Merge pull request #7119 from NomicFoundation/popescuoctavian/fsPermissions

build: upgrade to @nomicfoundation/edr v0.12.0-next.4

Author: galargh

.changeset/pretty-dodos-flow.md

@@ -0,0 +1,5 @@
+---
+"hardhat": minor
+---
+
+Upgraded EDR dependency to @nomicfoundation/edr v0.12.0-next.4, which changes the file system permission config interface for Solidity tests to mitigate EVM sandbox escape through cheatcodes.

.github/config/regression-tests.yml

@@ -136,7 +136,7 @@ repositories:
             "maxTestRejects": 1000000
           },
           "fsPermissions": {
-            "read": [
+            "readDirectory": [
               "./out-optimized"
             ]
           },
@@ -230,11 +230,11 @@ repositories:
             "runs": 1000
           },
           "fsPermissions": {
-            "read": [
+            "readDirectory": [
               "./optimized-out",
               "./reference-out"
             ],
-            "write": [
+            "writeFile": [
               "./call-metrics.txt",
               "./mutation-metrics.txt",
               "./assume-metrics.txt",
@@ -357,7 +357,7 @@ repositories:
         "solidityTest": {
           "ffi": true,
           "fsPermissions": {
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               ".forge-snapshots/"
             ]
           }
@@ -420,7 +420,7 @@ repositories:
         "solidityTest": {
           "blockGasLimit": BigInt(100000000),
           "fsPermissions": {
-            "read": [
+            "readDirectory": [
               "./test/data"
             ]
           },
@@ -477,7 +477,7 @@ repositories:
         },
         "solidityTest": {
           "fsPermissions": {
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               "./"
             ]
           },
@@ -603,10 +603,10 @@ repositories:
         "solidityTest": {
           "ffi": true,
           "fsPermissions": {
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               ".forge-snapshots/"
             ],
-            "read": [
+            "readDirectory": [
               "./foundry-out",
               "./script/config",
               "./test/pool-cl/bin",
@@ -692,7 +692,7 @@ repositories:
             "runs": 100
           },
           "fsPermissions": {
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               "./"
             ]
           },
@@ -754,11 +754,13 @@ repositories:
         },
         "solidityTest": {
           "fsPermissions": {
-            "read": [
-              "./out-optimized",
+            "readDirectory": [
+              "./out-optimized"
+            ],
+            "readFile": [
               "package.json"
             ],
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               "./benchmark/results",
               "./script/"
             ]
@@ -871,10 +873,12 @@ repositories:
           "blockTimestamp": BigInt(1714518000),
           "fsPermissions": {
             "read": [
-              "./out-optimized",
+              "./out-optimized"
+            ],
+            "readFile": [
               "package.json"
             ],
-            "readWrite": [
+            "dangerouslyReadWriteDirectory": [
               "./benchmark/results",
               "./cache"
             ]

pnpm-lock.yaml

@@ -86,7 +86,7 @@
     "typescript": "~5.8.0"
   },
   "dependencies": {
-    "@nomicfoundation/edr": "0.12.0-next.3",
+    "@nomicfoundation/edr": "0.12.0-next.4",
     "@nomicfoundation/hardhat-errors": "workspace:^3.0.0-next.26",
     "@nomicfoundation/hardhat-utils": "workspace:^3.0.0-next.26",
     "@nomicfoundation/hardhat-zod-utils": "workspace:^3.0.0-next.26",

v-next/hardhat/package.json

@@ -16,9 +16,12 @@ const solidityTestUserConfigType = z.object({
   timeout: z.number().optional(),
   fsPermissions: z
     .object({
-      readWrite: z.array(z.string()).optional(),
-      read: z.array(z.string()).optional(),
-      write: z.array(z.string()).optional(),
+      readWriteFile: z.array(z.string()).optional(),
+      readFile: z.array(z.string()).optional(),
+      writeFile: z.array(z.string()).optional(),
+      dangerouslyReadWriteDirectory: z.array(z.string()).optional(),
+      readDirectory: z.array(z.string()).optional(),
+      dangerouslyWriteDirectory: z.array(z.string()).optional(),
     })
     .optional(),
   isolate: z.boolean().optional(),

v-next/hardhat/src/internal/builtin-plugins/solidity-test/config.ts

@@ -15,6 +15,7 @@ import {
   l1GenesisState,
   l1HardforkLatest,
   IncludeTraces,
+  FsAccessPermission,
 } from "@nomicfoundation/edr";
 import { hexStringToBytes } from "@nomicfoundation/hardhat-utils/hex";
 
@@ -39,9 +40,30 @@ export function solidityTestConfigToSolidityTestRunnerConfigArgs(
   testPattern?: string,
 ): SolidityTestRunnerConfigArgs {
   const fsPermissions: PathPermission[] | undefined = [
-    config.fsPermissions?.readWrite?.map((p) => ({ access: 0, path: p })) ?? [],
-    config.fsPermissions?.read?.map((p) => ({ access: 0, path: p })) ?? [],
-    config.fsPermissions?.write?.map((p) => ({ access: 0, path: p })) ?? [],
+    config.fsPermissions?.readWriteFile?.map((p) => ({
+      access: FsAccessPermission.ReadWriteFile,
+      path: p,
+    })) ?? [],
+    config.fsPermissions?.readFile?.map((p) => ({
+      access: FsAccessPermission.ReadFile,
+      path: p,
+    })) ?? [],
+    config.fsPermissions?.writeFile?.map((p) => ({
+      access: FsAccessPermission.WriteFile,
+      path: p,
+    })) ?? [],
+    config.fsPermissions?.dangerouslyReadWriteDirectory?.map((p) => ({
+      access: FsAccessPermission.DangerouslyReadWriteDirectory,
+      path: p,
+    })) ?? [],
+    config.fsPermissions?.readDirectory?.map((p) => ({
+      access: FsAccessPermission.ReadDirectory,
+      path: p,
+    })) ?? [],
+    config.fsPermissions?.dangerouslyWriteDirectory?.map((p) => ({
+      access: FsAccessPermission.DangerouslyWriteDirectory,
+      path: p,
+    })) ?? [],
   ].flat(1);
 
   const sender: Buffer | undefined =

v-next/hardhat/src/internal/builtin-plugins/solidity-test/helpers.ts

@@ -14,9 +14,12 @@ declare module "../../../types/test.js" {
   export interface SolidityTestUserConfig {
     timeout?: number;
     fsPermissions?: {
-      readWrite?: string[];
-      read?: string[];
-      write?: string[];
+      readWriteFile?: string[];
+      readFile?: string[];
+      writeFile?: string[];
+      dangerouslyReadWriteDirectory?: string[];
+      readDirectory?: string[];
+      dangerouslyWriteDirectory?: string[];
     };
     isolate?: boolean;
     ffi?: boolean;