Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Validate construction and deserialization of validator::Set #1350

Merged
merged 13 commits into from
Sep 14, 2023
Merged

Validate construction and deserialization of validator::Set #1350

merged 13 commits into from
Sep 14, 2023

Conversation

mzabaluev
Copy link
Contributor

@mzabaluev mzabaluev commented Sep 11, 2023
edited
Loading

Closes #1348

Use the validating conversion from the protobuf struct ValidatorSet, which has the same schema including the now optionally deserialized total_voting_power field.
This is to ensure we don't blindly trust total_voting_power if it's
present in the serialization, and accept when it's absent.

Also ensure no integer overflows can occur while calculating the total voting power, and check the resulting power against
the protocol-defined sanity limit.

  • Referenced an issue explaining the need for the change
  • Updated all relevant documentation in docs
  • Updated all code comments where relevant
  • Wrote tests
  • Added entry in .changelog/

@mzabaluev
proto: deserialize total_voting_power in ValidatorSet
8373a81 
If the field is present, deserialize it into the struct field
rather than skipping it completely. This will allow validation
when deserializing validator::Set in tendermint.
@mzabaluev
tendermint: harden total_voting_power for Set
e233d8b 
Calculate the total voting power without overflows and validate
against the protocol-defined limit, provided as the
Set::MAX_TOTAL_VOTING_POWER const.

In the conversion from tendermint-proto struct VaidatorSet,
check the unmarshalled total_voting_power value to match the calculated
sum of the list's validators, unless it's the default 0.
@mzabaluev
tendermint: deserialize validator::Set via TryFrom
ac54fd4 
Use the validating conversion from the protobuf struct
ValidatorSet, which should have the same schema including
the optionally deserialized total_voting_power field.
This is to ensure we don't blindly trust total_voting_power if it's
present in the serialization, and accept when it's absent.
@mzabaluev
proto: ValidatorSet.total_voting_power is string
e0f63f7
@mzabaluev
tendermint: fix formatting of InvalidKey error
293c129 
The Display impl called itself in infinite recursion.
@mzabaluev
proto: restore custom PublicKey serializers
af72d37 
These are used in serialization for ValidatorSet and
LightClientAttackEvidence.
@codecov-commenter
Copy link

codecov-commenter commented Sep 11, 2023
edited
Loading

Codecov Report

Merging #1350 (fc5f777) into main (a73362d) will decrease coverage by 0.1%.
The diff coverage is 45.3%.

❗ Current head fc5f777 differs from pull request most recent head af72d37. Consider uploading reports for the commit af72d37 to get more accurate results

@@           Coverage Diff           @@
##            main   #1350     +/-   ##
=======================================
- Coverage   59.5%   59.5%   -0.1%     
=======================================
  Files        272     273      +1     
  Lines      26974   26986     +12     
=======================================
- Hits       16068   16060      -8     
- Misses     10906   10926     +20
Files Changed Coverage Δ
tendermint/src/error.rs 0.0% <0.0%> (ø)
proto/src/serializers/public_key.rs 17.9% <17.9%> (ø)
tendermint/src/validator.rs 81.0% <93.1%> (+8.4%) ⬆️

... and 11 files with indirect coverage changes

📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more

@mzabaluev
Unit tests for validator::Set deserialization
358611c 
Test for correct deserialization, the total voting power exceeding the
protocol-defined limit, the total voting power computation that would
overflow the u64 rejecting the value with the appropriate error,
and a mismatch of total_voting_power field value.
@mzabaluev
proto: serializers::from_str_allow_null
7de70f6
@mzabaluev
proto: allow Validator.proposer_priority be null
7ec26db 
Some light-client-js tests use fixtures where it was null.
The field used to be skipped in previous serialization.
@mzabaluev
proto: accept owned strings in from_str_allow_null
8757ff3 
The optimization broke deserialize with deserializers that cannot
always borrow.
@mzabaluev
Changelog entries for #1350
ab4ab79
@mzabaluev mzabaluev marked this pull request as ready for review September 12, 2023 20:10
@mzabaluev mzabaluev requested a review from romac September 12, 2023 20:10
@mzabaluev mzabaluev changed the title Validate construction and deserialization of validator::Set Validate construction and deserialization of validator::Set Sep 12, 2023
@mzabaluev
Do test integer overflow for total_voting_power
26eef09 
Python tricked me and the values were a bit low.
romac
romac approved these changes Sep 14, 2023
View reviewed changes
Copy link
Member

@romac romac left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great work, thanks! 🙏

@mzabaluev mzabaluev merged commit 1e23a31 into main Sep 14, 2023
@mzabaluev mzabaluev deleted the mikhail/validator-set-deserialization-fixes branch September 14, 2023 15:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@romac romac romac approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Serialization for validator::Set and related proto structs is inconsistent, lacks validation
3 participants
@mzabaluev @codecov-commenter @romac