Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Update stellar-strkey to 0.0.18 #547
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
base: main
Are you sure you want to change the base?
Uh oh!
There was an error while loading. Please reload this page.
Update stellar-strkey to 0.0.18 #547
Changes from 5 commits
c7796c16f3e5cae69fdd3150246b5c69faa355ac1dFile filter
Filter by extension
Conversations
Uh oh!
There was an error while loading. Please reload this page.
Jump to
Uh oh!
There was an error while loading. Please reload this page.
There are no files selected for viewing
Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.
Uh oh!
There was an error while loading. Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's a subtle meaningful change here that I'd like to give a heads up and a chance for commentary before this is merged.
The
Display::fmtimplementation is called byToString::to_string.Display::fmtcan return an error, butToString::to_stringdoesn't and so panics iffmtreturns an error.Previously you could construct a
SignerKeyEd25519SignedPayloadwith a zero length payload all the way up to au32::MAXlength payload and it would render a string. It would panic in payloads longer thanu32::MAX. However, that string generated might be invalid, since a payload must be 1 to 64 bytes long in stellar-core, we implemented the rs-stellar-strkey parse impl to always require within those lengths. Attempts to then parse the key would error.The latest rs-stellar-strkey rectified the asymmetry in its own type for two reasons:
This has a side-effect that it's possible to construct a
SignerKeyEd25519SignedPayloadxdr type whoseDisplayimpl returns an error and itsToStringimpl panics. It was possible before if the payload wasu32::MAX+1+, but now it is possible with0and65+I think this change is inevitable unless we remove the limits from rs-stellar-strkey, and walked back the no-std no-alloc support for that type.
I don't think this can effect stellar-core, but there is some XDR, albeit invalid, that cannot be represented in string and json forms.
cc @graydon @dmkozh @mootz12
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't understand why do we need to panic in the Display impl. Can't we just return something like
<invalid>? While this may not necessarily affect env today, I can imagine code that logs the invalid payload if it fails some kind of validation - it would be weird for the logging logic to cause panic then.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It will create the same problem that the auditors had with the strkey library, that the type will not roundtrip which can also be a failure point similar to the failure point we are trying to address here. Maybe it's more appropriate to use the
Debugimpl in that case.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I could look at introducing a validation into the XDR type so that it cannot be constructed with a payload outside the range. We do that today with max lengths on XDR var arrays, but not min lengths.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why is that an issue, if the input is invalid? IMO it doesn't make sense to require every input to be able to roundtrip. Moreover, this is about XDR types, not strkey types. There is no requirement for XDR types to roundtrip through Display, is there? It's not a serialization format.
That's an option, but I'm still not sold on the roundtrip argument TBH.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When a
SignerKeyEd25519SignedPayloadis decoded or constructed with an emptypayload(the generated field isBytesM<64>, which has no non-empty invariant), this new call tostellar_strkey::ed25519::SignedPayload::newreturnsInvalidPayloadLength. Mapping that tofmt::ErrormakesDisplayfail, so callers using.to_string()panic and serdeSerializeDisplaycan no longer serialize a value that the XDR reader accepts. Either preserve the old encoding path for empty payloads or reject that value before it can be represented as this XDR type.Useful? React with 👍 / 👎.
Uh oh!
There was an error while loading. Please reload this page.