fix(safety): close the 3 high-severity findings (wire-safe) #15

Merged: sepahead merged 1 commit into main from fix/safety-high-findings on Jun 29, 2026

Conversation

@sepahead (Owner)

Summary

Fixes the 3 high-severity items from KNOWN_LIMITATIONS.md. All wire-safe (no on-wire contract change), so safe for Engram/crebain/prisoma. +3 regression tests; ncp-core suite 102 passing; rustfmt-1.88 + clippy -D warnings clean.

  • bulk.rs decode — OOM amplification (DoS): added a cumulative allocation budget; overlapping/duplicate column data offsets can no longer declare more total payload than the input holds (decode allocates per-column n_rows). Test: decode_rejects_amplifying_overlap.
  • safety.rs CommandWatchdog — fail-OPEN on unbounded ttl: a non-finite (+Inf) ttl_ms made (now-t) > ttl never true → watchdog never fired. Now non-finite → immediately stale; large values clamp to a finite ceiling (MAX_TTL_MS). Wire ttl_ms unchanged. Test: unbounded_or_nonfinite_ttl_still_expires.
  • safety.rs geofence — empty-position bypass: an empty position vector read as r=0 (origin, inside any fence). Now fails closed to HOLD like an absent channel. Test: empty_position_holds_under_geofence.

NCP main CI is pre-existing-red (fmt-on-src / cargo-deny / ts-dist), unrelated to this change; my additions are fmt+clippy clean.

bulk.rs decode: add a cumulative allocation budget so overlapping/duplicate column data offsets can't declare more total payload than the input holds (was a memory-amplification / OOM vector from a tiny hostile block).

safety.rs CommandWatchdog: bound the enforced ttl — a non-finite (+Inf) ttl_ms made the deadline never fire (fail-OPEN); now non-finite -> immediately stale and large values clamp to a finite ceiling (wire ttl_ms unchanged).

safety.rs geofence: an empty position vector read as r=0 ('at the origin', inside any fence), silently bypassing the geofence; now fails closed to HOLD like an absent channel.

All wire-safe (no contract change). Adds 3 regression tests; ncp-core suite 102 passing; rustfmt-1.88 + clippy -D warnings clean. From KNOWN_LIMITATIONS.md (the 3 HIGH items).
@sepahead sepahead merged commit 0672168 into main Jun 29, 2026
3 of 6 checks passed
@sepahead sepahead deleted the fix/safety-high-findings branch June 29, 2026 08:11
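The three fail-closed checks described in the PR summary and the commit message above, written here as an added Rust example that is not the ncp-core code: the function names, the `Decision` enum and the value of `MAX_TTL_MS` are assumptions, and each fail-open form sits beside its hardened form. The hardened watchdog additionally treats a non-finite age as stale, which goes slightly beyond what the PR text states.

```rust
/// Ceiling on the enforced ttl; the name is from the PR text, the value is an assumption here.
const MAX_TTL_MS: f64 = 60_000.0;

#[derive(Debug, PartialEq)]
pub enum Decision { Pass, Hold }

/// Fail-OPEN form described in the PR: with ttl_ms = +Inf, `age > ttl` is never true.
pub fn watchdog_stale_before(now_ms: f64, last_cmd_ms: f64, ttl_ms: f64) -> bool {
    (now_ms - last_cmd_ms) > ttl_ms
}

/// Fail-CLOSED form: non-finite ttl (or age) is stale at once; a large ttl clamps to MAX_TTL_MS.
pub fn watchdog_stale_after(now_ms: f64, last_cmd_ms: f64, ttl_ms: f64) -> bool {
    let age = now_ms - last_cmd_ms;
    if !ttl_ms.is_finite() || !age.is_finite() {
        return true;
    }
    age > ttl_ms.clamp(0.0, MAX_TTL_MS)
}

/// Fail-OPEN geofence: an empty position vector folds to r = 0 (the origin) and passes.
pub fn geofence_before(position: Option<&[f64]>, fence_radius: f64) -> Decision {
    match position {
        None => Decision::Hold,
        Some(p) => radius_decision(p, fence_radius),
    }
}

/// Fail-CLOSED geofence: an empty or non-finite position is treated like an absent channel.
pub fn geofence_after(position: Option<&[f64]>, fence_radius: f64) -> Decision {
    match position {
        Some(p) if !p.is_empty() && p.iter().all(|c| c.is_finite()) => radius_decision(p, fence_radius),
        _ => Decision::Hold,
    }
}

fn radius_decision(p: &[f64], fence_radius: f64) -> Decision {
    let r = p.iter().map(|c| c * c).sum::<f64>().sqrt();
    if r <= fence_radius { Decision::Pass } else { Decision::Hold }
}

/// Cumulative decode budget: every column's declared payload draws from one budget equal
/// to the input length, so overlapping/duplicate offsets cannot out-declare the block.
pub fn columns_within_budget(declared_bytes: &[usize], input_len: usize) -> bool {
    declared_bytes.iter().try_fold(input_len, |budget, &n| budget.checked_sub(n)).is_some()
}
```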