High
Projects
None yet
Milestone
Final breaking changes
Development

Successfully merging a pull request may close this issue.

Changes to contract CIDs (requires updating the chel command) okTurtles/group-income
2 participants
@taoeffect @corrideat