feat(forge): add script execution protection config (#10408)

grandizzy · DaniPopes · web-flow · commit 497b6ee597a6 · 2025-04-30T16:43:20.000+03:00
* feat(forge): add script execution protection config

* Update crates/config/src/lib.rs

Co-authored-by: DaniPopes &lt;57450786+DaniPopes@users.noreply.github.com&gt;

---------

Co-authored-by: DaniPopes &lt;57450786+DaniPopes@users.noreply.github.com&gt;
diff --git a/crates/config/src/lib.rs b/crates/config/src/lib.rs
@@ -523,6 +523,9 @@ pub struct Config {
     #[serde(default)]
     pub compilation_restrictions: Vec<CompilationRestrictions>,
 
+    /// Whether to enable script execution protection.
+    pub script_execution_protection: bool,
+
     /// PRIVATE: This structure may grow, As such, constructing this structure should
     /// _always_ be done using a public constructor or update syntax:
     ///
@@ -2412,6 +2415,7 @@ impl Default for Config {
             additional_compiler_profiles: Default::default(),
             compilation_restrictions: Default::default(),
             eof: false,
+            script_execution_protection: true,
             _non_exhaustive: (),
         }
     }
diff --git a/crates/evm/evm/src/executors/mod.rs b/crates/evm/evm/src/executors/mod.rs
@@ -258,7 +258,7 @@ impl Executor {
     }
 
     #[inline]
-    pub fn set_script(&mut self, script_address: Address) {
+    pub fn set_script_execution(&mut self, script_address: Address) {
         self.inspector_mut().script(script_address);
     }
 
diff --git a/crates/forge/tests/cli/config.rs b/crates/forge/tests/cli/config.rs
@@ -169,6 +169,7 @@ forgetest!(can_extract_config_values, |prj, cmd| {
         additional_compiler_profiles: Default::default(),
         compilation_restrictions: Default::default(),
         eof: false,
+        script_execution_protection: true,
         _non_exhaustive: (),
     };
     prj.write_config(input.clone());
@@ -1041,6 +1042,7 @@ transaction_timeout = 120
 eof = false
 additional_compiler_profiles = []
 compilation_restrictions = []
+script_execution_protection = true
 
 [profile.default.rpc_storage_caching]
 chains = "all"
@@ -1298,7 +1300,8 @@ exclude = []
   "transaction_timeout": 120,
   "eof": false,
   "additional_compiler_profiles": [],
-  "compilation_restrictions": []
+  "compilation_restrictions": [],
+  "script_execution_protection": true
 }
 
 "#]]);
diff --git a/crates/forge/tests/cli/script.rs b/crates/forge/tests/cli/script.rs
@@ -2668,6 +2668,17 @@ Error: Usage of `address(this)` detected in script contract. Script contracts ar
 Error: script failed: <empty revert data>
 ...
 
+"#]]);
+
+    // Disable script protection.
+    prj.update_config(|config| {
+        config.script_execution_protection = false;
+    });
+    cmd.assert_success().stdout_eq(str![[r#"
+...
+Script ran successfully.
+...
+
 "#]]);
 });
 
diff --git a/crates/script/src/execute.rs b/crates/script/src/execute.rs
@@ -144,9 +144,8 @@ impl PreExecutionState {
             &self.build_data.predeploy_libraries,
             self.execution_data.bytecode.clone(),
             needs_setup(&self.execution_data.abi),
-            self.script_config.sender_nonce,
+            &self.script_config,
             self.args.broadcast,
-            self.script_config.evm_opts.fork_url.is_none(),
         )?;
 
         if setup_result.success {
diff --git a/crates/script/src/runner.rs b/crates/script/src/runner.rs
@@ -1,4 +1,4 @@
-use super::ScriptResult;
+use super::{ScriptConfig, ScriptResult};
 use crate::build::ScriptPredeployLibraries;
 use alloy_eips::eip7702::SignedAuthorization;
 use alloy_primitives::{Address, Bytes, TxKind, U256};
@@ -33,9 +33,8 @@ impl ScriptRunner {
         libraries: &ScriptPredeployLibraries,
         code: Bytes,
         setup: bool,
-        sender_nonce: u64,
+        script_config: &ScriptConfig,
         is_broadcast: bool,
-        need_create2_deployer: bool,
     ) -> Result<(Address, ScriptResult)> {
         trace!(target: "script", "executing setUP()");
 
@@ -45,11 +44,12 @@ impl ScriptRunner {
                 self.executor.set_balance(self.evm_opts.sender, U256::MAX)?;
             }
 
-            if need_create2_deployer {
+            if script_config.evm_opts.fork_url.is_none() {
                 self.executor.deploy_create2_deployer()?;
             }
         }
 
+        let sender_nonce = script_config.sender_nonce;
         self.executor.set_nonce(self.evm_opts.sender, sender_nonce)?;
 
         // We max out their balance so that they can deploy and make calls.
@@ -158,7 +158,9 @@ impl ScriptRunner {
         }
 
         // set script address to be used by execution inspector
-        self.executor.set_script(address);
+        if script_config.config.script_execution_protection {
+            self.executor.set_script_execution(address);
+        }
 
         traces.extend(constructor_traces.map(|traces| (TraceKind::Deployment, traces)));
 

Original file line number	Diff line number	Diff line change
`@@ -258,7 +258,7 @@ impl Executor {`
`258`	`258`	`}`
`259`	`259`
`260`	`260`	`#[inline]`
`261`		`- pub fn set_script(&mut self, script_address: Address) {`
	`261`	`+ pub fn set_script_execution(&mut self, script_address: Address) {`
`262`	`262`	`self.inspector_mut().script(script_address);`
`263`	`263`	`}`
`264`	`264`