chore: refactor permission rules and add additional validation#7844
Open
jeffsmale90 wants to merge 8 commits intomainfrom
Open
chore: refactor permission rules and add additional validation#7844jeffsmale90 wants to merge 8 commits intomainfrom
jeffsmale90 wants to merge 8 commits intomainfrom
Conversation
jeffsmale90
changed the title
jeffsmale90
force-pushed
the
chore/gator_permissions_decoding_adversarial_tests
branch
from
4cd5553 to
df72ecd
Compare
jeffsmale90
changed the title
jeffsmale90
force-pushed
the
chore/gator_permissions_decoding_adversarial_tests
branch
2 times, most recently
from
1bc5acb to
a9450f5
Compare
…ion to ensure that permission data invariants are not violated.
…ype is self-describing and can be more easily tested in isolation. Add validation and test coverage for each permission type.
Plus minor changes: - Remove redundant amendment to ChecksumCaveat type - Remove unused ValidateDecodedPermission type - Fixes controller tests that expected the controller to self-report GatorPermissionsSnap id - Make decode functions internal, and rename to align with public interface
jeffsmale90
force-pushed
the
chore/gator_permissions_decoding_adversarial_tests
branch
from
a9450f5 to
8700f23
Compare
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
packages/gator-permissions-controller/src/decodePermission/rules/erc20TokenPeriodic.test.ts
Show resolved
Hide resolved
…e ChecksumEnforcersByChainId type rather than explicitly declaring a new type
jeffsmale90
force-pushed
the
chore/gator_permissions_decoding_adversarial_tests
branch
from
52df231 to
e1cb91e
Compare
mj-kiwi
reviewed
Mar 3, 2026
| const startTime = hexToNumber(startTimeRaw); | ||
| const initialAmountBigInt = hexToBigInt(initialAmount); | ||
| const maxAmountBigInt = hexToBigInt(maxAmount); | ||
|
|
There was a problem hiding this comment.
Should we also add an amountPerSecond check here, similar to how it’s handled in native-token-stream ?
mj-kiwi
reviewed
Mar 3, 2026
| }); | ||
|
|
||
| it('rejects when startTime is 0', () => { | ||
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex; |
There was a problem hiding this comment.
I think the valid 20-byte addresses should be 40 hex chars.
Suggested change
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex; | |
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddd' as Hex; |
mj-kiwi
reviewed
Mar 3, 2026
| }); | ||
|
|
||
| it('rejects when startTime is 0', () => { | ||
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex; |
There was a problem hiding this comment.
Suggested change
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddddd' as Hex; | |
| const tokenAddress = '0xdddddddddddddddddddddddddddddddddddddd' as Hex; |
Contributor
Author
There was a problem hiding this comment.
Lol, I counted those ds very carefully!
mj-kiwi
reviewed
Mar 3, 2026
Comment on lines
+82
to
+101
| const [periodAmount, periodDurationRaw, startTimeRaw] = splitHex( | ||
| terms, | ||
| [32, 32, 32], | ||
| ); | ||
| const periodDuration = hexToNumber(periodDurationRaw); | ||
| const startTime = hexToNumber(startTimeRaw); | ||
|
|
||
| if (periodDuration <= 0) { | ||
| throw new Error( | ||
| 'Invalid native-token-periodic terms: periodDuration must be a positive number', | ||
| ); | ||
| } | ||
|
|
||
| if (startTime <= 0) { | ||
| throw new Error( | ||
| 'Invalid native-token-periodic terms: startTime must be a positive number', | ||
| ); | ||
| } | ||
|
|
||
| return { periodAmount, periodDuration, startTime }; |
There was a problem hiding this comment.
should we add periodAmount > 0 check here?
mj-kiwi
reviewed
Mar 3, 2026
| splitHex(terms, [20, 32, 32, 32]); | ||
| const periodDuration = hexToNumber(periodDurationRaw); | ||
| const startTime = hexToNumber(startTimeRaw); | ||
|
|
There was a problem hiding this comment.
should we add periodAmount > 0 check here?
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explanation
It's critical that the
GatorPermissionController's Permission decoding logic is strict, and will not decode EIP-712 payload to a permission unless the payload exactly meets the expectations of that permission.This PR refactors the permission rules to be more self contained, and self describing. This allows each permission type's decoding rules to be more thoroughly tested in isolation. Validation and decoding logic is combined, as decoding is an implicit part of the validation step.
This PR also adds explicit validation of the "implicit" caveats for each permission type (
valueLtefor ERC20 permissions,exactCalldatafor native token permissions), where previously we were ensuring that they caveats exist, but not validating their terms.References
Checklist
Note
Medium Risk
Refactors core permission decoding/validation logic, which can cause previously accepted delegations to fail decoding if their caveat terms are malformed or slightly non-conforming. While largely additive hardening with extensive new tests, it touches security-sensitive permission interpretation paths.
Overview
Permission decoding is refactored to be rule-driven and stricter.
GatorPermissionsController.decodePermissionFromPermissionContextForOriginnow builds per-chain permission rules, selects the single matching rule by caveat/enforcer addresses (findRuleWithMatchingCaveatAddresses), and validates+decodes terms viavalidateAndDecodePermission, failing decoding on any invalid terms.Adds per-permission validation/decoding rules with expanded test coverage. Introduces
createPermissionRulesForContractsand rule modules for each supported permission type (native/erc20 stream/periodic and erc20 revocation), adding explicit validation for “implicit” caveats (ExactCalldataEnforcermust be0x,ValueLteEnforcermust be zero/32-bytes) plus stricter term length/field checks; replaces the olderidentifyPermissionByEnforcers/getPermissionDataAndExpiryapproach and updates/expands tests accordingly.Written by Cursor Bugbot for commit f956a28. This will update automatically on new commits. Configure here.