onflow / flow-cli

The Flow CLI is a command-line interface that provides useful utilities for building Flow applications
https://onflow.org
Apache License 2.0

Run scripts/transactions from url #1468

Open janezpodhostnik opened 3 months ago

janezpodhostnik commented 3 months ago

Description

A lot of times I find myself using commands like this:

flow scripts execute <(curl -s "https://raw.githubusercontent.com/onflow/flow-core-contracts/stable-cadence/transactions/flowToken/scripts/get_supply.cdc") -n some_network

It would be nice to support something like this:

flow scripts execute "https://raw.githubusercontent.com/onflow/flow-core-contracts/stable-cadence/transactions/flowToken/scripts/get_supply.cdc" -n some_network

Another potential option is that you would list "sources" in the flow.json:

"sources":{
    "core-contracts": "https://raw.githubusercontent.com/onflow/flow-core-contracts/stable-cadence/transactions"
}

and then you could use it like this:

flow scripts execute "core-contracts:transactions/flowToken/scripts/get_supply.cdc" -n some_network

chasefleming commented 2 months ago

@janezpodhostnik This is a cool idea. But, one potential issue is that a seemingly harmless URL used by many could eventually be switched to something malicious after gaining trust.

One method we've been exploring to address this is through FLIX and the Dependency Manager. Currently, you can execute a script or transaction using a FLIX from the CLI. This means that these could be encapsulated within a FLIX for execution. We also plan to enable the Dependency Manager to import scripts and transactions from URLs directly into your project for local execution. This would also somewhat address what you're trying to do.

Although, we want to integrate commands for commonly used functions in the near future directly into the CLI, like querying supply, transferring flow, etc. Are there any interactions that you use often, which we should prioritize?

janezpodhostnik commented 2 months ago

Using any CLI commands comes with a risk and a disclaimer "I know what the commands I am running do". Nothing is stopping you from running "rm -rf /".

While I think the CLI should take some effort to reduce footguns, I also think worrying about the URL destination switching on the user over time is not the responsibility of the CLI, but the responsibility of the user.
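One way the proposed `sources` aliases could be resolved while still catching the "URL quietly switches to something else" problem raised above is to pin the SHA-256 of each script at first use and refuse anything that no longer matches. This is an added sketch, not flow-cli code: the `ResolveRef`, `Sha256Hex` and `FetchPinned` names, the https-only rule and the 1 MiB cap are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// ErrSourceMismatch: the downloaded script differs from the hash the user pinned.
var ErrSourceMismatch = errors.New("fetched script does not match pinned sha256")

// ResolveRef maps "alias:path" to a URL via the flow.json "sources" idea from
// the issue; it refuses unknown aliases, non-https bases and ".." segments.
func ResolveRef(sources map[string]string, ref string) (string, error) {
	alias, rel, ok := strings.Cut(ref, ":")
	if !ok || strings.Contains(rel, "..") {
		return "", fmt.Errorf("bad script reference %q", ref)
	}
	base, ok := sources[alias]
	if !ok || !strings.HasPrefix(base, "https://") {
		return "", fmt.Errorf("source %q is unknown or not https", alias)
	}
	return strings.TrimSuffix(base, "/") + "/" + strings.TrimPrefix(rel, "/"), nil
}

// Sha256Hex returns the lowercase hex SHA-256 of b (the value a user would pin).
func Sha256Hex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// FetchPinned downloads url and returns the body only if its SHA-256 equals
// pinHex, so a later swap of the upstream file (or an error page) is rejected.
func FetchPinned(client *http.Client, url, pinHex string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // cap at 1 MiB (assumed limit)
	if err != nil {
		return nil, err
	}
	if Sha256Hex(body) != strings.ToLower(pinHex) {
		return nil, ErrSourceMismatch
	}
	return body, nil
}
```

The pin would be recorded next to the alias the first time the user reviews and runs the script; from then on a changed upstream file fails with `ErrSourceMismatch` instead of being executed.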