Fix panic safety in register_contract_with_source and register_stellar_asset_contract_v2 (#1803)

mootz12 · web-flow · commit 857c058d30ae · 2026-03-31T20:17:47.000Z
### What Reorder operations in `register_contract_with_source` and `register_stellar_asset_contract_v2` so that the auth manager is always restored before any unwrap that could panic. Use `try_invoke_contract` instead of `invoke_contract` for the `set_admin` call in `register_stellar_asset_contract_v2`. ### Why Both functions snapshot the auth manager, switch to recording mode, perform a fallible operation, then restore the original auth manager. If the operation panics (e.g. constructor argument mismatch), the restore is skipped and the auth manager is left permanently in recording mode — silently bypassing all require_auth enforcement. This is not an expected code path in general contract testing, just an additional defensive layer. Closes #1802 ### Known limitations None
diff --git a/soroban-sdk/src/env.rs b/soroban-sdk/src/env.rs
@@ -1120,15 +1120,15 @@ impl Env {
         self.env_impl
             .switch_to_recording_auth_inherited_from_snapshot(&prev_auth_manager)
             .unwrap();
-        self.invoke_contract::<()>(
+        let admin_result = self.try_invoke_contract::<(), Error>(
             &token_id,
             &soroban_sdk_macros::internal_symbol_short!("set_admin"),
             (admin,).try_into_val(self).unwrap(),
         );
         self.env_impl.set_auth_manager(prev_auth_manager).unwrap();
+        admin_result.unwrap().unwrap();
 
         let issuer = StellarAssetIssuer::new(self.clone(), issuer_id);
-
         StellarAssetContract::new(token_id, issuer, asset)
     }
 
@@ -1167,13 +1167,14 @@ impl Env {
         executable: xdr::ContractExecutable,
         constructor_args: Vec<Val>,
     ) -> Address {
+        let args_vec: std::vec::Vec<xdr::ScVal> =
+            constructor_args.iter().map(|v| v.into_val(self)).collect();
+        let constructor_args = args_vec.try_into().unwrap();
         let prev_auth_manager = self.env_impl.snapshot_auth_manager().unwrap();
         self.env_impl
             .switch_to_recording_auth_inherited_from_snapshot(&prev_auth_manager)
             .unwrap();
-        let args_vec: std::vec::Vec<xdr::ScVal> =
-            constructor_args.iter().map(|v| v.into_val(self)).collect();
-        let contract_id: Address = self
+        let create_result = self
             .env_impl
             .invoke_function(xdr::HostFunction::CreateContractV2(
                 xdr::CreateContractArgsV2 {
@@ -1186,16 +1187,13 @@ impl Env {
                         },
                     ),
                     executable,
-                    constructor_args: args_vec.try_into().unwrap(),
+                    constructor_args,
                 },
-            ))
-            .unwrap()
-            .try_into_val(self)
-            .unwrap();
+            ));
 
         self.env_impl.set_auth_manager(prev_auth_manager).unwrap();
 
-        contract_id
+        create_result.unwrap().try_into_val(self).unwrap()
     }
 
     /// Set authorizations and signatures in the environment which will be
diff --git a/soroban-sdk/src/tests/env.rs b/soroban-sdk/src/tests/env.rs
@@ -44,6 +44,11 @@ enum ContractError {
     AnError = 1,
 }
 
+mod constructor_contract {
+    use crate as soroban_sdk;
+    soroban_sdk::contractimport!(file = "../target/wasm32v1-none/release/test_constructor.wasm");
+}
+
 #[test]
 fn default_and_from_snapshot_same_settings() {
     let env1 = Env::default();
@@ -326,3 +331,28 @@ fn test_try_as_contract_panic() {
         )))
     );
 }
+
+#[test]
+fn test_register_restores_auth_before_panics() {
+    let env = Env::default();
+
+    let address = env.register(Contract, ());
+    let client = ContractClient::new(&env, &address);
+    let user = Address::generate(&env);
+
+    let pre_register = client.try_need_auth(&user);
+    assert!(pre_register.is_err());
+
+    // This is contrived to cause a panic inside register_contract_with_source.
+    // Don't actually do things like this!
+    let another_contract = env.register(Contract, ());
+    let register_result = env.try_as_contract::<_, Error>(&another_contract, || {
+        // This expects arguments for the constructor, but none are provided, so it will panic
+        env.register(constructor_contract::WASM, ());
+    });
+    assert!(register_result.is_err());
+
+    let post_register = client.try_need_auth(&user);
+    assert!(post_register.is_err());
+    assert_eq!(pre_register, post_register);
+}
diff --git a/soroban-sdk/test_snapshots/tests/env/test_register_restores_auth_before_panics.1.json b/soroban-sdk/test_snapshots/tests/env/test_register_restores_auth_before_panics.1.json
@@ -0,0 +1,87 @@
+{
+  "generators": {
+    "address": 4,
+    "nonce": 0,
+    "mux_id": 0
+  },
+  "auth": [
+    [],
+    [],
+    [],
+    [],
+    []
+  ],
+  "ledger": {
+    "protocol_version": 25,
+    "sequence_number": 0,
+    "timestamp": 0,
+    "network_id": "0000000000000000000000000000000000000000000000000000000000000000",
+    "base_reserve": 0,
+    "min_persistent_entry_ttl": 4096,
+    "min_temp_entry_ttl": 16,
+    "max_entry_ttl": 6312000,
+    "ledger_entries": [
+      {
+        "entry": {
+          "last_modified_ledger_seq": 0,
+          "data": {
+            "contract_data": {
+              "ext": "v0",
+              "contract": "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAD2KM",
+              "key": "ledger_key_contract_instance",
+              "durability": "persistent",
+              "val": {
+                "contract_instance": {
+                  "executable": {
+                    "wasm": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+                  },
+                  "storage": null
+                }
+              }
+            }
+          },
+          "ext": "v0"
+        },
+        "live_until": 4095
+      },
+      {
+        "entry": {
+          "last_modified_ledger_seq": 0,
+          "data": {
+            "contract_data": {
+              "ext": "v0",
+              "contract": "CAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHK3M",
+              "key": "ledger_key_contract_instance",
+              "durability": "persistent",
+              "val": {
+                "contract_instance": {
+                  "executable": {
+                    "wasm": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
+                  },
+                  "storage": null
+                }
+              }
+            }
+          },
+          "ext": "v0"
+        },
+        "live_until": 4095
+      },
+      {
+        "entry": {
+          "last_modified_ledger_seq": 0,
+          "data": {
+            "contract_code": {
+              "ext": "v0",
+              "hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
+              "code": ""
+            }
+          },
+          "ext": "v0"
+        },
+        "live_until": 4095
+      }
+    ]
+  },
+  "events": []
+}
