prisma-risk / tsoracle / 26692240433

95%

push

github

fix(seq): re-validate SeqKey on serde deserialize and dense snapshot restore (#596)

`SeqKey` documents `try_new` as the single validation site, but the derived
`Deserialize` constructed the inner `String` directly and bypassed the
non-empty / `<= MAX_SEQ_KEY_LEN` invariant. A crafted or corrupted postcard
payload could therefore land an empty or oversized key in the openraft
`AdvanceDense` log command or the dense snapshot map.

Restore the guarantee fail-loud (matching the codebase's framed-codec
discipline), at both construction sites the honest serving path never reaches
but a malicious mTLS peer or on-disk corruption could:

- tsoracle-core: replace SeqKey's derived serde with hand-written impls that
  route `Deserialize` through `try_new` (mirroring `PeerEndpoint`). `Serialize`
  emits the bare string, so the wire/on-disk byte layout is unchanged for valid
  keys. This covers the log path: `AdvanceDense`'s embedded `SeqKey` now fails
  loud at `decode_entry`.
- tsoracle-driver-openraft: validate every dense key in `install_snapshot`
  before the active-write-version bump and persist, so a rejected install
  leaves store and in-memory state untouched. The snapshot stores raw `String`
  keys, which bypass SeqKey's validating `Deserialize`.

Regression tests cover empty and oversized keys at all three layers
(SeqKey postcard decode, AdvanceDense decode, install_snapshot) plus
valid round-trips. Closes #593.

Signed-off-by: Sebastian Thiebaud <sebastian@prismarisk.com>

125 of 129 new or added lines in 3 files covered. (96.9%)

15854 of 16645 relevant lines covered (95.25%)

349224.51 hits per line