Skip to content

Harden URL/DHT parsing, fix repo write credential, load nextest config#34

Merged
tripledoublev merged 2 commits into
mainfrom
worktree-safe-fixes
May 31, 2026
Merged

Harden URL/DHT parsing, fix repo write credential, load nextest config#34
tripledoublev merged 2 commits into
mainfrom
worktree-safe-fixes

Conversation

@tripledoublev

Copy link
Copy Markdown
Collaborator

Summary

Four safe, self-contained fixes from a review of the group/repo key handling. No public API signatures change.

  • Parsing panics → errors. public_key_from_query / secret_key_from_query / shared_secret_from_query used copy_from_slice into a [u8; 32], panicking on a wrong-length value from an attacker-controlled join URL. Replaced with a shared key_bytes_from_query helper that errors on bad hex or wrong length.
  • Decrypt panic → error. decrypt_aead sliced data[..24] with no length check, panicking on a short/hostile DHT value. Added a guard that returns an error when the value can't carry a nonce.
  • Repo write credential. create_repo built the in-memory Repo with the group's owner secret instead of the repo record's own. Now uses repo_dht_record.owner_secret(), matching the CommonKeypair persisted alongside it.
  • Nextest config actually loads. The root nextest.toml was never read (nextest loads .config/nextest.toml) and used the invalid test-timeout key. Moved to .config/nextest.toml and switched to slow-timeout = { period = "600s", terminate-after = 1 }. It now loads with no warnings, enforcing the intended 10-minute hard per-test timeout.

Notes

  • --test-threads=1 --retries=3 in CI already matched the config values; the new effect is the hard per-test timeout now taking effect.
  • Architectural items from the review (owner-secret in invite URL, backend mutex held across network I/O, slot-count repo advertisement races) were intentionally left out of this PR.

Verification

  • cargo build, cargo fmt --check, cargo clippy --all-targets --all-features -- -D warnings all pass.
  • cargo nextest list auto-loads .config/nextest.toml with no warnings.

🤖 Generated with Claude Code

- Error instead of panic on malformed join-URL keys and short ciphertext
- Use the repo record's own owner secret as its write credential
- Move nextest.toml to .config/ and use slow-timeout so it actually loads
@tripledoublev tripledoublev merged commit 4d797a4 into main May 31, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant