The Collection::remove function will not validate that the itemId exists, permitting a potentially empty or previously deleted entry to be removed again and reduce the size of the collection incorrectly.
Impact:
The size of a collection can be presently manipulated by removing entries that are not present within it.
Example:
function remove(uint256 itemId) public onlyOwner {
uint256 prev = _items[itemId].prev;
uint256 next = _items[itemId].next;
if (--size == 0) {
_head = _tail = 0;
} else {
if (_head == itemId) {
_head = _items[itemId].next;
}
if (_tail == itemId) {
_tail = _items[itemId].prev;
}
_items[prev].next = next;
_items[next].prev = prev;
}
delete _items[itemId];
}
Recommendation:
We advise the Collection::remove function to ensure that the itemId entry exists, potentially by preventing zero-value itemId entries in the Collection::append function and ensuring that either prev or next are non-zero in the Collection::remove function.
chasebrownn
commented
5 months ago
CNO-01M: Inexistent Validity of Entry Existence
Description:
The
Collection::removefunction will not validate that theitemIdexists, permitting a potentially empty or previously deleted entry to be removed again and reduce thesizeof the collection incorrectly.Impact:
The
sizeof a collection can be presently manipulated by removing entries that are not present within it.Example:
Recommendation:
We advise the
Collection::removefunction to ensure that theitemIdentry exists, potentially by preventing zero-valueitemIdentries in theCollection::appendfunction and ensuring that eitherprevornextare non-zero in theCollection::removefunction.