Skip to content

docs: add notes on upgrading vulnerable code#71

Merged
mooori merged 2 commits into
masterfrom
doc-upgradable
Jan 24, 2023
Merged

docs: add notes on upgrading vulnerable code#71
mooori merged 2 commits into
masterfrom
doc-upgradable

Conversation

@mooori
Copy link
Copy Markdown
Contributor

@mooori mooori commented Jan 24, 2023

  • Describes how contracts with vulnerable code might mitigate risks when using Upgradable.
  • Does some language reworks of preceding sections (doing that in a separate PR might be too much overhead).

@mooori mooori marked this pull request as ready for review January 24, 2023 09:16
@mooori mooori requested a review from birchmd January 24, 2023 09:16
birchmd
birchmd approved these changes Jan 24, 2023
View reviewed changes
Comment thread near-plugins/src/upgradable.rs
Comment on lines +23 to +24
//! After the code is deployed, it should be removed from staging. This will prevent old code with a
//! security vulnerability to be deployed.
Copy link
Copy Markdown

@birchmd birchmd Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a method to remove the staged code? If this is something that should happen every time should we make the upgrade implementation remove it automatically?

Copy link
Copy Markdown
Contributor Author

@mooori mooori Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m merging now with that paragraph as is, since it’ll be rewritten soon in upcoming PRs (see below).

Staged code can be removed by passing an empty vector to up_stage_code (ref). It’s currently not mentioned in docs and unidiomatic, I think. For that behavior it is expected to be wrapped in an Option? In that case I can open an issue to change the signature of up_stage_code to take code: Option<Vec<u8>>. Also it would be consistent with up_staged_code returning None if there’s no code staged.

Staged code should be removed automatically after deployment, it was also pointed out here. I’ll make a PR for that change soon.

Copy link
Copy Markdown

@birchmd birchmd Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Passing in an Option to allow manual unstaging sounds good to me. And it's good we'll be adding the automatic unstaging after deploy as well.

Copy link
Copy Markdown
Contributor Author

@mooori mooori Jan 24, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now there's #73 to track this.

@mooori mooori merged commit 1cf0aa6 into master Jan 24, 2023
@mooori mooori deleted the doc-upgradable branch January 24, 2023 15:01
@mooori mooori mentioned this pull request Jan 24, 2023
Open
birchmd pushed a commit that referenced this pull request Feb 20, 2023
@mooori @birchmd
docs: add notes on upgrading vulnerable code (#71)
099a881 
* Minor language updates of existing docs

* Add note on upgrading vulnerable code
This was referenced Mar 27, 2026
Closed
Closed
This was referenced Apr 7, 2026
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@birchmd birchmd birchmd approved these changes

+1 more reviewer

@mrLSD mrLSD mrLSD approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@mooori @mrLSD @birchmd