Skip to content

fix: harden auth, validation, and sandboxing (audit #12-#23)#24

Open
LKSNDRTMLKV wants to merge 8 commits into
mainfrom
fix/engine-audit
Open

fix: harden auth, validation, and sandboxing (audit #12-#23)#24
LKSNDRTMLKV wants to merge 8 commits into
mainfrom
fix/engine-audit

Conversation

@LKSNDRTMLKV

Copy link
Copy Markdown
Member

Summary

Hardening pass across dpp-engine closing the open audit findings (#12#23). Same posture as the core pass: adversarial/malformed input that previously failed open, panicked, or bypassed a check now fails closed with an explicit error, each with a regression test. The full just check gate is green.

This PR contains only the audit fixes. An in-progress webhooks feature that happened to be in the working tree is deliberately excluded — see "Scope" below.

Fixes by area

Scope enforcement, end-to-end (#23, #21, #20, #18) — the central finding.

dpp-common (#13) — the request-ID middleware now matches its own application/problem+json error content-type (it never did), and oversized error bodies pass through with the id in the header instead of being silently emptied.

dpp-integrator (#12) — steel/aluminium/tyre importers validate the GTIN mod-10 checksum like the battery importer already did; a malformed vault response is no longer recorded as a successful create.

dpp-identity (#14) — internal mTLS endpoints require a shared-secret proxy binding instead of trusting client-supplied headers alone; key rotation aborts on archive failure instead of failing open; removed a dead per-operator DID route.

dpp-resolver (#15) — gtin/dppId are validated at the edge (closes an SSRF / path-traversal surface); the linkset base URL is a fixed constant instead of a tamperable qrCodeUrl-derived value (closes an open redirect).

dpp-seal (#16) — capabilities() reports no sealing support when no QTSP is configured, instead of advertising modes the adapter cannot actually deliver.

dpp-plugin-host (#17) — added the missing Wasm table-growth limiter; sandbox-breach metrics are classified from the trap rather than a spoofable message; the in-force compliance gate is applied on the previously-missed output path; unsigned plugins are refused unless explicitly opted in.

dpp-node (#19) — an EU-registry payload that fails validation is no longer sent anyway; the boot-time operator-country lookup surfaces DB errors instead of baking an empty country in for the process lifetime; fixed a token-expiry underflow panic.

odal CLI (#22) — byte-index slicing on untrusted UTF-8 no longer panics (char-safe truncation); the API secret for odal key use is read from a flag, ODAL_API_SECRET, or a no-echo prompt instead of being accepted as a plaintext argv argument.

dpp-evidence verification — also fixes odal-node/dpp-core#25 (its fix lives here, in dpp-vault): unsigned-but-completed transfer records now fail verification, and a present-but-unresolvable kid returns an accurate diagnosis instead of silently falling back to the primary key. (GitHub won't auto-close a cross-repo issue on merge — close dpp-core#25 manually.)

Scope — webhooks excluded

An unrelated, in-progress webhooks feature (28 modified files + 11 new files) was present in the working tree and is not part of this PR. The commit was assembled to contain only the 42 audit files and verified in isolation — just check was re-run green with the webhooks WIP stashed, so the gate reflects exactly what is committed here. That work continues separately on main.

Deferred follow-ups (not blockers)

Dependency / merge order

Builds against dpp-core fix/core-audit via the local [patch.crates-io]. Land the core PR and publish dpp-core 0.7.0 first, then this branch can pin dpp-* = 0.7.0 from the registry and drop the patch.

Testing

just check green: fmt-check · clippy --workspace --all-targets -D warnings · debug-check · subjects-check · mod-rs-check · cargo nextest --workspace · audit.

Closes #12, #13, #14, #15, #16, #17, #18, #19, #20, #21, #22, #23

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

dpp-integrator: steel/aluminium/tyre skip GTIN checksum validation; malformed vault response recorded as success

1 participant