fix: address security-audit findings in verify and content#14
Merged
Conversation
Five findings from an audit of the tool. verify exit code (critical): verify reported 'reject' but the process exited 0, so CI and scripts could treat an invalid document as valid. Commands now return an Outcome; a verify reject maps to a non-zero exit. An integration test guards the contract. verify default --now (medium): the default verified-time reference was a fixed 2026-05-07 date, already stale, which silently passed an expired canary. Default to the current system UTC clock instead (printed as a note); --now still overrides for reproducibility. content image read (medium): reading image files for the hash and dimensions is now hardened against a hostile repository - the resolved path must stay inside the assets directory (rejecting symlinks that point out), the target must be a regular file, and it must not exceed the 2 MiB image cap. Legitimate images are unaffected. verify --content-index (low): supplying --content-index without --fetched-onion silently skipped Stage 9b; it is now an explicit error, and the skip note covers the no-onion case. init scaffold (low): the generated README now shows build manifest with --key-seed-file instead of an inline --key-seed-hex, matching the seed-handling guidance. Tests cover the symlink and size-cap rejections and the verify exit code. cargo audit clean with the added time dependency.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes the five findings from a security audit of the tool. All five were confirmed against the code before fixing.
verify exit code (critical).
verifyprintedverdict: rejectbut the process exited 0, so CI and scripts could treat an invalid document as valid. Commands now return anOutcome; a verify reject maps to a non-zero exit. An integration test (tests/exit_code.rs) guards the contract.verify default --now (medium). The default time reference was a fixed
2026-05-07date, already stale, which silently passed an expired canary. Default to the current system UTC clock (printed as a note);--nowstill overrides for reproducibility.content image read (medium). Reading image files for the hash and dimensions is hardened against a hostile repository: the resolved path must stay inside the assets directory (rejecting symlinks pointing out), the target must be a regular file, and it must not exceed the 2 MiB image cap. Legitimate images are unaffected.
verify --content-index (low).
--content-indexwithout--fetched-onionsilently skipped Stage 9b; now an explicit error, and the skip note covers the no-onion case.init scaffold (low). The generated README shows
build manifest --key-seed-fileinstead of an inline--key-seed-hex, matching the seed-handling guidance.New tests cover the symlink and size-cap rejections and the verify exit code (17 total). fmt, clippy -D warnings, build, and test green with --locked;
cargo auditclean.