Get spec version directly from file#2710
| echo "network spec_version: $spec_version" | ||
| : ${spec_version:?bad spec version} | ||
| local_spec_version=$(cargo run -p subtensor-tools --bin spec-version | tr -d '\n') | ||
| local_spec_version=$(sed -n 's/ *spec_version: \([0-9]*\),/\1/p' runtime/src/lib.rs | head -n 1 | tr -d '\n') |
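Review bot: the new `local_spec_version` has no guard, unlike `spec_version` two lines up; if the field is moved, renamed or turned into a named constant, `sed` prints nothing and the comparison runs against an empty string instead of failing the job. Mirror the existing guard with `: ${local_spec_version:?bad local spec version}` after the assignment, and tighten `[0-9]*` to `[0-9]\{1,\}` so an empty digit run can never match.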
[HIGH] Textual spec_version extraction is spoofable
This now trusts the first textual spec_version: <n>, match anywhere in runtime/src/lib.rs. A future PR can place an earlier matching token in a cfg-disabled item or macro before the real RuntimeVersion; Rust will still compile/use the real VERSION, but this deploy check will compare the fake value and can pass without an actual runtime spec bump. Keep avoiding cargo run from PR code, but make this parser target exactly one enabled #[sp_version::runtime_version] pub const VERSION block and fail on zero/multiple matches or any ambiguity.
| echo "network spec_version: $spec_version" | ||
| : ${spec_version:?bad spec version} | ||
| local_spec_version=$(cargo run -p subtensor-tools --bin spec-version | tr -d '\n') | ||
| local_spec_version=$(sed -n 's/ *spec_version: \([0-9]*\),/\1/p' runtime/src/lib.rs | head -n 1 | tr -d '\n') |
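Review bot: `head -n 1` silently discards every match after the first, which is precisely what the spoofing concern relies on. Count the matches and fail closed when there is not exactly one, e.g. `[ "$(grep -c '^ *spec_version: [0-9]\{1,\},' runtime/src/lib.rs)" -eq 1 ] || exit 1` before the `sed` line, so a second textual `spec_version:` anywhere in the file breaks the build instead of passing the gate.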
[HIGH] Textual spec_version extraction is spoofable
Same issue as the devnet workflow: the first regex hit in runtime/src/lib.rs controls the gate, not necessarily the real VERSION.spec_version. A future PR can add an earlier cfg-disabled or macro-contained spec_version: 999999, line and make this check pass while the deployed runtime version is unchanged. The workflow should extract from a single unambiguous runtime-version declaration and fail closed on ambiguity.
| echo "network spec_version: $spec_version" | ||
| : ${spec_version:?bad spec version} | ||
| local_spec_version=$(cargo run -p subtensor-tools --bin spec-version | tr -d '\n') | ||
| local_spec_version=$(sed -n 's/ *spec_version: \([0-9]*\),/\1/p' runtime/src/lib.rs | head -n 1 | tr -d '\n') |
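Review bot: this is the third verbatim copy of the same `sed | head | tr` pipeline across the deploy workflows; move it into one shared script or composite action so any hardening (single-match check, digit requirement, empty-value guard) lands once and the three gates cannot drift apart.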
[HIGH] Textual spec_version extraction is spoofable
Same issue as the other deploy checks: this accepts the first textual spec_version field in runtime/src/lib.rs. That lets a future PR spoof the CI comparison with an earlier non-runtime token while leaving the actual VERSION.spec_version unchanged. The check needs to fail closed unless it can identify exactly the real runtime VERSION declaration.
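A fail-closed extractor of the kind the inline comments ask for, added here as an illustration (not code from the PR or the subtensor project). It assumes the Substrate layout in which a single `#[sp_version::runtime_version]` attribute precedes `pub const VERSION: RuntimeVersion = RuntimeVersion { ... };`, and the sample `lib.rs` content is constructed.

```bash
#!/usr/bin/env bash
# Added example: fail-closed spec_version extraction for a deploy gate. Assumes
# the Substrate layout `#[sp_version::runtime_version] pub const VERSION:
# RuntimeVersion = RuntimeVersion { ... };` occurs exactly once in the file.
set -eu
# Prints the spec_version found inside the single attributed VERSION block.
# Exits non-zero if the attribute is absent, appears more than once, or the
# block does not contain exactly one `spec_version: <digits>,` field.
extract_spec_version() {
    awk '
        /^[ \t]*#\[sp_version::runtime_version\]/ { attrs++; in_block = 1; next }
        in_block && /^[ \t]*spec_version:[ \t]*[0-9]+,/ {
            sub(/^[ \t]*spec_version:[ \t]*/, ""); sub(/,.*$/, "")
            hits++; value = $0
        }
        in_block && /^[ \t]*};/ { in_block = 0 }
        END { if (attrs != 1 || hits != 1) exit 1; print value }
    ' "$1"
}

# The parser from the PR, for comparison: the first textual match wins.
naive_spec_version() {
    sed -n 's/ *spec_version: \([0-9]*\),/\1/p' "$1" | head -n 1 | tr -d '\n'
}

# Constructed sample standing in for runtime/src/lib.rs: a cfg-disabled decoy
# precedes the genuine VERSION declaration. Prints the temp file path.
sample_spoofed_lib_rs() {
    local f; f=$(mktemp)
    cat > "$f" <<'EOF'
#[cfg(any())]
pub const DECOY: RuntimeVersion = RuntimeVersion {
    spec_version: 999999,
};

#[sp_version::runtime_version]
pub const VERSION: RuntimeVersion = RuntimeVersion {
    spec_name: alloc::borrow::Cow::Borrowed("node-subtensor"),
    authoring_version: 1,
    spec_version: 317,
};
EOF
    echo "$f"
}

f=$(sample_spoofed_lib_rs)
echo "naive:    $(naive_spec_version "$f")"    # 999999 (decoy wins)
echo "hardened: $(extract_spec_version "$f")"  # 317
rm -f "$f"
```

Concatenating the sample with itself (two attributed blocks) or removing the attribute makes `extract_spec_version` exit non-zero, which is the fail-closed behaviour a CI gate needs.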
🛡️ AI Review — Skeptic (security review)
VERDICT: VULNERABLE
BASELINE scrutiny: established write-permission contributor with substantial prior subtensor history; branch spec-version -> devnet-ready. No prior Skeptic findings were present. The PR does not modify
Findings
Conclusion
The PR removes PR-code execution from the spec-version check, but the replacement parser makes the deploy gate spoofable by future PRs. That is a steady-state CI bypass for the runtime
🔍 AI Review — Auditor (domain review) has not yet run on this PR.

🔄 AI review updated — Skeptic: VULNERABLE
Summary
spec_version directly from runtime/src/lib.rs in deploy-check workflows.
spec-version support binary and its runtime dependency.