ENT-1564 - add additional uploader check to the HashConstraint (#2845)

2025-01-18 10:46:38 +00:00 · 2018-03-20 10:17:44 +00:00 · 2018-03-20 10:17:44 +00:00 · 1a1cd94161
commit 1a1cd94161
parent 5a05704d7a
3 changed files with 16 additions and 4 deletions
--- a/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
+++ b/core/src/main/kotlin/net/corda/core/contracts/AttachmentConstraint.kt
@ -4,6 +4,7 @@ import net.corda.core.DoNotImplement
 import net.corda.core.contracts.AlwaysAcceptAttachmentConstraint.isSatisfiedBy
 import net.corda.core.crypto.SecureHash
 import net.corda.core.internal.AttachmentWithContext
+import net.corda.core.internal.isUploaderTrusted
 import net.corda.core.serialization.CordaSerializable

 /** Constrain which contract-code-containing attachment can be used with a [ContractState]. */
@ -19,9 +20,17 @@ object AlwaysAcceptAttachmentConstraint : AttachmentConstraint {
    override fun isSatisfiedBy(attachment: Attachment) = true
 }

-/** An [AttachmentConstraint] that verifies by hash */
+/**
+ * An [AttachmentConstraint] that verifies by hash.
+ * The state protected by this constraint can only be used in a transaction created with that version of the jar.
+ * And a receiving node will only accept it if a cordapp with that hash has (is) been deployed on the node.
+ */
 data class HashAttachmentConstraint(val attachmentId: SecureHash) : AttachmentConstraint {
-    override fun isSatisfiedBy(attachment: Attachment) = attachment.id == attachmentId
+    override fun isSatisfiedBy(attachment: Attachment): Boolean {
+        return if (attachment is AttachmentWithContext) {
+            attachment.id == attachmentId && isUploaderTrusted(attachment.contractAttachment.uploader)
+        } else false
+    }
 }

 /**
--- a/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt
+++ b/core/src/main/kotlin/net/corda/core/internal/AbstractAttachment.kt
@ -20,6 +20,9 @@ const val TEST_UPLOADER = "test"
 const val P2P_UPLOADER = "p2p"
 const val UNKNOWN_UPLOADER = "unknown"

+fun isUploaderTrusted(uploader: String?) =
+        uploader?.let { it in listOf(DEPLOYED_CORDAPP_UPLOADER, RPC_UPLOADER, TEST_UPLOADER) } ?: false
+
 abstract class AbstractAttachment(dataLoader: () -> ByteArray) : Attachment {
    companion object {
        fun SerializeAsTokenContext.attachmentDataLoader(id: SecureHash): () -> ByteArray {
--- a/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt
+++ b/node-api/src/main/kotlin/net/corda/nodeapi/internal/AttachmentsClassLoader.kt
@ -3,7 +3,7 @@ package net.corda.nodeapi.internal
 import net.corda.core.contracts.Attachment
 import net.corda.core.contracts.ContractAttachment
 import net.corda.core.crypto.SecureHash
-import net.corda.core.internal.DEPLOYED_CORDAPP_UPLOADER
+import net.corda.core.internal.isUploaderTrusted
 import net.corda.core.serialization.CordaSerializable
 import java.io.ByteArrayInputStream
 import java.io.ByteArrayOutputStream
@ -33,7 +33,7 @@ class AttachmentsClassLoader(attachments: List<Attachment>, parent: ClassLoader
    }

    init {
-        require(attachments.mapNotNull { it as? ContractAttachment }.none { it.uploader != DEPLOYED_CORDAPP_UPLOADER }) {
+        require(attachments.mapNotNull { it as? ContractAttachment }.all { isUploaderTrusted(it.uploader) }) {
            "Attempting to load Contract Attachments downloaded from the network"
        }