Warn users to remove `[provider].wallet` from Anchor.toml path when `anchor publish`-ing
Problem
`anchor publish` uploads all the sources including `Anchor.toml` to APR. `Anchor.toml` might contain sensitive information (computer's path to the wallet) in the `[provider].wallet`:

```toml
[provider]
cluster = "mainnet"
wallet = <sensitive wallet path>
```
This is what happened to me when I published APR for my smart-contract https://www.apr.dev/program/PLACEMmfm3ZMpYKWfTwzHsTGnPnnDgmK2QkJPeLnZWE?tab=Explorer
I followed the Anchor tutorial on publishing sources and configured the path to the wallet on mainnet and commented out the one on the local net. In fact, the `wallet` option is not used by `anchor publish` so it was redundant.
Surely, source code must have been sanitised before doing `anchor publish` but I forgot to check it.
Solution
Perform sanity checks and warn users on `anchor publish` if some option might be sensitive in the project.
Through the link I spotted these. Is it a critical thing that we need to remove?

```toml
[provider]
cluster = "localnet"
wallet = "~/.config/solana/id.json"
```
I've uploaded a new version with the paths replaced. I suppose the exact default one, like this one, is not critical. And for Windows, the default one, whatever it is. But it used to be my machine's one.
Not sure what the current status of the APR is but certainly worth noting to anyone working on that in the future.
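The check proposed under Solution, sketched as an added example in Rust (not Anchor's code and not written by anyone in this thread). The functions `provider_wallets` and `publish_warnings` are hypothetical, the scanner is a simplified line reader rather than a full TOML parser, and treating the default `~/.config/solana/id.json` as non-sensitive is an assumption.

```rust
// Added example, not Anchor's code: a simplified line scanner (not a full
// TOML parser) that finds wallet paths in the [provider] table of Anchor.toml.

/// Default keypair path quoted in the thread; assumed here to be non-revealing.
const DEFAULT_WALLET: &str = "~/.config/solana/id.json";

/// Collects every `wallet` value under `[provider]`, including commented-out
/// lines, because a published file carries its comments with it.
fn provider_wallets(toml: &str) -> Vec<String> {
    let mut in_provider = false;
    let mut found = Vec::new();
    for raw in toml.lines() {
        let trimmed = raw.trim();
        let commented = trimmed.starts_with('#');
        let line = trimmed.trim_start_matches('#').trim();
        if line.starts_with('[') {
            if !commented {
                in_provider = line == "[provider]";
            }
            continue;
        }
        if in_provider {
            if let Some((key, value)) = line.split_once('=') {
                if key.trim() == "wallet" {
                    let v = value.trim().trim_matches(|c: char| c == '"' || c == '\'');
                    found.push(v.to_string());
                }
            }
        }
    }
    found
}

/// One warning per wallet path that differs from the default.
fn publish_warnings(toml: &str) -> Vec<String> {
    provider_wallets(toml)
        .into_iter()
        .filter(|w| w.as_str() != DEFAULT_WALLET)
        .map(|w| format!("[provider].wallet = \"{}\" would be uploaded with Anchor.toml", w))
        .collect()
}

fn main() {
    // Constructed sample; both paths are made-up placeholders.
    let sample = "[provider]\ncluster = \"mainnet\"\n# wallet = \"/home/alice/dev.json\"\nwallet = \"/home/alice/mainnet.json\"\n";
    for w in publish_warnings(sample) {
        eprintln!("warning: {}", w);
    }
}
```

The commented-out entry is reported as well, since commenting a line out does not keep it from being uploaded with the file.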