Skip to content

fix: harden validation and error handling (audit #18-#34)#35

Open
LKSNDRTMLKV wants to merge 6 commits into
mainfrom
fix/core-audit
Open

fix: harden validation and error handling (audit #18-#34)#35
LKSNDRTMLKV wants to merge 6 commits into
mainfrom
fix/core-audit

Conversation

@LKSNDRTMLKV

Copy link
Copy Markdown
Member

Summary

Hardening pass across dpp-core closing the open audit findings (#18#34). Every fix is defensive: malformed, adversarial, or out-of-bounds input that previously panicked, failed open, or silently mis-validated now fails closed with an explicit error. Each change ships with a regression test, and the full just check gate is green.

Fixes by crate

dpp-domain (#24) — patch_fields no longer bypasses the passport state machine; redact() fails closed instead of leaking confidential fields when a field is unknown; schema validation and catalog registration reject malformed input; semver parsed via semver::Version.

dpp-crypto (#22) — keystore decrypt returns Result on a malformed/legacy on-disk nonce instead of panicking.

dpp-rules (#21) — bundle verification returns an error on attacker-controlled non-finite JSON numbers instead of panicking; content hashing is now fallible.

dpp-digital-link (#23) — malformed/duplicate GS1 AI segments are rejected rather than silently mis-parsed; decoded values are length-capped.

dpp-registry (#27) — mandatory Article-13 identifier fields (operator name/country) can no longer be empty and still pass validate().

dpp-plugin-traits (#20) — the ABI result surfaces serialization errors instead of swallowing them; non-finite metrics become a hard serialization error; the version-range fallback no longer silently accepts non-semver strings.

dpp-plugin-sdk (#26) — raw ABI pointer math is guarded off wasm32; an oversized allocation request returns an error instead of panicking the instance; added optional_range / optional_non_negative helpers.

dpp-calc (#19) — the CO2e ruleset gains an effective-date guard (RulesetNotYetEffective), guards against silent overflow to Infinity, and corrects the contradictory expiry message.

Sector plugins (#18, #28#34) — furniture, aluminium, steel, electronics, detergent, tyre, textile, battery: each plugin now bounds-checks its metrics and validates its discriminating fields (productionRoute, tyreClass, fibre-composition sum, repairability/CO2e bounds, biodegradable declaration, battery recycled-content scoping + chemistry-conflict) instead of falling through to the most permissive verdict.

Testing

just check green: fmt-check · clippy --workspace --all-targets -D warnings · debug-check · subjects-check · mod-rs-check · cargo nextest --workspace · audit, plus RUSTDOCFLAGS="-D warnings" cargo doc.

Note

Core issue #25 (dpp-evidence transfer/kid verification) is intentionally not closed here — its fix lives in the dpp-engine PR (dpp-vault verification module).

Closes #18, #19, #20, #21, #22, #23, #24, #26, #27, #28, #29, #30, #31, #32, #33, #34

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

sector-furniture: co2e and repairability metrics accepted with no bounds check

1 participant