security(evm): remove client-controlled wallet_access_id from grant revocation

CleverWild
2026-06-09 19:36:44 +02:00
parent 4bb2c062dc
commit 32f317384d
5 changed files with 4 additions and 11 deletions


@@ -90,7 +90,6 @@ message EvmGrantCreateResponse {
message EvmGrantDeleteRequest {
int32 grant_id = 1;
int32 wallet_access_id = 2;
}
message EvmGrantDeleteResponse {
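Review bot: Field number 2 is removed from `EvmGrantDeleteRequest` without being reserved, so a later edit could reuse tag 2 or the name `wallet_access_id` with a different meaning, and a client built against the old schema would then have its value silently reinterpreted. Add `reserved 2;` and `reserved "wallet_access_id";` inside the message. Old clients that still send the field are unaffected by this, since the server simply no longer reads it. `EvmGrantDeleteResponse` continues outside the hunk.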


@@ -161,10 +161,9 @@ impl EvmActor {
pub async fn useragent_delete_grant(
&mut self,
grant_id: i32,
wallet_access_id: i32,
) -> Result<(), Error> {
self.engine
.revoke_grant(grant_id, wallet_access_id)
.revoke_grant(grant_id)
.await
.map_err(Error::from)
}


@@ -360,13 +360,12 @@ impl UserAgentSession {
pub(crate) async fn handle_grant_delete(
&mut self,
grant_id: i32,
wallet_access_id: i32,
) -> Result<(), GrantMutationError> {
// match self
// .props
// .actors
// .evm
// .ask(UseragentDeleteGrant { grant_id, wallet_access_id })
// .ask(UseragentDeleteGrant { grant_id })
// .await
// {
// Ok(()) => Ok(()),
@@ -375,7 +374,7 @@ impl UserAgentSession {
// Err(GrantMutationError::Internal)
// }
// }
let _ = (grant_id, wallet_access_id);
let _ = grant_id;
todo!()
}
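Review bot: `handle_grant_delete` still ends in `todo!()`, so every revocation request that reaches this handler panics instead of revoking the grant, and the real `UseragentDeleteGrant` call stays commented out. On a revocation path a returned error is safer than a panic in what appears to be the session actor; until the call is restored, replace `todo!()` with `Err(GrantMutationError::Internal)`. When it is restored, this handler looks like the right place to pass an owner derived from the authenticated session down to the engine, instead of passing only `grant_id`. The lines between the two hunks are not shown.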


@@ -279,7 +279,6 @@ impl Engine {
pub async fn revoke_grant(
&self,
basic_grant_id: i32,
wallet_access_id: i32,
) -> Result<(), DatabaseError> {
let mut conn = self.db.get().await.map_err(DatabaseError::from)?;
let keyholder = self.keyholder.clone();
@@ -294,14 +293,12 @@ impl Engine {
update(evm_basic_grant::table)
.filter(evm_basic_grant::id.eq(basic_grant_id))
.filter(evm_basic_grant::wallet_access_id.eq(wallet_access_id))
.set(evm_basic_grant::revoked_at.eq(SqliteTimestamp(Utc::now())))
.execute(conn)
.await?;
let basic_grant: EvmBasicGrant = evm_basic_grant::table
.filter(evm_basic_grant::id.eq(basic_grant_id))
.filter(evm_basic_grant::wallet_access_id.eq(wallet_access_id))
.select(EvmBasicGrant::as_select())
.first(conn)
.await?;
@@ -805,7 +802,7 @@ mod tests {
.await
.unwrap();
engine.revoke_grant(grant_id, WALLET_ACCESS_ID).await.unwrap();
engine.revoke_grant(grant_id).await.unwrap();
let mut conn = db.get().await.unwrap();
diesel::update(evm_basic_grant::table)
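Review bot: The `update(evm_basic_grant::table)` in `revoke_grant` is now scoped by `evm_basic_grant::id` alone, and nothing in the visible hunks checks that the grant belongs to the caller, so any authenticated client that supplies another grant's `i32` id could presumably revoke it. Dropping the client-supplied value is right, but the ownership filter should be kept and fed from server-side session state: keep `.filter(evm_basic_grant::wallet_access_id.eq(wallet_access_id))` with `wallet_access_id` resolved from the authenticated connection rather than from the request. Separately, assuming `revoked_at` is nullable, adding `.filter(evm_basic_grant::revoked_at.is_null())` to the update would stop a repeated revoke from overwriting the original revocation timestamp. The test hunk only covers the owner's own revoke; a case asserting that a different principal cannot revoke this grant would pin the intended behaviour. The body of `revoke_grant` continues between and beyond the hunks shown.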


@@ -170,7 +170,6 @@ async fn handle_grant_delete(
let result = match actor
.ask(HandleGrantDelete {
grant_id: req.grant_id,
wallet_access_id: req.wallet_access_id,
})
.await
{