Problem: staked token is not undelegated from blacklisted account #156
mmsqe wants to merge 1 commit into
CodeRabbit: Review skipped. Draft detected.
Wiz Scan Summary
| async def test_cosmovisor_upgrade(custom_mantra: Mantra): | ||
| await exec(custom_mantra) | ||
| async def test_cosmovisor_upgrade(custom_mantra: Mantra, tmp_path): | ||
| await exec(custom_mantra, tmp_path) |
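Review bot: The helper being awaited here is named `exec`, which shadows the Python builtin of the same name; since the builtin `exec` returns `None` and cannot be awaited, `await exec(custom_mantra, tmp_path)` must be calling a module-local coroutine, and that naming is exactly what makes the static scanner report a CWE-78 "unsafe exec()" finding against this line. Consider renaming the helper to something descriptive such as `run_cosmovisor_upgrade` so the intent is obvious to readers and the false positive disappears. The hunk only changes the test signature and the call site, so the helper's handling of the new `tmp_path` argument (pytest's per-test temporary directory fixture) cannot be reviewed from this diff alone.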
Unsafe Usage of Python exec() Function (CWE-78)
The exec function in Python allows executing arbitrary code from a string or code object. This presents a severe security risk because an attacker could potentially inject malicious code into the application if the input string is derived from untrusted sources like user input or external data.
Executing arbitrary code can lead to various consequences, such as data theft, system compromise, or even complete takeover of the application. An attacker could leverage this vulnerability to escalate privileges, access sensitive information, or perform other malicious actions on the system.
To mitigate this risk, it is crucial to avoid using the exec function with untrusted input. Instead, consider alternative methods that do not involve executing arbitrary code, such as using safe data parsing techniques or implementing strict input validation and sanitization.
| Attribute | Value |
|---|---|
| Impact | |
| Likelihood | |
Remediation
To remediate this issue, remove all calls to exec and consider alternative methods for executing the necessary business logic. There is almost no safe method of calling exec with user-supplied input.
If the application only needs to convert strings into objects, consider using json.loads. In some cases, ast.literal_eval is recommended, but this should be avoided as it can still suffer from other issues such as the ability for malicious code to crash the Python interpreter or application.
Example using json.loads to load arbitrary data to create data structures:

```python
import json

# User supplied data as a blob of JSON
user_supplied_data = """{"user": "test", "metadata": [1,2,3]}"""
# Load the JSON (parses data only; never evaluates it as code)
user_object = json.loads(user_supplied_data)
# Manually add protected properties _after_ loading, never before,
# so a caller cannot smuggle them in through the JSON blob
user_object["is_admin"] = False
# Work with the object
```

Rule ID: WS-I011-PYTHON-00030
42534ad to ea5a393
18ed15b to 32b1832
1339069 to c2c003f
test for MANTRA-Chain/mantrachain#556