Skip to content

Latest commit

 

History

History

set-contract-storage

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 

Set Contract Storage

What it does

Checks for calls to env::set_contract_storage.

Why is this bad?

Functions using keys as variables without proper access control or input sanitation can allow users to perform changes in arbitrary memory locations.

Known problems

Only check the function call, so false positives could result.

Example

fn set_contract_storage(
    &mut self,
    user_input_key: [u8; 68],
    user_input_data: u128,
) -> Result<()> {
    env::set_contract_storage(&user_input_key, &user_input_data);
    Ok(())
}

Use instead:

fn set_contract_storage(
    &mut self,
    user_input_key: [u8; 68],
    user_input_data: u128,
) -> Result<()> {
    if self.env().caller() == self.owner {
        env::set_contract_storage(&user_input_key, &user_input_data);
        Ok(())
    } else {
        Err(Error::UserNotOwner)
    }
}