diff --git a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt index 9d0b745bf7..a3465f4bf3 100644 --- a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt +++ b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt @@ -4,6 +4,7 @@ import net.corda.core.DoNotImplement import net.corda.core.contracts.AlwaysAcceptAttachmentConstraint.isSatisfiedBy import net.corda.core.crypto.SecureHash import net.corda.core.internal.AttachmentWithContext +import net.corda.core.internal.isUploaderTrusted import net.corda.core.serialization.CordaSerializable /** Constrain which contract-code-containing attachment can be used with a [ContractState]. */ @@ -19,9 +20,17 @@ object AlwaysAcceptAttachmentConstraint : AttachmentConstraint { override fun isSatisfiedBy(attachment: Attachment) = true } -/** An [AttachmentConstraint] that verifies by hash */ +/** + * An [AttachmentConstraint] that verifies by hash. + * The state protected by this constraint can only be used in a transaction created with that version of the jar. + * And a receiving node will only accept it if a cordapp with that hash has (is) been deployed on the node. + */ data class HashAttachmentConstraint(val attachmentId: SecureHash) : AttachmentConstraint { - override fun isSatisfiedBy(attachment: Attachment) = attachment.id == attachmentId + override fun isSatisfiedBy(attachment: Attachment): Boolean { + return if (attachment is AttachmentWithContext) { + attachment.id == attachmentId && isUploaderTrusted(attachment.contractAttachment.uploader) + } else false + } } /** diff --git a/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt b/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt index adbc815537..6281f79795 100644 --- a/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt +++ b/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt @@ -20,6 +20,9 @@ const val TEST_UPLOADER = "test" const val P2P_UPLOADER = "p2p" const val UNKNOWN_UPLOADER = "unknown" +fun isUploaderTrusted(uploader: String?) = + uploader?.let { it in listOf(DEPLOYED_CORDAPP_UPLOADER, RPC_UPLOADER, TEST_UPLOADER) } ?: false + abstract class AbstractAttachment(dataLoader: () -> ByteArray) : Attachment { companion object { fun SerializeAsTokenContext.attachmentDataLoader(id: SecureHash): () -> ByteArray { diff --git a/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt b/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt index a499bbfc1b..6117670407 100644 --- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt +++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt @@ -3,7 +3,7 @@ package net.corda.nodeapi.internal import net.corda.core.contracts.Attachment import net.corda.core.contracts.ContractAttachment import net.corda.core.crypto.SecureHash -import net.corda.core.internal.DEPLOYED_CORDAPP_UPLOADER +import net.corda.core.internal.isUploaderTrusted import net.corda.core.serialization.CordaSerializable import java.io.ByteArrayInputStream import java.io.ByteArrayOutputStream @@ -33,7 +33,7 @@ class AttachmentsClassLoader(attachments: List, parent: ClassLoader } init { - require(attachments.mapNotNull { it as? ContractAttachment }.none { it.uploader != DEPLOYED_CORDAPP_UPLOADER }) { + require(attachments.mapNotNull { it as? ContractAttachment }.all { isUploaderTrusted(it.uploader) }) { "Attempting to load Contract Attachments downloaded from the network" }