Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: allow getBundleIDFromInstallation to be called with a promise #10304

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

Chris-Hibbert
Copy link
Contributor

refs: #10256

Description

While working on #10256, I noticed that getBundleIDFromInstallation is documented to take an Installation or a promise, it doesn't actually handle a promise. This changes the guard to resolve a promise before proceeding.

Security Considerations

None

Scaling Considerations

None

Documentation Considerations

Make the code match the declaration

Testing Considerations

I didn't.

Upgrade Considerations

This makes the code slightly more liberal. It shouldn't break anything.

Copy link

cloudflare-workers-and-pages bot commented Oct 21, 2024

Deploying agoric-sdk with  Cloudflare Pages  Cloudflare Pages

Latest commit: bf4ba98
Status: ✅  Deploy successful!
Preview URL: https://2ffbfd03.agoric-sdk.pages.dev
Branch Preview URL: https://cth-zoe-getbundleid-promise.agoric-sdk.pages.dev

View logs

@Chris-Hibbert Chris-Hibbert added the Zoe package: Zoe label Oct 21, 2024
@Chris-Hibbert Chris-Hibbert requested a review from dckc October 21, 2024 21:50
@Chris-Hibbert Chris-Hibbert self-assigned this Oct 21, 2024
@Chris-Hibbert Chris-Hibbert requested a review from a team as a code owner October 21, 2024 21:50
@Chris-Hibbert Chris-Hibbert added the automerge:rebase Automatically rebase updates, then merge label Oct 22, 2024
@Chris-Hibbert Chris-Hibbert force-pushed the cth-zoe-getBundleID-promise branch from 0c9e5b5 to bf4ba98 Compare October 22, 2024 18:04
Copy link
Member

@dckc dckc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to check that a risk is acceptable for the benefit.

getBundleIDFromInstallation: M.call(InstallationShape).returns(
getBundleIDFromInstallation: M.callWhen(M.await(InstallationShape)).returns(
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ISTR @dtribble pointing out a security concern where a client can pass a promise and not resolve it, tying up resources in zoe.

Much of the zoe API already accepts promises in this way, so perhaps we have already accepted the risk. But I'd like to be sure.

@warner ? @erights ? thoughts?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
automerge:rebase Automatically rebase updates, then merge Zoe package: Zoe
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants