Potential fix for code scanning alert no. 27: Prototype-polluting assignment#42
Open
vNodesV wants to merge 44 commits into vNodesV-patch-1 from
Conversation
…governance proposal
The node failed to start with 'UPGRADE "sdk50" NEEDED at height: 1000' because the on-chain upgrade proposal used the name "sdk50" but the code registered the handler as "v2-sdk50". This name mismatch prevented:
1. The upgrade handler from matching and executing
2. The UpgradeStoreLoader from adding new store keys (Consensus, crisis)
3. The consensus params migration from running (causing "collections: not found" errors)
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Fix upgrade name mismatch: "v2-sdk50" → "sdk50"
…ion panic During SDK 0.47→0.50 upgrade, bank Migrate3to4 panics with "parameter SendEnabled not registered" because initParamsKeeper created subspaces without WithKeyTable(). Added ParamKeyTable registration for auth, bank, staking, mint, distribution, slashing, gov (v1), and crisis modules. Also added govv1 import. Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Register legacy ParamKeyTable on module subspaces for SDK 0.50 migration
- Added ibcclienttypes import to app/app.go
- Registered IBC client ParamKeyTable in initParamsKeeper
- Fixes panic: parameter AllowedClients not registered
- Build and install verified successfully
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
…erns
- Created IBC_PARAMS_FIX.md with comprehensive issue analysis
- Updated jarvis3.0.agent.md with session summary and findings
- Added critical params subspace registration pattern to agent directive
- Stored memories for IBC client params migration pattern
- Documents why WithKeyTable() is required for modules with legacy params
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
- Created SESSION_SDK50_UPGRADE_FIX.md - Complete session summary
- Created PARAMS_MIGRATION_TROUBLESHOOTING.md - Quick reference guide
- Documents all issues, fixes, patterns, and verification steps
- Provides templates and checklists for future troubleshooting
- Ready for devnet upgrade testing
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
- Created SDK50_FIX_INDEX.md as central navigation hub
- Links to all troubleshooting guides and documentation
- Includes statistics, commit history, and quick reference
- Provides clear documentation structure and next steps
- Session complete: all issues resolved and documented
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Fix SDK 0.50 upgrade panic: register IBC client params subspace
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Fix consensus params migration panic in SDK 0.50 upgrade handler
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
Remove invalid AddressCodec field assignments from client.Context
Co-authored-by: vNodesV <100853686+vNodesV@users.noreply.github.com>
…rror Configure address codecs in InterfaceRegistry for SDK 0.50 transaction signing
…emoving unnecessary blank lines
…nfig and update NewRootCmd to set prefixes before encoding config creation
… v2.2.1 migration, including Visual Upgrade Status, Complete Migration Guide, Fixes Applied, and Index files. This cleanup eliminates outdated references and prepares the repository for future updates.
Updated project title and description for clarity.
Revise README title and project description
…ignment Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Potential fix for https://github.com/vNodesV/meme/security/code-scanning/27
To fix the problem in general, we must ensure that untrusted strings are not used directly as property names on plain objects when they can be __proto__, constructor, or prototype. Typical approaches are: (1) reject such keys explicitly, (2) prefix keys with a safe constant, or (3) use a Map or a prototype-less object (via Object.create(null)) as the backing store.

The single best minimal-change fix here is to guard the QUERY mutation so it refuses to operate if query is one of the dangerous names. This keeps the data structure (state) and all existing use sites intact, and it does not change the format of stored keys, so it won’t break other code that reads from state[query]. Concretely, in vue/src/store/generated/cosmos/ibc-go/ibc.core.connection.v1/index.ts, inside mutations: { ... QUERY(...) { ... } }, add a small helper to check whether query is "__proto__", "constructor", or "prototype", and early-return if so. The guard should be the first statement in the QUERY body, before any access like state[query]. No new imports are needed.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.
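The guard the autofix describes, as an added example that is not the project's generated store code: a QUERY-style mutation in its vulnerable and guarded forms, plus the prototype-less backing store the comment lists as an alternative. The mutation's shape (state[query][key] = value), the state layout and the helper names are assumptions, and the guard here also covers the inner key, which goes beyond the query-only check in the comment.

```typescript
// Added example, not the project's generated store code: a QUERY-style mutation that
// writes state[query][key] = value, first as written (vulnerable), then with the key
// guard the autofix describes. The mutation shape and state layout are assumptions.

type QueryState = Record<string, Record<string, unknown>>;
type QueryPayload = { query: string; key: string; value: unknown };
type QueryMutation = (state: QueryState, payload: QueryPayload) => void;

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

/** True when `name` must not be used as a property name on a plain object. */
export function isDangerousKey(name: string): boolean {
  return DANGEROUS_KEYS.has(name);
}

/** Vulnerable: state["__proto__"] resolves to Object.prototype, so the inner
 *  write lands on every plain object in the process. */
export function queryMutationUnsafe(state: QueryState, { query, key, value }: QueryPayload): void {
  if (!state[query]) state[query] = {};
  state[query][key] = value;
}

/** Hardened: refuse dangerous names before any state[query] access. This example
 *  also guards the inner key, which goes beyond the autofix's query-only check. */
export function queryMutationSafe(state: QueryState, { query, key, value }: QueryPayload): void {
  if (isDangerousKey(query) || isDangerousKey(key)) return; // guard is the first statement
  if (!state[query]) state[query] = {};
  state[query][key] = value;
}

/** Alternative the autofix mentions: a prototype-less backing store, where
 *  "__proto__" is an ordinary own property and cannot reach Object.prototype. */
export function newPrototypelessState(): QueryState {
  return Object.create(null) as QueryState;
}

/** Runs `mutation` with a constructed attacker payload against `state` and reports
 *  whether a brand-new object now inherits the planted property. Cleans up after. */
export function pollutionLeaks(mutation: QueryMutation, state: QueryState = {}): boolean {
  const marker = "pollutionMarker";
  try {
    mutation(state, { query: "__proto__", key: marker, value: "polluted" });
    return ({} as Record<string, unknown>)[marker] === "polluted";
  } finally {
    delete (Object.prototype as Record<string, unknown>)[marker];
  }
}
```

pollutionLeaks is the regression check to keep next to the store: it returns true only for the unguarded mutation on a plain-object state.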