graphprotocol / indexer-rs / 21211641316
68%

Build:
DEFAULT BRANCH: main
Ran 21 Jan 2026 01:44PM UTC
Jobs 1
Files 96
Run time 1min
21 Jan 2026 01:37PM UTC coverage: 68.255% (+0.1%) from 68.133%
21211641316

push

github

web-flow
 fix: TrustSec audit findings - Low severity batch (#905)

* fix(service): add configurable request body size limit (TRST-M-6)

Prevent DoS attacks via unbounded request buffering by adding a
configurable maximum request body size to the tap_context middleware.

Previously, `to_bytes(body, usize::MAX)` allowed attackers to send
arbitrarily large request bodies, potentially causing memory exhaustion.

Changes:
- Add `max_request_body_size` config option to ServiceConfig (default: 2MB)
- Introduce TapContextState to pass the limit to context_middleware
- Update middleware to enforce the configured body size limit
- Add test for oversized request rejection

* fix(config): correct unit conversion in trigger-value threshold validation (TRST-L-1)

The validation warnings for low trigger values and max_amount_willing_to_lose
were never triggering due to incorrect float-to-u128 conversion.

Previously, floating-point literals like `0.1` were converted to u128 via
`.to_u128()`, which truncates to 0 since u128 cannot represent fractions.
This meant comparisons like `trigger_value < 0` were always false.

Fix:
- Replace `0.1f64.to_u128()` with proper wei constant (0.1 GRT = 10^17 wei)
- Replace `0.001f64.to_u128()` with proper wei constant (0.001 GRT = 10^15 wei)
- Remove unused `FromStr` import

This only affects startup warnings, not runtime behavior. Operators with
misconfigured low values will now correctly receive warnings.

* fix(config): add zero-duration validation for timeouts and intervals

Add explicit validation to reject zero values for Duration configuration
fields that would cause incorrect behavior or system failures:

- subgraphs.escrow.syncing_interval_secs
- subgraphs.network.syncing_interval_secs
- tap.rav_request.request_timeout_secs
- tap.sender_timeout_secs
- subgraphs.network.recently_closed_allocation_buffer_secs

Note: timestamp_buffer_secs intentionally not validated as zero is a valid
(though not recommended) value meaning "no buffer"... (continued)

121 of 147 new or added lines in 5 files covered. (82.31%)

10284 of 15067 relevant lines covered (68.26%)

81.83 hits per line

New Missed Lines in Diff

Lines   Coverage   ∆        File
26      80.03      -2.76%   crates/config/src/config.rs

Jobs
ID   Job ID          Ran                       Files   Coverage
1    21211641316.1   21 Jan 2026 01:44PM UTC   96      68.26
Source Files on build 21211641316
  • Tree
  • List 96
  • Changed 10
  • Source Changed 9
  • Coverage Changed 10
  • Github Actions Build #21211641316
  • 4e80ec0c on github
  • Prev Build on main (#21151146192)