Skip to content

Security: cap client onStatus AMF keys and recv_buffer staging#104

Draft
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-ea93
Draft

Security: cap client onStatus AMF keys and recv_buffer staging#104
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/application-security-review-ea93

Conversation

@cursor

@cursor cursor Bot commented Jul 12, 2026

Copy link
Copy Markdown
Contributor

Harden client onStatus parsing and recv_buffer staging cap

Open in Web View Automation 

View with Codesmith Autofix with Codesmith
Need help on this PR? Tag /codesmith with what you need. Autofix is disabled.

- Cap read_onstatus object keys at MAX_OBJECT_KEYS (256), matching
  read_connect and skip_value limits elsewhere in the AMF layer.
- Apply the same 8 MiB recv_buffer staging cap used on the server
  to Client::poll and recv_message so a malicious server cannot
  retain up to 64 MiB of incomplete wire data per connection.

Co-authored-by: Alexander Wagner <info@alexanderwagnerdev.com>
@coderabbitai

coderabbitai Bot commented Jul 12, 2026

Copy link
Copy Markdown

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 17017b74-91c2-46fb-a314-cea524654490

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch cursor/application-security-review-ea93

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant