Release 2.2.0
What's Changed
Features
- Verification with Standard JSON Input
- Added support for new chains (295, 7668, 7672, 888, 999, and 7701)
- Implemented a complete Metadata type
- Generate variations of the metadata file in partial match to reach a full match
- Added "Lookup Another" button in Lookup result
- Add server monitoring capabilities to Grafana
- Added GitHub star button
Fixes
- Etherscan metadata variations
- Fix EventManager fails if listeners are not set
- Update h5ai-nginx submodule to the latest version
- Fix how the UI handles non-checksummed addresses
- Reorder the metadata object before generating the variations
- Add test for not alphabetically sorted metadata
- Disable chainId 51 getCreatorTx test
- Re-enable SourcifyEventManager's listeners
- Add a repository link to the create2 verified contracts
- Use checkSupportedChainId instead of checkChainId for contract verification
- Update typescript and typedoc in lib-sourcify
- Handle libraries with call protection
- Add nginx exporter for Prometheus
- Improve the function to sanitize path at storeSources
- Display the create2 repo link only for create2 results
- Fix abitype req. typescript v5+
- Show error on bad Etherscan req
- Change OPTIMISTIC_ETHERSCAN to OPTIMISMSCAN
- Revert accidentally setting sed to gsed
- Fix matchWithCreationTx by decoding the constructor arguments
- Test for paths in metadata containing multiple ../
- Fix linter errors and warnings
Fixed vulnerabilities
Thanks to @Hellobloc for reporting the following vulnerabilities.
Path traversal vulnerability when storing contracts
Summary
When the file path is saved with ../ as prefix, the file is potentially saved in other locations in the repository.
Example
Solution
The solidity compiler collapses all the /../ components in the path, the same algorithm was implemented in Sourcify to fix the path traversal vulnerability.
Malicous creation bytecode bypass the startsWith check in matchWithCreationTx
Summary
The start_with vulnerability enables arbitrary source code verification.
When comparing Creation Code, bytecode comparison is performed using the start_with function. This is designed to facilitate source code validation when constructor arguments are present.
However, relying solely on start_with for source code validation without verifying constructor arguments can introduce risks.
In particular, it is possible to create contract source code without compilation results by utilizing abstract and interface contracts. Such source code can pass the start_with check for any contract bytecode.
Example
https://github.com/Hellobloc/verify/tree/test_start_with
https://repo.staging.sourcify.dev/contracts/partial_match/5/0x5ea1E75790b86C4c5Db5e7c7A1fa14d683D50Cfe/sources/contracts/
Solution
This problem is solved by decoding the rest of the bytecode after startsWith assuming it is the ABI encoded constructor arguments part. If the decoding fails, an error is thrown.
PRs
- Etherscan metadata variations by @kuzdogan in #976
- Fix how the ui handles non-checksummed addresses by @marcocastignoli in #990
- add-chain-999 by @lolieatapple in #993
- Add chain 888 by @lolieatapple in #995
- Verification with Standard JSON Input by @kuzdogan in #980
- Add chain 7668 by @aidan-starke in #1004
- Add chain 7672 by @aidan-starke in #988
- Implement a complete Metadata type by @marcocastignoli in #1001
- Re-enable SourcifyEventManager's listeners by @marcocastignoli in #1003
- Add chain 7701 by @tster in #1005
- Handle libraries with call protection by @marcocastignoli in #1000
- Add chain 295 (Hedera Mainnet) by @svienot in #1009
- Release by @marcocastignoli in #1016
New Contributors
- @lolieatapple made their first contribution in #993
- @aidan-starke made their first contribution in #1004
- @tster made their first contribution in #1005
- @svienot made their first contribution in #1009
Full Changelog: v2.1.1...v2.2.0
