Security News
JSR Working Group Kicks Off with Ambitious Roadmap and Plans for Open Governance
At its inaugural meeting, the JSR Working Group outlined plans for an open governance model and a roadmap to enhance JavaScript package management.
Radspec is a safe interpreter for dynamic expressions in Ethereum's NatSpec.
This allows smart contact developers to show improved function documentation to end users, without the security pitfalls of natspec.js. Radspec defines its own syntax structure and parses its own AST rather than directly evaluating untrusted JavaScript.
Radspec supports any contract programming language, such as Solidity or Vyper because radspec works on the compiled JSON ABI. Here is an example using Solidity.
pragma solidity ^0.5.0;
contract Tree {
/// @notice Set the tree age to `numYears` years
function setAge(uint256 numYears) external {
// set the age into storage
}
}
Notice the dynamic expression documentation for the setAge
function. When presented to the end user, this will render based on the inputs provided by the user. For example, if the end user is calling the contract with an input of 10 years, this will be rendered by radspec as:
Set the tree age to 10 years
Use the Solidity compiler to generate user documentation and ABI with:
solc --userdoc --abi tree.sol
This produces the outputs:
{
"methods" :
{
"setAge(uint256)" :
{
"notice" : "Set the tree age to `numYears` years"
}
}
}
and
[{
"constant":false,
"inputs":[{"name":"numYears","type":"uint256"}],
"name":"setAge",
"outputs":[],
"payable":false,
"stateMutability":"nonpayable",
"type":"function"
}]
Write a simple tool using radspec to interpret this:
import radspec from 'radspec'
// Set userDoc and ABI from above
const expression = userDoc.methods["setAge(uint256)"].notice
const call = {
abi: abi,
transaction: {
to: '0x8521742d3f456bd237e312d6e30724960f72517a',
data: '0xd5dcf127000000000000000000000000000000000000000000000000000000000000000a'
}
}
radspec.evaluate(expression, call)
.then(console.log) // => "Set the tree age to 10 years"
See more examples here and in the tests.
Please let us know if there's anything else you'd like Radspec to be able to evaluate by filing an issue!
Simply use your favorite Node.js package manager:
npm i radspec
Documentation about radspec and the internals of radspec can be found here.
TBD
natspec.js accepts any valid JavaScript. There are multiple reasons this is a bad idea:
eval
(unsafe!) from inside JavaScriptAs dapps become increasingly complex, it is paramount that tools are written in a way that makes phishing near impossible. Evaluating JavaScript directly makes opens your dapp up to cross-site scripting attacks by users merely submitting a transaction(!).
MIT
FAQs
Radspec is a safe alternative to Ethereum's natspec
The npm package radspec receives a total of 31 weekly downloads. As such, radspec popularity was classified as not popular.
We found that radspec demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 8 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
At its inaugural meeting, the JSR Working Group outlined plans for an open governance model and a roadmap to enhance JavaScript package management.
Security News
Research
An advanced npm supply chain attack is leveraging Ethereum smart contracts for decentralized, persistent malware control, evading traditional defenses.
Security News
Research
Attackers are impersonating Sindre Sorhus on npm with a fake 'chalk-node' package containing a malicious backdoor to compromise developers' projects.