Tests on localnet don't validate inputs #3515

Closed
marcospgp opened this issue Jan 27, 2025 · 4 comments

marcospgp commented Jan 27, 2025

I was testing an anchor program on localnet with a unit test, and it seems that the test will pass as long as all required values are there - even if the accounts passed in are empty!

It seems like testing in localnet does no validation of accounts at all? Or am I wrong?

I'd say this is unexpected and means one can't test proper validation locally

My program code has:

    pub fn test(
        ctx: Context<TestInput>,
        _space: u64,
        arg: Vec<something>,
    ) -> Result<()> { ... }

    #[derive(Accounts)]
    #[instruction(space: u64)]
    pub struct TestInput<'info> {
        #[account(
            init,
            payer = b,
            space = space as usize,
            seeds = [b"test", b.key().as_ref()],
            bump
        )]
        pub a: Account<'info, SomeAccount>,
        #[account(mut)]
        pub b: Signer<'info>,
        pub c: Program<'info, System>,
    }

But I can call it like this and the test will still pass:

    await program.methods
      .test(space, models)
      .accounts({})
      .rpc();

@acheroncrypto
Collaborator

This is because starting from v0.30, Anchor automatically resolves accounts if you use the accounts method. If you don't want accounts to be resolved automatically, you can use the accountsStrict method instead.

https://www.anchor-lang.com/release-notes/0.30.0#account-resolution
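
The distinction described in the reply above, as an added example that is not part of the original thread and is not Anchor's resolver code: a simplified model of client-side resolution next to the program-side checks. All names (`resolve`, `strict`, `programValidates`, `derive`, `PROGRAM_ID`) are hypothetical, the PDA derivation is a stand-in hash, and it assumes omitted signers default to the provider wallet.

```typescript
// Simplified model; all names here are hypothetical, not Anchor's API.
type Accounts = Record<string, string>;
type Seed = string | { account: string };
interface AccountDef { name: string; signer?: boolean; address?: string; seeds?: Seed[] }
const PROGRAM_ID = "ExampleProgramId"; // constructed placeholder
const SYSTEM_PROGRAM = "11111111111111111111111111111111";
// Same shape as TestInput in the issue: PDA, signer, System Program.
const TEST_INPUT: AccountDef[] = [
  { name: "a", seeds: ["test", { account: "b" }] },
  { name: "b", signer: true },
  { name: "c", address: SYSTEM_PROGRAM },
];

// Stand-in for PDA derivation (real derivation uses SHA-256 and a bump search).
function derive(seeds: string[], programId: string): string {
  const input = seeds.concat(programId).join("|");
  let h = 7;
  for (let i = 0; i < input.length; i++) h = (h * 31 + input.charCodeAt(i)) >>> 0;
  return "pda_" + h.toString(16);
}
function expectedPda(def: AccountDef, accts: Accounts): string {
  const seeds = (def.seeds || []).map((s) => (typeof s === "string" ? s : accts[s.account]));
  return derive(seeds, PROGRAM_ID);
}

// Model of `.accounts(...)`: fill in every omitted account that can be derived.
function resolve(defs: AccountDef[], given: Accounts, wallet: string): Accounts {
  const out: Accounts = { ...given };
  for (const d of defs) if (d.signer && !out[d.name]) out[d.name] = wallet;
  for (const d of defs) {
    if (out[d.name]) continue;
    if (d.address) out[d.name] = d.address;
    else if (d.seeds) out[d.name] = expectedPda(d, out);
  }
  return out;
}
// Model of `.accountsStrict(...)`: nothing is filled in, every account must be passed.
function strict(defs: AccountDef[], given: Accounts): Accounts {
  const missing = defs.filter((d) => !given[d.name]).map((d) => d.name);
  if (missing.length) throw new Error("missing accounts: " + missing.join(", "));
  return { ...given };
}
// Program side: constraints are checked on whatever accounts the client sends.
function programValidates(defs: AccountDef[], accts: Accounts, signers: string[]): boolean {
  return defs.every((d) =>
    (!d.signer || signers.indexOf(accts[d.name]) !== -1) &&
    (!d.address || accts[d.name] === d.address) &&
    (!d.seeds || accts[d.name] === expectedPda(d, accts)));
}
```

In this model an empty accounts object passes because every account is derivable, while a wrong PDA passed through the strict path is accepted by the client and rejected by the program-side check.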

@marcospgp
Author

marcospgp commented Jan 27, 2025

@acheroncrypto That is really surprising as someone that is just learning Anchor! Everywhere in the docs one reads that validation is strict and fragile and security is paramount etc., but then it turns out accounts aren't being validated at all, not even on mainnet? Or am I misunderstanding?

Shouldn't there be an accountsUnsafe instead? While accounts remains default secure?

Also the documentation itself should be updated I think, as people like me are unlikely to be checking changelogs

@acheroncrypto
Collaborator

What security are you talking about? This is completely unrelated to the security of your program. It's all about client-side account resolution in TypeScript. Read the link I sent above that explains account resolution.

> Also the documentation itself should be updated I think, as people like me are unlikely to be checking changelogs

Yes, and it's already being updated in #3493

@marcospgp
Author

@acheroncrypto I'm not sure what account resolution means, tried to look for it in the docs aside from the changelog you pointed to but couldn't find much - all I could find for the TypeScript library is this reference, which is a bit hard to navigate

thanks!
