Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs(world): add comments for prohibitDirectCallback modifier #2312

Merged
merged 6 commits into from
Feb 28, 2024
Merged

docs(world): add comments for prohibitDirectCallback modifier #2312

merged 6 commits into from
Feb 28, 2024

Conversation

yonadaa
Copy link
Contributor

@yonadaa yonadaa commented Feb 26, 2024
edited
Loading

Closes #2106 by explaining why we use the prohibitDirectCallback modifier.

The comment is a rewording of the PR description from the original PR that added it #1563

@yonadaa yonadaa requested review from alvrs and holic as code owners February 26, 2024 14:12
@changeset-bot changeset-bot
Copy link

changeset-bot bot commented Feb 26, 2024
edited
Loading

⚠️ No Changeset found

Latest commit: fa7e700

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@yonadaa yonadaa force-pushed the yonadaaa/explain-prohibit-direct-callback branch from 26d54da to ae5d2c3 Compare February 26, 2024 14:13
holic
holic reviewed Feb 27, 2024
View reviewed changes
packages/world/src/World.sol Outdated
@@ -51,6 +51,9 @@ contract World is StoreData, IWorldKernel {

/**
* @dev Prevents the World contract from calling itself.
* The world is not able to call itself; all operations to internal tables happen as internal library calls, and all calls to root system happen as a delegatecall to the system.
Copy link
Member

@holic holic Feb 27, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
* The world is not able to call itself; all operations to internal tables happen as internal library calls, and all calls to root system happen as a delegatecall to the system.
* The `World` is not able to call itself; all operations to internal tables happen as internal library calls, and all calls to root systems happen as a `delegatecall` to the system.

holic
holic reviewed Feb 27, 2024
View reviewed changes
packages/world/src/World.sol Outdated
@@ -51,6 +51,9 @@ contract World is StoreData, IWorldKernel {

/**
* @dev Prevents the World contract from calling itself.
* The world is not able to call itself; all operations to internal tables happen as internal library calls, and all calls to root system happen as a delegatecall to the system.
* However, since this is an important invariant, we make it explicit by reverting if `msg.sender` is `address(this)` in all `World` methods.
* If it was possible to make the `World` call itself, it would be possible to access internal tables that only the `World` should have access to.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this feels a bit incomplete, like we should either expand on how/why or just remove

If the World is able to call itself via delegatecall from a system, this would be a backdoor where that system would have "root" access to things like internal tables.

(maybe could workshop this exact sentence a bit more, but just providing a bit more context)

holic
holic reviewed Feb 28, 2024
View reviewed changes
docs/pages/world/reference/world.mdx
_Prevents the World contract from calling itself.
If the World is able to call itself via delegatecall from a system, the system would have root access to context like internal tables, causing a potential vulnerability.
Ideally this should not happen because all operations to internal tables happen as internal library calls, and all calls to root systems happen as a `delegatecall` to the system.
However, since this is an important invariant, we make it explicit by reverting if `msg.sender` is `address(this)` in all `World` methods._
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

:chefkiss:

holic
holic reviewed Feb 28, 2024
View reviewed changes
packages/world/src/World.sol Outdated Show resolved Hide resolved
@holic holic merged commit 462c9ec into main Feb 28, 2024
11 checks passed
@holic holic deleted the yonadaaa/explain-prohibit-direct-callback branch February 28, 2024 11:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@holic holic holic left review comments

@alvrs alvrs Awaiting requested review from alvrs alvrs is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

add comments for prohibitDirectCallback modifier and why it should be used
2 participants
@yonadaa @holic