Skip to content

fix: harden auth, validation, and sandboxing (audit #12-#23)#24

Open
LKSNDRTMLKV wants to merge 5 commits into
mainfrom
fix/engine-audit
Open

fix: harden auth, validation, and sandboxing (audit #12-#23)#24
LKSNDRTMLKV wants to merge 5 commits into
mainfrom
fix/engine-audit

Conversation

@LKSNDRTMLKV

Copy link
Copy Markdown
Member

Summary

Hardening pass across dpp-engine closing the open audit findings (#12#23). Same posture as the core pass: adversarial/malformed input that previously failed open, panicked, or bypassed a check now fails closed with an explicit error, each with a regression test. The full just check gate is green.

This PR contains only the audit fixes. An in-progress webhooks feature that happened to be in the working tree is deliberately excluded — see "Scope" below.

Fixes by area

Scope enforcement, end-to-end (#23, #21, #20, #18) — the central finding.

dpp-common (#13) — the request-ID middleware now matches its own application/problem+json error content-type (it never did), and oversized error bodies pass through with the id in the header instead of being silently emptied.

dpp-integrator (#12) — steel/aluminium/tyre importers validate the GTIN mod-10 checksum like the battery importer already did; a malformed vault response is no longer recorded as a successful create.

dpp-identity (#14) — internal mTLS endpoints require a shared-secret proxy binding instead of trusting client-supplied headers alone; key rotation aborts on archive failure instead of failing open; removed a dead per-operator DID route.

dpp-resolver (#15) — gtin/dppId are validated at the edge (closes an SSRF / path-traversal surface); the linkset base URL is a fixed constant instead of a tamperable qrCodeUrl-derived value (closes an open redirect).

dpp-seal (#16) — capabilities() reports no sealing support when no QTSP is configured, instead of advertising modes the adapter cannot actually deliver.

dpp-plugin-host (#17) — added the missing Wasm table-growth limiter; sandbox-breach metrics are classified from the trap rather than a spoofable message; the in-force compliance gate is applied on the previously-missed output path; unsigned plugins are refused unless explicitly opted in.

dpp-node (#19) — an EU-registry payload that fails validation is no longer sent anyway; the boot-time operator-country lookup surfaces DB errors instead of baking an empty country in for the process lifetime; fixed a token-expiry underflow panic.

odal CLI (#22) — byte-index slicing on untrusted UTF-8 no longer panics (char-safe truncation); the API secret for odal key use is read from a flag, ODAL_API_SECRET, or a no-echo prompt instead of being accepted as a plaintext argv argument.

dpp-evidence verification — also fixes odal-node/dpp-core#25 (its fix lives here, in dpp-vault): unsigned-but-completed transfer records now fail verification, and a present-but-unresolvable kid returns an accurate diagnosis instead of silently falling back to the primary key. (GitHub won't auto-close a cross-repo issue on merge — close dpp-core#25 manually.)

Scope — webhooks excluded

An unrelated, in-progress webhooks feature (28 modified files + 11 new files) was present in the working tree and is not part of this PR. The commit was assembled to contain only the 42 audit files and verified in isolation — just check was re-run green with the webhooks WIP stashed, so the gate reflects exactly what is committed here. That work continues separately on main.

Deferred follow-ups (not blockers)

Dependency / merge order

Builds against dpp-core fix/core-audit via the local [patch.crates-io]. Land the core PR and publish dpp-core 0.7.0 first, then this branch can pin dpp-* = 0.7.0 from the registry and drop the patch.

Testing

just check green: fmt-check · clippy --workspace --all-targets -D warnings · debug-check · subjects-check · mod-rs-check · cargo nextest --workspace · audit.

Closes #12, #13, #14, #15, #16, #17, #18, #19, #20, #21, #22, #23

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR is currently incomplete or mislabeled. While the title and description claim to implement extensive security hardening for audit findings #12 through #23—including authentication fail-closed logic, SQL injection prevention, and Wasm sandboxing—the provided code changes only consist of a version update for the 'reqwest' library in Cargo.toml. None of the eight acceptance criteria are met, and the regression tests mentioned in the description are entirely absent from the diff. This PR should not be merged until the promised implementation is included.

About this PR

  • The PR description mentions the inclusion of regression tests for each security fix, but no new test files or modifications to existing tests are present in the change set.
  • The implementation is missing all security hardening logic described in the PR summary. No code changes related to audit findings #12-#23 (such as mTLS endpoints, Wasm limiters, or GTIN validation) were found in the provided diff.

Test suggestions

  • Verify that an unrecognized API-key scope string defaults to 'Read' access.
  • Verify that LIKE-pattern injection attempts in dpp-dal passport queries are neutralized.
  • Confirm that Read-scoped keys are blocked from calling dpp-vault mutation handlers.
  • Validate GTIN mod-10 checksum enforcement for tyre and steel importers.
  • Verify Wasm table-growth limits prevent sandbox escapes or resource exhaustion.
  • Test that internal mTLS endpoints reject requests lacking the shared-secret proxy binding.
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify that an unrecognized API-key scope string defaults to 'Read' access.
2. Verify that LIKE-pattern injection attempts in dpp-dal passport queries are neutralized.
3. Confirm that Read-scoped keys are blocked from calling dpp-vault mutation handlers.
4. Validate GTIN mod-10 checksum enforcement for tyre and steel importers.
5. Verify Wasm table-growth limits prevent sandbox escapes or resource exhaustion.
6. Test that internal mTLS endpoints reject requests lacking the shared-secret proxy binding.

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

@codacy-production

codacy-production Bot commented Jul 13, 2026

Copy link
Copy Markdown

Not up to standards ⛔

🔴 Issues 4 high

Alerts:
⚠ 4 issues (≤ 0 issues of at least minor severity)

Results:
4 new issues

Category Results
Security 4 high

View in Codacy

🟢 Metrics 16 duplication

Metric Results
Duplication 16

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

dpp-integrator: steel/aluminium/tyre skip GTIN checksum validation; malformed vault response recorded as success

1 participant