security: automatic remappings can be dangerous #9146
Labels
Comments
QGarchery
added
T-bug
zerosnacks
changed the title
zerosnacks
added
P-normal
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Component
Forge
Have you ensured that all of these are up to date?
What version of Foundry are you on?
forge 0.2.0 (a8c3e9c 2024-10-19T00:21:12.472031180Z)
What command(s) is the bug in?
forge build
Operating System
Linux
Describe the bug
Forge infers remappings by taking into account remappings of sub-projects. When there are conflicting remappings, it seems like the longest / most specified has the priority. This can be dangerous, as adding sub-projects can now completely change the code that is executed, even if the remappings of the root project are not changed.
Reproduced in this test. Notice that removing the
lib/interesting-projectmakes the test pass again. Also notice howinteresting-projectcan be very deep in the sub-projects, so it can be difficult to detect that the executed bytecode has changed.Proposed solution: make remappings of the root project have priority over remappings of sub-projects.
The text was updated successfully, but these errors were encountered: