input validation 3

.circleci/config.yml

@@ -7,7 +7,7 @@ jobs:
   # All checks on the codebase that can run in parallel to build_shared_library
   libwasmvm_sanity:
     docker:
-      - image: cimg/rust:1.81.0
+      - image: cimg/rust:1.86.0
     steps:
       - checkout
       - run:
@@ -18,8 +18,8 @@ jobs:
           command: rustup component add rustfmt
       - restore_cache:
           keys:
-            - cargocache-v3-libwasmvm_sanity-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
-            - cargocache-v3-libwasmvm_sanity-rust:1.81.0-
+            - cargocache-v3-libwasmvm_sanity-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
+            - cargocache-v3-libwasmvm_sanity-rust:1.86.0-
       - run:
           name: Ensure libwasmvm/bindings.h is up-to-date
           working_directory: libwasmvm
@@ -62,7 +62,7 @@ jobs:
             - libwasmvm/target/release/.fingerprint
             - libwasmvm/target/release/build
             - libwasmvm/target/release/deps
-          key: cargocache-v3-libwasmvm_sanity-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
+          key: cargocache-v3-libwasmvm_sanity-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
 
   libwasmvm_clippy:
     parameters:
@@ -113,15 +113,15 @@ jobs:
           command: |
             set -o errexit
             curl -sS --output rustup-init.exe https://static.rust-lang.org/rustup/dist/x86_64-pc-windows-msvc/rustup-init.exe
-            ./rustup-init.exe --no-modify-path --profile minimal --default-toolchain 1.81.0 -y
+            ./rustup-init.exe --no-modify-path --profile minimal --default-toolchain 1.86.0 -y
             echo 'export PATH="$PATH;$USERPROFILE/.cargo/bin"' >> "$BASH_ENV"
       - run:
           name: Show Rust version information
           command: rustc --version; cargo --version; rustup --version
       - restore_cache:
           keys:
-            - cachev4-libwasmvm_sanity_windows-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
-            - cachev4-libwasmvm_sanity_windows-rust:1.81.0-
+            - cachev4-libwasmvm_sanity_windows-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
+            - cachev4-libwasmvm_sanity_windows-rust:1.86.0-
       - run:
           name: Run unit tests
           working_directory: libwasmvm
@@ -133,13 +133,13 @@ jobs:
             - libwasmvm/target/debug/.fingerprint
             - libwasmvm/target/debug/build
             - libwasmvm/target/debug/deps
-          key: cachev4-libwasmvm_sanity_windows-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
+          key: cachev4-libwasmvm_sanity_windows-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
 
   libwasmvm_audit:
     docker:
       # The audit tool might use a more modern Rust version than the build jobs. See
       # "Tooling Rust compiler" in docs/COMPILER_VERSIONS.md
-      - image: cimg/rust:1.81.0
+      - image: cimg/rust:1.86.0
     steps:
       - checkout
       - run:
@@ -152,8 +152,8 @@ jobs:
           command: rustc --version; cargo --version; rustup --version
       - restore_cache:
           keys:
-            - v3-libwasmvm_audit-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
-            - v3-libwasmvm_audit-rust:1.81.0-
+            - v3-libwasmvm_audit-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
+            - v3-libwasmvm_audit-rust:1.86.0-
       - run:
           name: Install cargo-audit
           command: cargo install --debug cargo-audit --version 0.21.0 --locked
@@ -164,7 +164,7 @@ jobs:
       - save_cache:
           paths:
             - ~/.cargo/registry
-          key: v3-libwasmvm_audit-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
+          key: v3-libwasmvm_audit-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
 
   format-go:
     docker:
@@ -294,7 +294,7 @@ jobs:
             - libwasmvm/target/release/.fingerprint
             - libwasmvm/target/release/build
             - libwasmvm/target/release/deps
-          key: cargocache-v3-build_shared_library-rust:1.81.0-{{ checksum "libwasmvm/Cargo.lock" }}
+          key: cargocache-v3-build_shared_library-rust:1.86.0-{{ checksum "libwasmvm/Cargo.lock" }}
 
   # Test the Go project and run benchmarks
   wasmvm_test:
@@ -456,7 +456,7 @@ workflows:
           matrix:
             parameters:
               # Run with MSRV and some modern stable Rust
-              rust-version: ["1.81.0", "1.82.0"]
+              rust-version: ["1.86.0", "1.86.0"]
       - libwasmvm_audit
       - format-go
       - wasmvm_no_cgo

.cursor/rules/project-description.mdc

@@ -0,0 +1,6 @@
+---
+description: 
+globs: 
+alwaysApply: true
+---
+This project is written in go, c and rust, and it serves as the interop layer between cosmwasm's vm and cosmos blockchains written in go.  Please be attentive to the multi-lingual nature of the project when working with it.

.github/workflows/bat.yml

@@ -0,0 +1,27 @@
+on: [push, pull_request]
+name: Test
+jobs:
+  test:
+    strategy:
+      matrix:
+        go-version: [1.24.x]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - run: make test
+  build:
+    strategy:
+      matrix:
+        go-version: [1.24.x]
+        os: [ubuntu-latest, macos-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
+        with:
+          go-version: ${{ matrix.go-version }}
+      - run: make build

.github/workflows/cargo-audit.yml

@@ -0,0 +1,38 @@
+name: Cargo Audit
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-audit.yml"
+  pull_request:
+    paths:
+      - "**/Cargo.toml"
+      - "**/Cargo.lock"
+      - ".github/workflows/cargo-audit.yml"
+  schedule:
+    - cron: "0 0 * * 0" # Run weekly on Sundays at midnight
+
+jobs:
+  cargo-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@stable
+
+      - name: Install cargo-audit
+        run: cargo install cargo-audit
+
+      - name: Run cargo audit
+        working-directory: ./libwasmvm
+        run: cargo audit
+        continue-on-error: ${{ github.event_name == 'schedule' }} # Don't fail scheduled runs
+
+      - name: Run cargo audit with ignore unmaintained
+        working-directory: ./libwasmvm
+        run: cargo audit --ignore RUSTSEC-2024-0436 --ignore RUSTSEC-2024-0370
+        # These are the unmaintained crates we're already tracking in deny.toml

.github/workflows/lint-go.yml

@@ -20,7 +20,7 @@ jobs:
       - uses: actions/checkout@v4
       - uses: actions/setup-go@v5
         with:
-          go-version: "1.23.4"
+          go-version: "1.24"
           cache: false
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v7

Makefile

@@ -61,7 +61,7 @@ build-go:
 .PHONY: test
 test:
 	# Use package list mode to include all subdirectores. The -count=1 turns off caching.
-	RUST_BACKTRACE=1 go test -v -count=1 ./...
+	CGO_ENABLED=1 RUST_BACKTRACE=1 go test -v -count=1 ./...
 
 .PHONY: test-safety
 test-safety:

go.mod

@@ -3,6 +3,7 @@ module github.com/CosmWasm/wasmvm/v3
 go 1.22
 
 require (
+	github.com/CosmWasm/wasmvm/v2 v2.2.3
 	github.com/google/btree v1.0.0
 	github.com/shamaton/msgpack/v2 v2.2.0
 	github.com/stretchr/testify v1.8.1
@@ -11,8 +12,8 @@ require (
 
 require (
 	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
+	github.com/kr/text v0.2.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
-	gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15 // indirect
+	github.com/rogpeppe/go-internal v1.9.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,3 +1,5 @@
+github.com/CosmWasm/wasmvm/v2 v2.2.3 h1:LVaAdkCMbgfUTSFOANmp2OOU1rIgz4iylow4SFD/lqs=
+github.com/CosmWasm/wasmvm/v2 v2.2.3/go.mod h1:bMhLQL4Yp9CzJi9A83aR7VO9wockOsSlZbT4ztOl6bg=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
@@ -8,7 +10,6 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=

internal/api/api_test.go

@@ -30,7 +30,7 @@ func TestValidateAddressFailure(t *testing.T) {
 
 	// if the human address is larger than 32 bytes, this will lead to an error in the go side
 	longName := "long123456789012345678901234567890long"
-	msg := []byte(`{"verifier": "` + longName + `", "beneficiary": "bob"}`)
+	msg := []byte(`{"verifier": "` + longName + `", "beneficiary": "` + SafeBech32Address("bob") + `"}`)
 
 	// make sure the call doesn't error, but we get a JSON-encoded error result from ContractResult
 	igasMeter := types.GasMeter(gasMeter)
@@ -41,7 +41,6 @@ func TestValidateAddressFailure(t *testing.T) {
 	require.NoError(t, err)
 
 	// ensure the error message is what we expect
-	require.Nil(t, result.Ok)
-	// with this error
-	require.Equal(t, "Generic error: addr_validate errored: human encoding too long", result.Err)
+	require.NotNil(t, result.Err)
+	require.Contains(t, result.Err, "addr_validate errored: Invalid Bech32 address")
 }