Problem: staked token is not undelegated from blacklisted account #156

Draft
mmsqe wants to merge 1 commit into develop from undelegate

Conversation

@mmsqe mmsqe commented Feb 12, 2026


coderabbitai Bot commented Feb 12, 2026


Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


@mmsqe mmsqe changed the base branch from release/v7 to develop March 23, 2026 02:57
@wiz-7b300e8b42


Wiz Scan Summary

Scanner                      Findings
Vulnerability Finding        Vulnerabilities               -
Data Finding                 Sensitive Data                -
Secret Finding               Secrets                       -
IaC Misconfiguration         IaC Misconfigurations         -
SAST Finding                 SAST Findings                 1 Medium
Software Management Finding  Software Management Findings  -
Total                                                      1 Medium


async def test_cosmovisor_upgrade(custom_mantra: Mantra):
await exec(custom_mantra)
async def test_cosmovisor_upgrade(custom_mantra: Mantra, tmp_path):
await exec(custom_mantra, tmp_path)
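Review bot: the callee in await exec(custom_mantra, tmp_path) cannot be the builtin exec that the rule below describes; the builtin returns None, which is not awaitable, so this has to be a locally defined coroutine that shadows the name, and the scanner matched on the name alone. Renaming that helper (for example run_upgrade) would make the test self-explanatory and stop this rule firing on every call site; if the name is kept, record the exception with #wiz_ignore and that reason rather than leaving an open Medium on each push.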


Medium SAST Finding

Unsafe Usage of Python exec() Function (CWE-78)

The exec function in Python allows executing arbitrary code from a string or code object. This presents a severe security risk because an attacker could potentially inject malicious code into the application if the input string is derived from untrusted sources like user input or external data.

Executing arbitrary code can lead to various consequences, such as data theft, system compromise, or even complete takeover of the application. An attacker could leverage this vulnerability to escalate privileges, access sensitive information, or perform other malicious actions on the system.

To mitigate this risk, it is crucial to avoid using the exec function with untrusted input. Instead, consider alternative methods that do not involve executing arbitrary code, such as using safe data parsing techniques or implementing strict input validation and sanitization.

Impact: Medium
Likelihood: Medium

Remediation

To remediate this issue, remove all calls to exec and consider alternative methods for executing the necessary business logic. There is almost no safe method of calling exec with user-supplied input.

If the application only needs to convert strings into objects, consider using json.loads. In some cases, ast.literal_eval is recommended, but this should be avoided as it can still suffer from other issues such as the ability for malicious code to crash the Python interpreter or application.

Example using json.loads to load arbitrary data to create data structures:

import json

# User supplied data as a blob of JSON
user_supplied_data = """{"user": "test", "metadata": [1,2,3]}"""
# Load the JSON (raises json.JSONDecodeError on anything that is not JSON)
user_object = json.loads(user_supplied_data)
# Manually add protected properties _after_ loading, never before
user_object["is_admin"] = False
# Work with the object

Rule ID: WS-I011-PYTHON-00030


To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason.

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file or create an Ignore Rule.

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate.
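Since the flagged snippet awaits exec, the practical questions for this finding are whether that name resolves to the builtin at all and what the rule is actually warning about. The block below is an added example, not code from this PR, from the mantra test suite or from Wiz: it defines a hypothetical coroutine named exec in the shape of the flagged call, checks it against builtins.exec, and puts the genuinely unsafe pattern (builtin exec on attacker-controlled text) next to the json.loads remediation using two constructed inputs. The helper names, the /tmp/upgrade path and both payloads are assumptions made for the example.

```python
# Added example (not from the PR or the Wiz finding): triage a name-based
# exec SAST hit, and show the real exec risk beside the json.loads fix.
# All names below are hypothetical.
import asyncio
import builtins
import inspect
import json
import sys


async def exec(node, tmp_path=None):
    """Hypothetical stand-in for the test helper in the flagged snippet:
    a coroutine that happens to be named exec and shadows the builtin."""
    await asyncio.sleep(0)  # yield to the event loop like a real upgrade step
    return {"node": node, "tmp_path": tmp_path}


def flagged_name_resolves_to_builtin() -> bool:
    """Triage check: does exec in this module resolve to builtins.exec?"""
    return exec is builtins.exec


def flagged_name_is_coroutine() -> bool:
    return inspect.iscoroutinefunction(exec)


def flagged_call_result() -> dict:
    """The shape the scanner matched, await exec(...). The builtin returns
    None, which is not awaitable, so a working await proves a local callee."""
    return asyncio.run(exec("custom_mantra", "/tmp/upgrade"))


# --- the risk the rule describes: builtins.exec on untrusted text ---

def load_profile_unsafe(untrusted: str) -> dict:
    """Vulnerable: attacker text becomes Python. An empty globals dict does
    not help; CPython inserts __builtins__, so __import__ stays reachable."""
    ns: dict = {}
    builtins.exec("profile = " + untrusted, {}, ns)
    return ns["profile"]


def load_profile_safe(untrusted: str) -> dict:
    """Hardened: parse as data only, then set protected fields afterwards
    so the caller cannot smuggle them in."""
    profile = json.loads(untrusted)
    if not isinstance(profile, dict):
        raise ValueError("profile must be a JSON object")
    profile["is_admin"] = False  # protected property set after loading
    return profile


def safe_rejects(untrusted: str) -> bool:
    """True when json.loads refuses the input instead of evaluating it."""
    try:
        load_profile_safe(untrusted)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return True
    return False


def marker_planted() -> bool:
    """Side-effect probe for the exec path (see the constructed payload)."""
    return "pwned_marker" in sys.modules


# Constructed inputs (not from the page). The first is valid JSON that is
# also a valid Python literal and tries to set a protected field. The
# second is a Python expression with a side effect and is not JSON at all.
PAYLOAD_JSON = '{"user": "test", "is_admin": 1}'
PAYLOAD_CODE = (
    '__import__("sys").modules.setdefault("pwned_marker", {"user": "attacker"})'
)

if __name__ == "__main__":
    print("shadowed exec is builtin:", flagged_name_resolves_to_builtin())
    print("exec path:", load_profile_unsafe(PAYLOAD_JSON),
          load_profile_unsafe(PAYLOAD_CODE), "marker:", marker_planted())
    print("json path:", load_profile_safe(PAYLOAD_JSON),
          "rejects code:", safe_rejects(PAYLOAD_CODE))
```

The two triage functions are the check to run before arguing with the scanner: a name that is a coroutine and is not builtins.exec is a shadowing false positive, while the two load_profile functions show what the rule is right about when the builtin really is called on external text.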

@mmsqe mmsqe force-pushed the develop branch 3 times, most recently from 42534ad to ea5a393 Compare April 23, 2026 06:58
@mmsqe mmsqe force-pushed the develop branch 3 times, most recently from 18ed15b to 32b1832 Compare May 5, 2026 03:50
@mmsqe mmsqe force-pushed the develop branch 3 times, most recently from 1339069 to c2c003f Compare May 13, 2026 01:23