Skip to content

[XCM] Investigate better support for filtering XCM programs with Barrier #7148

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bkontur opened this issue Jan 14, 2025 · 2 comments · Fixed by #7200 or #7169 · May be fixed by #6838
Closed

[XCM] Investigate better support for filtering XCM programs with Barrier #7148

bkontur opened this issue Jan 14, 2025 · 2 comments · Fixed by #7200 or #7169 · May be fixed by #6838
Assignees
@raymondkfcheung
Labels
C1-mentor A task where a mentor is available. Please indicate in the issue who the mentor could be. T6-XCM This PR/Issue is related to XCM.

Comments

@bkontur
Copy link
Contributor

bkontur commented Jan 14, 2025
edited by raymondkfcheung
Loading

Description

Imagine we have a barrier like the one below. For example, we want to add new rules:

  1. Discard/deny any XCM program that contains LockAsset (no real scenario, just for testing purposes to showcase XCM filtering).
  2. Discard/deny any XCM program that contains ExportMessage from a particular origin xyz.

Actually, we can use DenyThenTry e.g.:

pub type Barrier = TrailingSetTopicAsId<
	DenyThenTry<
                // `Deny` filter tuple
                (
			DenyLockAsset,
			DenyExportMessage,
                ),
                //  then `Allow` filter tuple
		(
			TakeWeightCredit,
			AllowKnownQueryResponses<PolkadotXcm>,
			WithComputedOrigin<
				(
					AllowTopLevelPaidExecutionFrom<Everything>,
					AllowExplicitUnpaidExecutionFrom<(
						ParentOrParentsPlurality,
						Equals<RelayTreasuryLocation>,
						Equals<SiblingPeople>,
					)>,
					AllowSubscriptionsFrom<ParentRelayOrSiblingParachains>,
					AllowHrmpNotificationsFromRelayChain,
				),
				UniversalLocation,
				ConstU32<8>,
			>,
		),
	>,
>;

But this DenyAndTry has some problems mentioned below.

Problem 1 - ShouldExecute tuple implementation and Deny filter tuple

The tuple implementation for ShouldExecute returns Ok(()) immediately when one of the tuple items passes Tuple::should_execute().

Relates to comment.

This is problematic for the Deny filter because Deny requires all items in the tuple to be checked. For example, if DenyCase1 is okay (meaning it does not deny execution), the tuple will return Ok(()) [here](https://github.com/paritytech/polkadot-sdk/blob/master/polkadot/xcm/xcm-executor/src/traits/should_execute.rs#L63-L74). However, DenyCase2 and DenyCase3 will be skipped, which is not the desired behavior.

DenyThenTry<
    (
        DenyCase1,     
        DenyCase2,     
        DenyCase3,     
    ),
    (
        AllowCase1,     
        AllowCase2,     
        AllowCase3,     
    )
>

Solution

#7169

Problem 2 - Barrier vs nested XCM validation

Instructions like SetErrorHandler(xcm), SetAppendix(xcm), and ExecuteWithOrigin { xcm, .. } are meant to be executed on the local chain, but their inner xcm is not actually checked against the Barrier.

We do not have specific barriers for these instructions, which means they could potentially bypass the Barrier.

DenyReserveTransferToRelayChain is just one example (below). We may encounter different cases in the future. For instance, Snowbridge already has a specific case: #6838.

Example:

For example, all our system parachain barriers are structured like this barrier below.

Ok, we can deny the instruction TransferReserveAsset { dest: Location { parents: 1, interior: Here }, .. } using DenyReserveTransferToRelayChain on the incoming XCM for system parachains. However, nothing prevents us from wrapping TransferReserveAsset { dest: Location { parents: 1, interior: Here }, .. } with SetAppendix or ExecuteWithOrigin or SetErrorHandler.

pub type Barrier = TrailingSetTopicAsId<
	DenyThenTry<
		DenyReserveTransferToRelayChain,
		(
			TakeWeightCredit,
			AllowKnownQueryResponses<PolkadotXcm>,
			WithComputedOrigin<
				(
					AllowTopLevelPaidExecutionFrom<Everything>,
					AllowExplicitUnpaidExecutionFrom<(
						ParentOrParentsPlurality,
						Equals<RelayTreasuryLocation>,
						Equals<bridging::SiblingBridgeHub>,
					)>,
					AllowSubscriptionsFrom<ParentRelayOrSiblingParachains>,
					AllowHrmpNotificationsFromRelayChain,
				),
				UniversalLocation,
				ConstU32<8>,
			>,
		),
	>,
>;

Possible solution - be explicit

Adding new DenyInstructionsWithXcmFor barrier which checks nested XCM for SetErrorHandler(xcm), SetAppendix(xcm), and ExecuteWithOrigin { xcm, .. } instruction.

pub type Barrier = TrailingSetTopicAsId<
	DenyThenTry<
                (
                               // Deny for top level XCM program 
                               DenyReserveTransferToRelayChain,
                               // Dedicated barrier for nested XCM programs
                               DenyInstructionsWithXcmFor<
                                                // Repeat all Deny filters here 
                                                DenyReserveTransferToRelayChain,
                                >
                ),
		(
		                ...
				TakeWeightCredit
		                ...
		)

See PoC for DenyInstructionsWithXcmFor

This will also require #7169 to be fixed/merged.

Solution

#7200

Related another potential problem in xcm-executor

I think another potential problem could be in the xcm-executor, where we recursively trigger self.process(..).

  1. We use Barrier only once during XcmExecutor::execute(message) here.
  2. If it passes, we trigger let result = vm.process(message); here.
  3. Once processed (either Ok or Err), we take the XCM from SetAppendix or SetErrorHandler and again trigger let result = vm.process(message);.
  4. A similar use case exists for ExecuteWithOrigin, where we again trigger self.process(message).

An easy solution seems to be to trigger Config::Barrier::should_execute(nested_xcm) inside or before self.process(message) or vm.process(message). However, this won't work because, as seen in the example Barrier above, it would require every nested XCM to contain UnpaidExecution or BuyExecution/PayFees.

Therefore, we may need another Barrier/Filter specifically for nested XCM in the XcmExecutor, or we need to adjust the existing Barrier logic.

Scenario Test

#7200 should fix this potential issue, please check the scenario test.
@bkontur bkontur added the T6-XCM This PR/Issue is related to XCM. label Jan 14, 2025
@bkontur bkontur moved this to Todo in Bridges + XCM Jan 14, 2025
@bkontur bkontur mentioned this issue Jan 14, 2025
Draft
3 tasks
@bkontur bkontur added the C1-mentor A task where a mentor is available. Please indicate in the issue who the mentor could be. label Jan 14, 2025
@yrong yrong mentioned this issue Jan 15, 2025
Merged
2 tasks
@yrong
Copy link
Contributor

yrong commented Jan 15, 2025

#7169 for the fix

@bkontur
Copy link
Contributor Author

bkontur commented Jan 15, 2025

I found a very old similar issue: #837

@bkontur bkontur marked this as a duplicate of #837 Jan 15, 2025
This was referenced Jan 15, 2025
Closed
Merged
This was linked to pull requests Jan 21, 2025
[Snowbridge]: Ensure source always from AH for exported message #6838
Draft
XCM: Deny barrier checks for nested XCMs with specific instructions to be executed on the local chain #7200
Merged
xcm: fix for DenyThenTry Barrier #7169
Merged
@raymondkfcheung raymondkfcheung mentioned this issue Jan 27, 2025
Merged
2 tasks
github-merge-queue bot pushed a commit that referenced this issue Jan 27, 2025
@yrong @bkontur
@franciscoaguirre @claravanstaden @acatangiu
xcm: fix for DenyThenTry Barrier (#7169)
b30aa31 
Resolves (partially):
#7148 (see _Problem 1 -
`ShouldExecute` tuple implementation and `Deny` filter tuple_)

This PR changes the behavior of `DenyThenTry` from the pattern
`DenyIfAllMatch` to `DenyIfAnyMatch` for the tuple.

I would expect the latter is the right behavior so make the fix in
place, but we can also add a dedicated Impl with the legacy one
untouched.

## TODO
- [x] add unit-test for `DenyReserveTransferToRelayChain`
- [x] add test and investigate/check `DenyThenTry` as discussed
[here](#6838 (comment))
and update documentation if needed

---------

Co-authored-by: Branislav Kontur <[email protected]>
Co-authored-by: Francisco Aguirre <[email protected]>
Co-authored-by: command-bot <>
Co-authored-by: Clara van Staden <[email protected]>
Co-authored-by: Adrian Catangiu <[email protected]>
@github-project-automation github-project-automation bot moved this from Todo to Done in Bridges + XCM Jan 27, 2025
@bkontur bkontur reopened this Jan 28, 2025
raymondkfcheung added a commit that referenced this issue Jan 31, 2025
@raymondkfcheung @yrong
@bkontur @franciscoaguirre @claravanstaden @acatangiu @github-actions
poc(XCM): Deny Nested XCM Barriers (#7351)
df64f5f 
Resolves (partially): #7148
Depends on: #7169, #7200

# Description

For context and additional information, please refer to #7148 and #7200.

# TODOs

* [x] Rebase #7169 and #7200
* [x] Evaluate PoC described on #7200 

| POC | Top-Level Denial | Nested Denial | Try `Allow` | Remark |

|--------------------------------|--------------------|--------------------|--------------------|----------------------------------------------------------------------------------|
| `DenyThenTry` | ✅ | ❌ | ✅ | Blocks
top-level instructions only. |
| `RecursiveDenyThenTry` | ✅ | ✅ |
✅ | Blocks both top-level and nested instructions. |
| `DenyInstructionsWithXcm` | ❌ | ✅ | ❌ | Focuses
on nested instructions, requires additional checks for top-level denial.
|
| `DenyFirstInstructionsWithXcm` | ✅ |
✅ | ❌ | Prioritises top-level denial before recursive
checks. |

---------

Co-authored-by: ron <[email protected]>
Co-authored-by: Branislav Kontur <[email protected]>
Co-authored-by: Francisco Aguirre <[email protected]>
Co-authored-by: command-bot <>
Co-authored-by: Clara van Staden <[email protected]>
Co-authored-by: Adrian Catangiu <[email protected]>
Co-authored-by: cmd[bot] <41898282+github-actions[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this issue Feb 19, 2025
@bkontur @raymondkfcheung
@github-actions @yrong @franciscoaguirre @claravanstaden @acatangiu
XCM: Deny barrier checks for nested XCMs with specific instructions t…
bd7cf11 
…o be executed on the local chain (#7200)

Resolves (partially):
#7148
Depends on: #7169

# Description

This PR addresses partially #7148 (Problem 2) and ensures the proper
checking of nested local instructions. It introduces a new barrier -
`DenyRecursively` - to provide more refined control over instruction
denial. The main change is the replacement of `DenyThenTry<Deny, Allow>`
with `DenyThenTry<DenyRecursively<Deny>, Allow>` which handles both
top-level and nested local instructions by applying allow condition
after denial.

For context and additional information, please refer to [_Problem 2 -
Barrier vs nested XCM
validation_](#7148).

# TODO
- [x] Evaluate PoC, more details at #7351:
    - **DenyNestedXcmInstructions**: Keep it as it is and be explicit:
        1. Name the Deny barriers for the top level.
2. Name the Deny barrier for nested with `DenyInstructionsWithXcm`.
- **DenyThenTry<DenyInstructionsWithXcm<Deny>, Allow>**: Alternatively,
hard-code those three instructions in `DenyThenTry`, so we wouldn’t need
`DenyInstructionsWithXcm`. However, this approach wouldn’t be as
general.
- **DenyInstructionsWithXcmFor**: Another possibility is to check
`DenyInstructionsWithXcm::Inner` for the actual `message`, so we don’t
need duplication for top-level and nested (not sure, maybe be explicit
is good thing) - see _Problem2 - example_. Instead of this:
   ```
  DenyThenTry<
                (
                               // Deny for top level XCM program 
                               DenyReserveTransferToRelayChain,
// Dedicated barrier for nested XCM programs
                               DenyInstructionsWithXcmFor<
// Repeat all Deny filters here
DenyReserveTransferToRelayChain,
                                >
                ),
   ```
  we could just use:
   ```
  DenyThenTry<
                (
                               // Dedicated barrier for XCM programs
                               DenyInstructionsWithXcmFor<
// Add all `Deny` filters here
DenyReserveTransferToRelayChain,
                                                ...
                                >
                ),
   ```
- [POC
Evaluation](#7200 (comment))
- [x] Consider better name `DenyInstructionsWithXcm` =>
`DenyRecursively`, more details at
[here](#7200 (comment))
- [x] Clean-up and docs
- [x] Merge #7169 or
rebase this branch on the top of `yrong:fix-for-deny-then-try`
- [x] Set for the runtimes where we use `DenyThenTry<Deny, Allow>` =>
`DenyThenTry<DenyRecursively<Deny>, Allow>`
- [ ] Schedule sec.audit

---------

Co-authored-by: Raymond Cheung <[email protected]>
Co-authored-by: cmd[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: ron <[email protected]>
Co-authored-by: Francisco Aguirre <[email protected]>
Co-authored-by: Clara van Staden <[email protected]>
Co-authored-by: Adrian Catangiu <[email protected]>
github-actions bot pushed a commit that referenced this issue Mar 3, 2025
@bkontur @github-actions
XCM: Deny barrier checks for nested XCMs with specific instructions t…
79233b3 
…o be executed on the local chain (#7200)

Resolves (partially):
#7148
Depends on: #7169

# Description

This PR addresses partially #7148 (Problem 2) and ensures the proper
checking of nested local instructions. It introduces a new barrier -
`DenyRecursively` - to provide more refined control over instruction
denial. The main change is the replacement of `DenyThenTry<Deny, Allow>`
with `DenyThenTry<DenyRecursively<Deny>, Allow>` which handles both
top-level and nested local instructions by applying allow condition
after denial.

For context and additional information, please refer to [_Problem 2 -
Barrier vs nested XCM
validation_](#7148).

# TODO
- [x] Evaluate PoC, more details at #7351:
    - **DenyNestedXcmInstructions**: Keep it as it is and be explicit:
        1. Name the Deny barriers for the top level.
2. Name the Deny barrier for nested with `DenyInstructionsWithXcm`.
- **DenyThenTry<DenyInstructionsWithXcm<Deny>, Allow>**: Alternatively,
hard-code those three instructions in `DenyThenTry`, so we wouldn’t need
`DenyInstructionsWithXcm`. However, this approach wouldn’t be as
general.
- **DenyInstructionsWithXcmFor**: Another possibility is to check
`DenyInstructionsWithXcm::Inner` for the actual `message`, so we don’t
need duplication for top-level and nested (not sure, maybe be explicit
is good thing) - see _Problem2 - example_. Instead of this:
   ```
  DenyThenTry<
                (
                               // Deny for top level XCM program
                               DenyReserveTransferToRelayChain,
// Dedicated barrier for nested XCM programs
                               DenyInstructionsWithXcmFor<
// Repeat all Deny filters here
DenyReserveTransferToRelayChain,
                                >
                ),
   ```
  we could just use:
   ```
  DenyThenTry<
                (
                               // Dedicated barrier for XCM programs
                               DenyInstructionsWithXcmFor<
// Add all `Deny` filters here
DenyReserveTransferToRelayChain,
                                                ...
                                >
                ),
   ```
- [POC
Evaluation](#7200 (comment))
- [x] Consider better name `DenyInstructionsWithXcm` =>
`DenyRecursively`, more details at
[here](#7200 (comment))
- [x] Clean-up and docs
- [x] Merge #7169 or
rebase this branch on the top of `yrong:fix-for-deny-then-try`
- [x] Set for the runtimes where we use `DenyThenTry<Deny, Allow>` =>
`DenyThenTry<DenyRecursively<Deny>, Allow>`
- [ ] Schedule sec.audit

---------

Co-authored-by: Raymond Cheung <[email protected]>
Co-authored-by: cmd[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: ron <[email protected]>
Co-authored-by: Francisco Aguirre <[email protected]>
Co-authored-by: Clara van Staden <[email protected]>
Co-authored-by: Adrian Catangiu <[email protected]>
(cherry picked from commit bd7cf11)
@bkontur bkontur moved this to Done in @bkontur's board Mar 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@raymondkfcheung raymondkfcheung

Labels
C1-mentor A task where a mentor is available. Please indicate in the issue who the mentor could be. T6-XCM This PR/Issue is related to XCM.
Projects
@bkontur's board
Status: Done
Bridges + XCM
Status: Done
Milestone
No milestone
3 participants
@yrong @bkontur @raymondkfcheung