Add import allow-list for geth (#988)

* core/rawdb: should not import go-ethereum's rawdb * Add import allow-list for geth * Update scripts/lint_imports.sh Co-authored-by: Ceyhun Onur <[email protected]> * remove trie import * remove trie, rawdb * rename to allowed-packages * Rename geth linting script * scripts: add comment to lint allowed geth imports script Co-authored-by: Ceyhun Onur <[email protected]> Co-authored-by: Aaron Buchwald <[email protected]>
ava-labs · Sep 15, 2022 · 3e233a2 · 3e233a2
1 parent 77798a9
commit 3e233a2
Show file tree

Hide file tree

Showing 5 changed files with 37 additions and 5 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -38,6 +38,8 @@ jobs:
           go mod edit -replace github.com/ava-labs/avalanchego=./avalanchego
           go mod tidy
           go clean -modcache # avoid conflicts with the golangci-lint-action cache
+      - run: ./scripts/lint_allowed_geth_imports.sh
+        shell: bash
       - name: golangci-lint
         uses: golangci/golangci-lint-action@v2
         with:

diff --git a/core/rawdb/accessors_state_sync.go b/core/rawdb/accessors_state_sync.go
@@ -6,7 +6,6 @@ package rawdb
 import (
 	"github.com/ava-labs/coreth/ethdb"
 	"github.com/ethereum/go-ethereum/common"
-	"github.com/ethereum/go-ethereum/core/rawdb"
 	"github.com/ethereum/go-ethereum/log"
 )
 
@@ -47,7 +46,7 @@ func DeleteCodeToFetch(db ethdb.KeyValueWriter, hash common.Hash) {
 // hashes that are pending syncing. It is the caller's responsibility to
 // unpack the key and call Release on the returned iterator.
 func NewCodeToFetchIterator(db ethdb.Iteratee) ethdb.Iterator {
-	return rawdb.NewKeyLengthIterator(
+	return NewKeyLengthIterator(
 		db.NewIterator(CodeToFetchPrefix, nil),
 		codeToFetchKeyLength,
 	)
@@ -68,7 +67,7 @@ func NewSyncSegmentsIterator(db ethdb.Iteratee, root common.Hash) ethdb.Iterator
 	copy(segmentsPrefix, syncSegmentsPrefix)
 	copy(segmentsPrefix[len(syncSegmentsPrefix):], root[:])
 
-	return rawdb.NewKeyLengthIterator(
+	return NewKeyLengthIterator(
 		db.NewIterator(segmentsPrefix, nil),
 		syncSegmentsKeyLength,
 	)
@@ -115,7 +114,7 @@ func packSyncSegmentKey(root common.Hash, start []byte) []byte {
 // added for syncing (beginning at seek). It is the caller's responsibility to unpack
 // the key and call Release on the returned iterator.
 func NewSyncStorageTriesIterator(db ethdb.Iteratee, seek []byte) ethdb.Iterator {
-	return rawdb.NewKeyLengthIterator(db.NewIterator(syncStorageTriesPrefix, seek), syncStorageTriesKeyLength)
+	return NewKeyLengthIterator(db.NewIterator(syncStorageTriesPrefix, seek), syncStorageTriesKeyLength)
 }
 
 // WriteSyncStorageTrie adds a storage trie for account (with the given root) to be synced.

diff --git a/core/state_processor_test.go b/core/state_processor_test.go
@@ -36,9 +36,9 @@ import (
 	"github.com/ava-labs/coreth/core/types"
 	"github.com/ava-labs/coreth/core/vm"
 	"github.com/ava-labs/coreth/params"
+	"github.com/ava-labs/coreth/trie"
 	"github.com/ethereum/go-ethereum/common"
 	"github.com/ethereum/go-ethereum/crypto"
-	"github.com/ethereum/go-ethereum/trie"
 	"golang.org/x/crypto/sha3"
 )
 

diff --git a/scripts/geth-allowed-packages.txt b/scripts/geth-allowed-packages.txt
@@ -0,0 +1,15 @@
+"github.com/ethereum/go-ethereum/cmd/utils"
+"github.com/ethereum/go-ethereum/common"
+"github.com/ethereum/go-ethereum/common/bitutil"
+"github.com/ethereum/go-ethereum/common/compiler"
+"github.com/ethereum/go-ethereum/common/hexutil"
+"github.com/ethereum/go-ethereum/common/math"
+"github.com/ethereum/go-ethereum/common/prque"
+"github.com/ethereum/go-ethereum/core/asm"
+"github.com/ethereum/go-ethereum/crypto"
+"github.com/ethereum/go-ethereum/crypto/blake2b"
+"github.com/ethereum/go-ethereum/crypto/bls12381"
+"github.com/ethereum/go-ethereum/crypto/bn256"
+"github.com/ethereum/go-ethereum/event"
+"github.com/ethereum/go-ethereum/log"
+"github.com/ethereum/go-ethereum/rlp"
diff --git a/scripts/lint_allowed_geth_imports.sh b/scripts/lint_allowed_geth_imports.sh
@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+
+# Ensure that there are no geth imports that are not marked as explicitly allowed via ./scripts/geth-allowed-packages.txt
+# 1. Recursively search through all go files for any lines that include a direct import from go-ethereum
+# 2. Sort the unique results
+# #. Print out the difference between the search results and the list of specified allowed package imports from geth.
+extra_imports=$(grep -r --include='*.go' '"github.com/ethereum/go-ethereum/.*"' -o -h | sort -u | comm -23 - ./scripts/geth-allowed-packages.txt)
+if [ ! -z "${extra_imports}" ]; then
+    echo "new go-ethereum imports should be added to ./scripts/geth-allowed-packages.txt to prevent accidental imports:"
+    echo "${extra_imports}"
+    exit 1
+fi