Harden URL/DHT parsing, fix repo write credential, load nextest config#34
Merged
Conversation
- Error instead of panic on malformed join-URL keys and short ciphertext - Use the repo record's own owner secret as its write credential - Move nextest.toml to .config/ and use slow-timeout so it actually loads
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Four safe, self-contained fixes from a review of the group/repo key handling. No public API signatures change.
public_key_from_query/secret_key_from_query/shared_secret_from_queryusedcopy_from_sliceinto a[u8; 32], panicking on a wrong-length value from an attacker-controlled join URL. Replaced with a sharedkey_bytes_from_queryhelper that errors on bad hex or wrong length.decrypt_aeadsliceddata[..24]with no length check, panicking on a short/hostile DHT value. Added a guard that returns an error when the value can't carry a nonce.create_repobuilt the in-memoryRepowith the group's owner secret instead of the repo record's own. Now usesrepo_dht_record.owner_secret(), matching theCommonKeypairpersisted alongside it.nextest.tomlwas never read (nextest loads.config/nextest.toml) and used the invalidtest-timeoutkey. Moved to.config/nextest.tomland switched toslow-timeout = { period = "600s", terminate-after = 1 }. It now loads with no warnings, enforcing the intended 10-minute hard per-test timeout.Notes
--test-threads=1 --retries=3in CI already matched the config values; the new effect is the hard per-test timeout now taking effect.Verification
cargo build,cargo fmt --check,cargo clippy --all-targets --all-features -- -D warningsall pass.cargo nextest listauto-loads.config/nextest.tomlwith no warnings.🤖 Generated with Claude Code