Skip to content

fix: hardening#49

Open
Julusian wants to merge 4 commits into
mainfrom
fix/hardening
Open

fix: hardening#49
Julusian wants to merge 4 commits into
mainfrom
fix/hardening

Conversation

@Julusian

Copy link
Copy Markdown
Member

About the Contributor

This pull request is posted on behalf of Bitfocus Companion

Type of Contribution

This is a: Bug fix

Current Behavior

Some potential DOS vulnerabilities have been identified

New Behavior

Testing Instructions

Other Information

Status

  • PR is ready to be reviewed.
  • The functionality has been tested by the author.
  • Relevant unit tests has been added / updated.
  • Relevant documentation (code comments, system documentation) has been added / updated.

@coderabbitai

coderabbitai Bot commented Jun 24, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@Julusian, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 53 minutes and 17 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 8789cc81-52b9-426c-b643-3a6670d49692

📥 Commits

Reviewing files that changed from the base of the PR and between 0bdb4c8 and a2dd77a.

📒 Files selected for processing (2)
  • src/Ember/Socket/S101Socket.ts
  • src/S101/S101Codec.ts

Walkthrough

Adds a BER REAL zero-significand guard, introduces a dedicated S101 oversized-frame error and size limits in the codec, and updates socket/client paths and tests to drop connections on oversized input while preserving normal decoding.

Changes

BER REAL zero-significand guard

Layer / File(s) Summary
REAL zero-significand handling
src/Ber/Reader.ts, src/Ber/__tests__/reader.spec.ts
Reader.readReal returns 0 or -0 when the significand is zero, and the spec adds timeout-bounded regressions plus round-trip decode coverage.

S101 oversized-input handling

Layer / File(s) Summary
Codec size limits and oversized errors
src/Errors.ts, src/S101/S101Codec.ts, src/S101/__tests__/S101Codec.spec.ts
S101OversizedFrameError is exported, S101Codec enforces frame and multi-packet size caps, and the codec spec covers oversized and keepalive paths.
Socket and client disconnect on oversized input
src/Ember/Socket/S101Client.ts, src/Ember/Socket/S101Socket.ts, src/Ember/Socket/__tests__/S101Socket.spec.ts
S101Client and S101Socket handle S101OversizedFrameError by closing or destroying the connection, and the socket spec covers oversized disconnect and bad-CRC behavior.

Sequence Diagram(s)

sequenceDiagram
  participant Peer
  participant S101Socket
  participant S101Client
  participant S101Codec

  alt S101Socket.connect data path
    Peer->>S101Socket: data event
    S101Socket->>S101Codec: dataIn(data)
    S101Codec-->>S101Socket: throw S101OversizedFrameError
    S101Socket->>S101Socket: destroy()
  else S101Client.connect data path
    Peer->>S101Client: data event
    S101Client->>S101Codec: dataIn(data)
    S101Codec-->>S101Client: throw S101OversizedFrameError
    S101Client->>S101Client: handleClose()
  end
Loading

Review effort

🎯 3 (Moderate) | ⏱️ ~30 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is vague and generic, so it does not clearly summarize the specific hardening changes. Rename it to mention the Ember+ DoS hardening, such as preventing oversized frames and reader hangs.
✅ Passed checks (4 passed)
Check name Status Explanation
Description check ✅ Passed The description is related to the changeset and accurately frames it as a bug fix for potential DoS vulnerabilities.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/hardening

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🧹 Nitpick comments (2)
src/S101/__tests__/S101Codec.spec.ts (1)

42-60: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Add a regression test for oversized first multi-packet fragment.

Current coverage only overflows during continuation frames. Add a case where FLAG_FIRST_MULTI_PACKET alone exceeds the cap and is rejected/reset immediately.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/S101/__tests__/S101Codec.spec.ts` around lines 42 - 60, Add a regression
case in S101Codec.spec.ts for the oversized first fragment path: the current
test in S101Codec.handleEmberFrame only covers overflow during continuation
frames, so add a scenario where makeEmberFrame with FLAG_FIRST_MULTI_PACKET and
a payload that already exceeds the reassembly cap is rejected immediately.
Verify the oversized error is thrown and that the codec state is reset afterward
by checking multiPacketBuffer and isMultiPacket on S101Codec.
src/Ember/Socket/__tests__/S101Socket.spec.ts (1)

19-35: 📐 Maintainability & Code Quality | 🔵 Trivial | ⚡ Quick win

Strengthen oversized test with state assertions.

Please also assert disconnected emission and status === ConnectionStatus.Disconnected after the destroy path, so state regressions are caught.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/Ember/Socket/__tests__/S101Socket.spec.ts` around lines 19 - 35, The
oversized-frame test in S101Socket.spec should also verify the socket’s state
transition after the destroy path. Extend the existing test around S101Socket
and FakeSocket to assert that the disconnected event is emitted and that the
S101Socket status becomes ConnectionStatus.Disconnected once the peer is
destroyed, alongside the current destroyed/error checks.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/Ember/Socket/S101Socket.ts`:
- Around line 78-81: The oversized-frame drop path in S101Socket can leave the
instance marked as Connected after this.socket?.destroy() triggers the close
flow. Update the oversized error handling in S101Socket and the related
close-state logic so an intentional destroy from S101OversizedFrameError does
not reset status back to ConnectionStatus.Connected; instead, ensure the socket
state is set to a disconnected/closed state consistently in the close handler or
before destroying the socket.

In `@src/S101/S101Codec.ts`:
- Around line 257-263: The multi-packet size guard in S101Codec only runs after
continuation fragments, so an oversized first fragment can still be buffered
past MAX_MULTI_PACKET_SIZE. Update the multi-packet handling in S101Codec so the
size check is applied when the first fragment is written as well as in the
continuation path, reusing the existing resetMultiPacketBuffer and
S101OversizedFrameError flow to drop the message as soon as the accumulated
buffer exceeds the limit.

---

Nitpick comments:
In `@src/Ember/Socket/__tests__/S101Socket.spec.ts`:
- Around line 19-35: The oversized-frame test in S101Socket.spec should also
verify the socket’s state transition after the destroy path. Extend the existing
test around S101Socket and FakeSocket to assert that the disconnected event is
emitted and that the S101Socket status becomes ConnectionStatus.Disconnected
once the peer is destroyed, alongside the current destroyed/error checks.

In `@src/S101/__tests__/S101Codec.spec.ts`:
- Around line 42-60: Add a regression case in S101Codec.spec.ts for the
oversized first fragment path: the current test in S101Codec.handleEmberFrame
only covers overflow during continuation frames, so add a scenario where
makeEmberFrame with FLAG_FIRST_MULTI_PACKET and a payload that already exceeds
the reassembly cap is rejected immediately. Verify the oversized error is thrown
and that the codec state is reset afterward by checking multiPacketBuffer and
isMultiPacket on S101Codec.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 54e1fce3-1d92-43b6-ad5d-09807f6b3298

📥 Commits

Reviewing files that changed from the base of the PR and between 67d143f and 0bdb4c8.

📒 Files selected for processing (8)
  • src/Ber/Reader.ts
  • src/Ber/__tests__/reader.spec.ts
  • src/Ember/Socket/S101Client.ts
  • src/Ember/Socket/S101Socket.ts
  • src/Ember/Socket/__tests__/S101Socket.spec.ts
  • src/Errors.ts
  • src/S101/S101Codec.ts
  • src/S101/__tests__/S101Codec.spec.ts

Comment thread src/Ember/Socket/S101Socket.ts
Comment thread src/S101/S101Codec.ts
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant