
Conversation

akhilchainani
Contributor

No description provided.

src/v0.8/keystone/MockKeystoneForwarder.sol:MockKeystoneForwarder`;

console.log("\nRunning verification...");
execSync(cmd, { stdio: 'inherit' });

Check warning

Code scanning / CodeQL

Indirect uncontrolled command line (Medium)

This command depends on an unsanitized environment variable.

Copilot Autofix

AI 7 days ago

The problem can be fixed by avoiding passing a single shell command string to execSync, and instead using an API that invokes a binary directly with list-of-arguments, such as execFileSync. This prevents any shell metacharacter interpretation and so avoids injection. In this case, we replace:

const cmd = `cd contracts && forge verify-contract ...`
execSync(cmd, { stdio: 'inherit' });

with

execFileSync('forge', [...args], { cwd: 'contracts', stdio: 'inherit' });

where args is an array of all the arguments previously included as part of the string, including all flags and parameter values. Arguments are split exactly as would have been split by the shell, except that environment variable interpolation is replaced by direct use.

If the use of cd contracts && ... was simply to change the working directory, the equivalent for execFileSync is to set the third argument's cwd property to contracts.

Thus, the only changes required are:

  • Require execFileSync from child_process (possibly already available as execSync is already imported; add if not).
  • Construct the arguments for the forge verify-contract call as an array.
  • Invoke execFileSync instead of execSync, passing in 'forge' and the argument array, with { cwd: 'contracts', stdio: 'inherit' }.

No new dependencies are needed.


Suggested changeset 1
verify-sepolia.js

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/verify-sepolia.js b/verify-sepolia.js
--- a/verify-sepolia.js
+++ b/verify-sepolia.js
@@ -1,5 +1,5 @@
 const fs = require("fs");
-const { execSync } = require("child_process");
+const { execSync, execFileSync } = require("child_process");
 
 // Try to load dotenv if available
 try {
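Review bot: `execSync` stays in the destructured import next to the new `execFileSync`. If the call replaced in the second hunk was the file's only use of `execSync`, drop it from this line as well, so the shell-string variant is not left lying around for a future edit to reach for and the unused binding does not trip lint.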
@@ -44,16 +44,18 @@
     console.log("\nWaiting 3 seconds to avoid rate limit...");
     await new Promise(resolve => setTimeout(resolve, 3000));
     
-    const cmd = `cd contracts && forge verify-contract \
-      --chain sepolia \
-      --etherscan-api-key ${process.env.ETHERSCAN_API_KEY} \
-      --watch \
-      --retry 3 \
-      ${contractAddress} \
-      src/v0.8/keystone/MockKeystoneForwarder.sol:MockKeystoneForwarder`;
+    const forgeArgs = [
+      'verify-contract',
+      '--chain', 'sepolia',
+      '--etherscan-api-key', process.env.ETHERSCAN_API_KEY,
+      '--watch',
+      '--retry', '3',
+      contractAddress,
+      'src/v0.8/keystone/MockKeystoneForwarder.sol:MockKeystoneForwarder'
+    ];
 
     console.log("\nRunning verification...");
-    execSync(cmd, { stdio: 'inherit' });
+    execFileSync('forge', forgeArgs, { cwd: 'contracts', stdio: 'inherit' });
     
     console.log("\n✅ Contract verified successfully!");
     console.log(`View on Sepolia Etherscan: https://sepolia.etherscan.io/address/${contractAddress}#code`);
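Review bot: nothing guards against `ETHERSCAN_API_KEY` being unset: `'--etherscan-api-key', process.env.ETHERSCAN_API_KEY,` then puts `undefined` into `forgeArgs`, and the failure surfaces later and obscurely (a type error from `child_process` or forge rejecting a bogus key) instead of as a message naming the missing variable. Check the variable before building the array and throw a clear error. Passing `cwd: 'contracts'` does preserve the old `cd contracts &&`, so the relative source path in the last element still resolves.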
EOF
Contributor

Static analysis results are available

Hey @akhilchainani, you can view Slither reports in the job summary here or download them as artifact here.
Please check them before merging and make sure you have addressed all issues.
