From 9e1adb7926cdbf376a1833e31a04487b9b0e6b83 Mon Sep 17 00:00:00 2001 From: Tommy Johnson Date: Wed, 28 Feb 2024 07:04:57 -0500 Subject: [PATCH] add security information --- Cargo.lock | 204 +++++++++++++-------- SECURITY.md | 31 ++++ programs/spl-token-staking/Cargo.toml | 5 +- programs/spl-token-staking/src/lib.rs | 1 + programs/spl-token-staking/src/security.rs | 18 ++ 5 files changed, 183 insertions(+), 76 deletions(-) create mode 100644 SECURITY.md create mode 100644 programs/spl-token-staking/src/security.rs diff --git a/Cargo.lock b/Cargo.lock index 93c7cab..d78326f 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -78,8 +78,8 @@ checksum = "faa5be5b72abea167f87c868379ba3c2be356bfca9e6f474fd055fa0f7eeb4f2" dependencies = [ "anchor-syn", "anyhow", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "regex", "syn 1.0.109", ] @@ -93,8 +93,8 @@ dependencies = [ "anchor-syn", "anyhow", "bs58 0.5.0", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "rustversion", "syn 1.0.109", ] @@ -106,7 +106,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "59948e7f9ef8144c2aefb3f32a40c5fce2798baeec765ba038389e82301017ef" dependencies = [ "anchor-syn", - "proc-macro2", + "proc-macro2 1.0.66", "syn 1.0.109", ] @@ -117,8 +117,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fc753c9d1c7981cb8948cf7e162fb0f64558999c0413058e2d43df1df5448086" dependencies = [ "anchor-syn", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -130,8 +130,8 @@ checksum = "f38b4e172ba1b52078f53fdc9f11e3dc0668ad27997838a0aad2d148afac8c97" dependencies = [ "anchor-syn", "anyhow", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] 
@@ -143,8 +143,8 @@ checksum = "4eebd21543606ab61e2d83d9da37d24d3886a49f390f9c43a1964735e8c0f0d5" dependencies = [ "anchor-syn", "anyhow", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -156,8 +156,8 @@ checksum = "ec4720d899b3686396cced9508f23dab420f1308344456ec78ef76f98fda42af" dependencies = [ "anchor-syn", "anyhow", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -167,8 +167,8 @@ version = "0.28.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "f495e85480bd96ddeb77b71d499247c7d4e8b501e75ecb234e9ef7ae7bd6552a" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -219,8 +219,8 @@ dependencies = [ "anyhow", "bs58 0.5.0", "heck", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "serde", "serde_json", "sha2 0.10.7", @@ -294,7 +294,7 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3ed4aa4fe255d0bc6d79373f7e31d2ea147bcf486cba1be5ba7ea85abdb92348" dependencies = [ - "quote", + "quote 1.0.33", "syn 1.0.109", ] @@ -306,8 +306,8 @@ checksum = "7abe79b0e4288889c4574159ab790824d0033b9fdcb2a112a3182fac2e514565" dependencies = [ "num-bigint", "num-traits", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -342,8 +342,8 @@ version = "0.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ae3281bc6d0fd7e549af32b52511e1302185bd688fd3359fa36423346ff682ea" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -508,7 +508,7 @@ dependencies = [ "borsh-derive-internal 0.9.3", "borsh-schema-derive-internal 0.9.3", "proc-macro-crate 0.1.5", - "proc-macro2", + "proc-macro2 1.0.66", "syn 1.0.109", ] 
@@ -521,7 +521,7 @@ dependencies = [ "borsh-derive-internal 0.10.3", "borsh-schema-derive-internal 0.10.3", "proc-macro-crate 0.1.5", - "proc-macro2", + "proc-macro2 1.0.66", "syn 1.0.109", ] @@ -531,8 +531,8 @@ version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5449c28a7b352f2d1e592a8a28bf139bc71afb0764a14f3c02500935d8c44065" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -542,8 +542,8 @@ version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "afb438156919598d2c7bad7e1c0adf3d26ed3840dbc010db1a882a65583ca2fb" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -553,8 +553,8 @@ version = "0.9.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cdbd5696d8bfa21d53d9fe39a714a18538bad11492a42d066dbbc395fb1951c0" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -564,8 +564,8 @@ version = "0.10.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "634205cc43f74a1b9046ef87c4540ebda95696ec0f315024860cad7c5b0f5ccd" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -615,8 +615,8 @@ version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fdde5c9cd29ebd706ce1b35600920a33550e402fc998a2e53ad3b42c3c47a192" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] @@ -806,8 +806,8 @@ checksum = "177e3443818124b357d8e76f53be906d60937f0d3a90773a664fa63fa253e621" dependencies = [ "fnv", "ident_case", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "strsim", "syn 2.0.29", ] 
@@ -819,10 +819,21 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "836a9bbc7ad63342d6d6e7b815ccab164bc77a2d95d84bc3117a8c0d5c98e2d5" dependencies = [ "darling_core", - "quote", + "quote 1.0.33", "syn 2.0.29", ] +[[package]] +name = "default-env" +version = "0.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "f753eb82d29277e79efc625e84aecacfd4851ee50e05a8573a4740239a77bfd3" +dependencies = [ + "proc-macro2 0.4.30", + "quote 0.6.13", + "syn 0.15.44", +] + [[package]] name = "derivation-path" version = "0.2.0" @@ -835,8 +846,8 @@ version = "2.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "fcc3dd5e9e9c0b295d6e1e4d811fb6f157d5ffd784b8d202fc62eac8035a770b" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -1112,8 +1123,8 @@ version = "1.0.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "7eab4c6fd9509fa9c5e6f329363fe47aa77343a5d0b2f82db5a5a2c1e7e3ef6d" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "static_assertions", "syn 1.0.109", ] @@ -1302,7 +1313,7 @@ version = "0.2.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "12989bc45715b0ee91944855130131479f9c772e198a910c3eb0ea327d5bffc3" dependencies = [ - "quote", + "quote 1.0.33", "syn 1.0.109", ] @@ -1312,7 +1323,7 @@ version = "0.3.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "b5a739019e11d93661a64ef5fe108ab17c79b35961e944442ff6efdd460ad01a" dependencies = [ - "quote", + "quote 1.0.33", "syn 1.0.109", ] @@ -1344,8 +1355,8 @@ version = "0.3.3" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "876a53fff98e03a936a674b29568b0e605f06b29372c2489ff4de23f1949743d" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] 
@@ -1403,8 +1414,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dcbff9bc912032c62bf65ef1d5aea88983b420f4f839db1e9b0c281a25c9c799" dependencies = [ "proc-macro-crate 1.3.1", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 1.0.109", ] @@ -1415,8 +1426,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "96667db765a921f7b295ffee8b60472b686a51d4f21c2ee4ffdb94c7013b65a6" dependencies = [ "proc-macro-crate 1.3.1", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] @@ -1522,6 +1533,15 @@ dependencies = [ "toml_edit", ] +[[package]] +name = "proc-macro2" +version = "0.4.30" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cf3d2011ab5c909338f7887f4fc896d35932e29146c12c8d01da6b22a80ba759" +dependencies = [ + "unicode-xid", +] + [[package]] name = "proc-macro2" version = "1.0.66" @@ -1540,13 +1560,22 @@ dependencies = [ "percent-encoding", ] +[[package]] +name = "quote" +version = "0.6.13" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6ce23b6b870e8f94f81fb0a363d65d86675884b34a09043c81e5562f11c1f8e1" +dependencies = [ + "proc-macro2 0.4.30", +] + [[package]] name = "quote" version = "1.0.33" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "5267fca4496028628a95160fc423a33e8b2e6af8a5302579e322e4b520293cae" dependencies = [ - "proc-macro2", + "proc-macro2 1.0.66", ] [[package]] @@ -1773,8 +1802,8 @@ version = "1.0.183" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "aafe972d60b0b9bee71a91b92fee2d4fb3c9d7e8f6b179aa99f27203d99a4816" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] 
@@ -1806,8 +1835,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "881b6f881b17d13214e5d494c939ebab463d01264ce1811e9d4ac3a882e7695f" dependencies = [ "darling", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] @@ -1872,8 +1901,8 @@ version = "0.0.11" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "63927d22a1e8b74bda98cc6e151fcdf178b7abb0dc6c4f81e0bbf5ffe2fc4ec8" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "shank_macro_impl", "syn 1.0.109", ] @@ -1885,8 +1914,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "40ce03403df682f80f4dc1efafa87a4d0cb89b03726d0565e6364bdca5b9a441" dependencies = [ "anyhow", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "serde", "syn 1.0.109", ] @@ -1952,8 +1981,8 @@ version = "1.16.8" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "09f9a943b7e086970c1f131c82bed6788b788b49c6b3579388f4989cfcfb47db" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "rustc_version", "syn 2.0.29", ] @@ -2084,12 +2113,18 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "0f0d5ec9d1e765173704cbe8ea7d8c8d69a9f879d7e71ae7deb0632f9f0ee429" dependencies = [ "bs58 0.4.0", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "rustversion", "syn 2.0.29", ] +[[package]] +name = "solana-security-txt" +version = "1.1.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "468aa43b7edb1f9b7b7b686d5c3aeb6630dc1708e86e31343499dd5c4d775183" + [[package]] name = "solana-zk-token-sdk" version = "1.16.8" @@ -2184,8 +2219,10 @@ dependencies = [ "anchor-lang", "anchor-spl", "bytemuck", + "default-env", "jet-proto-proc-macros", "mpl-token-metadata", + "solana-security-txt", "static_assertions", "uint", ] 
@@ -2208,14 +2245,25 @@ version = "2.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6bdef32e8150c2a081110b42772ffe7d7c9032b606bc226c8260fd97e0976601" +[[package]] +name = "syn" +version = "0.15.44" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "9ca4b3b69a77cbe1ffc9e198781b7acb0c7365a883670e8f1c1bc66fba79a5c5" +dependencies = [ + "proc-macro2 0.4.30", + "quote 0.6.13", + "unicode-xid", +] + [[package]] name = "syn" version = "1.0.109" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "72b64191b275b66ffe2469e8af2c1cfe3bafa67b529ead792a6d0160888b4237" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "unicode-ident", ] @@ -2225,8 +2273,8 @@ version = "2.0.29" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "c324c494eba9d92503e6f1ef2e6df781e78f6a7705a0202d9801b198807d518a" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "unicode-ident", ] @@ -2254,8 +2302,8 @@ version = "1.0.47" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "6bb623b56e39ab7dcd4b1b98bb6c8f8d907ed255b18de254088016b27a8ee19b" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] @@ -2358,6 +2406,12 @@ version = "1.10.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "1dd624098567895118886609431a7c3b8f516e41d30e0643f03d94592a147e36" +[[package]] +name = "unicode-xid" +version = "0.1.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "fc72304796d0818e357ead4e000d19c9c174ab23dc11093ac919054d20a6a7fc" + [[package]] name = "universal-hash" version = "0.4.1" @@ -2415,8 +2469,8 @@ dependencies = [ "bumpalo", "log", "once_cell", - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", "wasm-bindgen-shared", ] 
@@ -2427,7 +2481,7 @@ version = "0.2.87" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "dee495e55982a3bd48105a7b947fd2a9b4a8ae3010041b9e0faab3f9cd028f1d" dependencies = [ - "quote", + "quote 1.0.33", "wasm-bindgen-macro-support", ] @@ -2437,8 +2491,8 @@ version = "0.2.87" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "54681b18a46765f095758388f2d0cf16eb8d4169b639ab575a8f5693af210c7b" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", "wasm-bindgen-backend", "wasm-bindgen-shared", @@ -2572,7 +2626,7 @@ version = "1.4.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ce36e65b0d2999d2aafac989fb249189a141aee1f53c612c1f37d72631959f69" dependencies = [ - "proc-macro2", - "quote", + "proc-macro2 1.0.66", + "quote 1.0.33", "syn 2.0.29", ] diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..6591943 --- /dev/null +++ b/SECURITY.md 
@@ -0,0 +1,31 @@
+# Security Policy
+
+1. [Reporting security problems](#reporting)
+1. [Security Bug Bounties](#security-bug-bounties)
+1. [Scope](#scope)
+
+## Reporting
+
+**DO NOT CREATE A GITHUB ISSUE** to report a security problem.
+
+Instead please use this [Report a Vulnerability](https://github.com/mithraiclabs/spl-token-staking/security/advisories/new) link.
+Provide a helpful title and detailed description of the problem.
+
+If you haven't done so already, please **enable two-factor auth** in your GitHub account.
+
+Expect a response as fast as possible in the advisory, typically within 72 hours.
+
+--
+
+If you do not receive a response in the advisory, send an email to
+security@psyoptions.io with the full URL of the advisory you have created. DO NOT
+include attachments or provide detail sufficient for exploitation regarding the
+security issue in this email. **Only provide such details in the advisory**.
+
+## Security Bug Bounties
+
+TBD ... todo :)
+
+## Scope
+
+- [programs/spl-token-staking](https://github.com/mithraiclabs/spl-token-staking/tree/master/programs/spl-token-staking)
\ No newline at end of file
diff --git a/programs/spl-token-staking/Cargo.toml b/programs/spl-token-staking/Cargo.toml
index db5360a..dfe5ad7 100644
--- a/programs/spl-token-staking/Cargo.toml
+++ b/programs/spl-token-staking/Cargo.toml
@@ -23,4 +23,7 @@ jet-proc-macros = { version = "1", package = "jet-proto-proc-macros" }
 static_assertions = "1.1.0"
 uint = "=0.9.1"
-mpl-token-metadata = { version = "=1.13.2" }
\ No newline at end of file
+mpl-token-metadata = { version = "=1.13.2" }
+
+solana-security-txt = "1.1.1"
+default-env = "0.1.1"
diff --git a/programs/spl-token-staking/src/lib.rs b/programs/spl-token-staking/src/lib.rs
index d840ecd..a9e0914 100644
--- a/programs/spl-token-staking/src/lib.rs
+++ b/programs/spl-token-staking/src/lib.rs
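Review bot: The two new dependencies use caret requirements (`solana-security-txt = "1.1.1"`, `default-env = "0.1.1"`) while the neighbouring `uint = "=0.9.1"` and `mpl-token-metadata = { version = "=1.13.2" }` pin exact versions; for a program whose deployed hash is meant to be reproducible from source, pin these the same way: `solana-security-txt = "=1.1.1"` and `default-env = "=0.1.1"`. The Cargo.lock hunks show `default-env` resolving to a second, older proc-macro toolchain (proc-macro2 0.4.30, quote 0.6.13, syn 0.15.44, unicode-xid 0.1.0) that is now part of the build-time supply chain, so it is worth making sure it is covered by the project's `cargo audit`/`cargo deny` checks in CI. Both crates are only consumed under `cfg(not(feature = "no-entrypoint"))` in security.rs, but they are still compiled for every build of the crate; that is expected for this pattern and not a defect.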
@@ -4,6 +4,7 @@ pub mod errors;
 pub mod instructions;
 pub mod macros;
 pub mod math;
+pub mod security;
 pub mod state;
 use crate::instructions::*;
diff --git a/programs/spl-token-staking/src/security.rs b/programs/spl-token-staking/src/security.rs
new file mode 100644
index 0000000..947721c
--- /dev/null
+++ b/programs/spl-token-staking/src/security.rs
@@ -0,0 +1,18 @@
+#[cfg(not(feature = "no-entrypoint"))]
+use {default_env::default_env, solana_security_txt::security_txt};
+
+#[cfg(not(feature = "no-entrypoint"))]
+security_txt! {
+    // Required fields
+    name: "Armada SPL Token Staking",
+    project_url: "https://github.com/mithraiclabs/spl-token-staking",
+    contacts: "link:https://github.com/mithraiclabs/spl-token-staking/security/advisories/new",
+    policy: "https://github.com/mithraiclabs/spl-token-staking/blob/master/SECURITY.md",
+
+    // Optional Fields
+    preferred_languages: "en",
+    source_code: "https://github.com/mithraiclabs/spl-token-staking",
+    source_revision: default_env!("GIT_SHA", ""),
+    source_release: default_env!("GIT_REF_NAME", ""),
+    auditors: "Mad Shield"
+}
\ No newline at end of file
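Review bot: `source_revision: default_env!("GIT_SHA", "")` and `source_release: default_env!("GIT_REF_NAME", "")` silently embed empty strings when those variables are not exported at build time, so a deployed program can carry a security.txt that cannot be tied to any commit, which defeats its use for matching the on-chain binary to a source revision. Add a comment above the `security_txt!` invocation stating the build-side contract, e.g. `// GIT_SHA and GIT_REF_NAME must be exported by the release (verifiable) build; an empty value means the deployed program cannot be matched to a source revision.`, and have the release pipeline fail when either is unset rather than shipping the fallback. `auditors: "Mad Shield"` is a bare name; the field is more useful to someone verifying the program if it also carries a link to the published audit report, which the field format allows alongside names. The `#[cfg(not(feature = "no-entrypoint"))]` guard on both the import and the macro is right: it keeps the exported static out of builds that consume the crate as a library.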