use_of_client_context_bech32.ql
/**
* @name Client context should have Bech32 settings
* @description In Cosmos SDK v0.52 the client package uses the client.Context to derive addresses. A Context constructed without the Bech32 address codec and prefix settings does not contain valid settings.
* @kind problem
* @problem.severity error
* @precision high
* @id go/no-context-bech32-settings
* @tags correctness
* modules
* cosmos-sdk
*/
import go
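/**
 * Gets the name of one of the `client.Context` builder methods that this query
 * expects to be applied to every `client.Context` composite literal.
 *
 * NOTE(review): all five names are treated as required, mirroring the
 * conjunction the sink definition was originally written with. Confirm
 * against the SDK version in use that each of them is still mandatory.
 */
string bech32SettingMethod() {
  result =
    [
      "WithAddressCodec", "WithValidatorAddressCodec", "WithConsensusAddressCodec",
      "WithAddressPrefix", "WithValidatorPrefix"
    ]
}

/**
 * Holds if `node` is a composite literal whose type is
 * `github.com/cosmos/cosmos-sdk/client.Context`.
 *
 * Contexts obtained in any other way (zero-value declarations, values
 * returned from helpers) are outside the scope of this query.
 */
predicate isClientContextLiteral(DataFlow::Node node) {
  node.getType().getPackage().getPath() = "github.com/cosmos/cosmos-sdk/client" and
  node.getType().getName() = "Context" and
  node.asExpr() instanceof CompositeLit
}

/**
 * Tracks `client.Context` composite literals to the receivers of the Bech32
 * builder methods listed by `bech32SettingMethod()`.
 */
class ContextTracking extends DataFlow::Configuration {
  ContextTracking() { this = "ContextTracking" }

  /** A source is a `client.Context` composite literal. */
  override predicate isSource(DataFlow::Node source) { isClientContextLiteral(source) }

  /**
   * A sink is the receiver of a call to one of the Bech32 builder methods.
   *
   * The sink must be tied to a concrete call. If `sink` is left unconstrained,
   * the predicate holds for every node as soon as the five method names occur
   * anywhere in the database, and the query then reports nothing at all.
   */
  override predicate isSink(DataFlow::Node sink) {
    exists(DataFlow::CallNode call |
      call.getTarget().(Method).getName() = bech32SettingMethod() and
      sink = call.getReceiver()
    )
  }

  /**
   * Propagates flow from the receiver of a method call on a `Context` to the
   * value the call returns, so that chains such as `ctx.WithA(..).WithB(..)`
   * are followed from one builder call to the next.
   *
   * The step is taken at the call site (receiver expression to call result),
   * not from the receiver parameter inside the method declaration. It
   * therefore does not depend on the SDK method bodies being part of the
   * analysed database.
   */
  override predicate isAdditionalFlowStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode call |
      call.getTarget().(Method).getReceiver().getType().getName() = "Context" and
      pred = call.getReceiver() and
      succ = call
    )
  }
}

// Report a Context literal when at least one of the required builder methods
// is never reached from it. The check is made per method name, so a Context
// that only receives some of the settings is still flagged.
//
// Limitation: data flow is not path-sensitive here. A setter that is applied
// on only one branch still counts as applied.
from DataFlow::Node source
where
  isClientContextLiteral(source) and
  exists(string missing |
    missing = bech32SettingMethod() and
    not exists(DataFlow::CallNode call |
      call.getTarget().(Method).getName() = missing and
      any(ContextTracking config).hasFlow(source, call.getReceiver())
    )
  )
select source,
  "Found a client.Context instance without a With{AddressCodec/ValidatorAddressCodec/ConsensusAddressCodec/AddressPrefix/ValidatorPrefix} call"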