fix: security hardening — 40 findings from full codebase review
Full codebase review by 4 independent agents (security, architecture,
code quality, correctness) identified ~80 findings. This commit fixes 40
of them across all workspace crates.
Critical fixes:
- Federation service: validate origin against mTLS cert CN/SAN (C1)
- WS bridge: add DM channel auth, size limits, rate limiting (C2)
- hpke_seal: panic on error instead of silent empty ciphertext (C3)
- hpke_setup_sender_and_export: error on parse fail, no PQ downgrade (C7)
Security fixes:
- Zeroize: seed_bytes() returns Zeroizing<[u8;32]>, private_to_bytes()
returns Zeroizing<Vec<u8>>, ClientAuth.access_token, SessionState.password,
conversation hex_key all wrapped in Zeroizing
- Keystore: 0o600 file permissions on Unix
- MeshIdentity: 0o600 file permissions on Unix
- Timing floors: resolveIdentity + WS bridge resolve_user get 5ms floor
- Mobile: TLS verification gated behind insecure-dev feature flag
- Proto: from_bytes default limit tightened from 64 MiB to 8 MiB
Correctness fixes:
- fetch_wait: register waiter before fetch to close TOCTOU window
- MeshEnvelope: exclude hop_count from signature (forwarding no longer
invalidates sender signature)
- BroadcastChannel: encrypt returns Result instead of panicking
- transcript: rename verify_transcript_chain → validate_transcript_structure
- group.rs: extract shared process_incoming() for receive_message variants
- auth_ops: remove spurious RegistrationRequest deserialization
- MeshStore.seen: bounded to 100K with FIFO eviction
Quality fixes:
- FFI error classification: typed downcast instead of string matching
- Plugin HookVTable: SAFETY documentation for unsafe Send+Sync
- clippy::unwrap_used: warn → deny workspace-wide
- Various .unwrap_or("") → proper error returns
Review report: docs/REVIEW-2026-03-04.md
152 tests passing (72 core + 35 server + 14 E2E + 1 doctest + 30 P2P)
This commit is contained in:
@@ -190,16 +190,19 @@
|
||||
<span id="conn-status" class="status info">Disconnected</span>
|
||||
</div>
|
||||
<div class="bridge-note">
|
||||
The native qpq server speaks Cap'n Proto RPC over QUIC/TCP + Noise_XX.
|
||||
A WebSocket-to-capnp bridge proxy is required for browser connectivity.
|
||||
This demo's transport layer sends JSON-framed requests over WebSocket.
|
||||
The qpq server provides a built-in WebSocket JSON-RPC bridge.
|
||||
Start the server with <code>--ws-listen 0.0.0.0:9000</code> to enable browser connectivity.
|
||||
This demo sends JSON-framed requests over WebSocket.
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<!-- Chat -->
|
||||
<div class="card">
|
||||
<h2>Chat</h2>
|
||||
<input type="text" id="chat-user" placeholder="Recipient username">
|
||||
<div class="grid">
|
||||
<input type="text" id="chat-me" placeholder="Your username (sender)">
|
||||
<input type="text" id="chat-user" placeholder="Recipient username">
|
||||
</div>
|
||||
<input type="text" id="chat-msg" placeholder="Message">
|
||||
<div class="row">
|
||||
<button id="btn-send" disabled>Send</button>
|
||||
@@ -416,7 +419,7 @@ $('btn-connect').addEventListener('click', () => {
|
||||
ws.addEventListener('error', () => {
|
||||
$('conn-status').textContent = 'Connection error';
|
||||
$('conn-status').className = 'status err';
|
||||
log('WebSocket error -- is the bridge proxy running?', 'err');
|
||||
log('WebSocket error -- start server with --ws-listen 0.0.0.0:9000', 'err');
|
||||
});
|
||||
|
||||
ws.addEventListener('message', (ev) => {
|
||||
@@ -457,19 +460,20 @@ function sendRpc(method, params) {
|
||||
}
|
||||
|
||||
$('btn-send').addEventListener('click', () => {
|
||||
const me = $('chat-me').value;
|
||||
const user = $('chat-user').value;
|
||||
const msg = $('chat-msg').value;
|
||||
if (!me) { log('Enter your username first', 'info'); return; }
|
||||
if (!user || !msg) return;
|
||||
sendRpc('send', { recipient: user, message: msg });
|
||||
sendRpc('send', { username: me, recipient: user, message: msg });
|
||||
});
|
||||
|
||||
$('btn-recv').addEventListener('click', () => {
|
||||
const me = $('chat-me').value;
|
||||
const user = $('chat-user').value;
|
||||
if (!user) {
|
||||
log('Enter a recipient username first', 'info');
|
||||
return;
|
||||
}
|
||||
sendRpc('receive', { recipient: user });
|
||||
if (!me) { log('Enter your username first', 'info'); return; }
|
||||
if (!user) { log('Enter a recipient username first', 'info'); return; }
|
||||
sendRpc('receive', { username: me, recipient: user });
|
||||
});
|
||||
</script>
|
||||
</body>
|
||||
|
||||
Reference in New Issue
Block a user