Skip to content

Security: Blockchain Integration Path Traversal Fix#2910

Closed
MichaelSovereign wants to merge 49 commits intoScottcjn:mainfrom
MichaelSovereign:security-fix/blockchain-path-traversal
Closed

Security: Blockchain Integration Path Traversal Fix#2910
MichaelSovereign wants to merge 49 commits intoScottcjn:mainfrom
MichaelSovereign:security-fix/blockchain-path-traversal

Conversation

@MichaelSovereign
Copy link
Copy Markdown
Contributor

@MichaelSovereign MichaelSovereign commented May 2, 2026

Summary

This PR fixes a directory traversal vulnerability in the method.

Changes

  1. Input Sanitization: Implemented strict regex-based sanitization of to ensure it only contains alphanumeric characters, hyphens, and underscores. This prevents an attacker from using IDs like to write files outside the intended directory.
  2. Safe Path Joining: Switched to for safer path construction.
  3. Robustness: Added directory existence checks and validation to ensure the storage process is reliable.

Closes #6460

@MichaelSovereign
feat: implement RIP-309 Phase 1 Fingerprint Check Rotation
9005379
@MichaelSovereign
fix: address Codex review for RIP-309 Phase 1
1c1e41c
@MichaelSovereign
fix: complete RIP-309 integration with reward gating and signature fix
d4ad46b
@MichaelSovereign
fix: integrate canonical RIP-309 rotation module for reward weighting
4d2b086
@MichaelSovereign
fix: bind _handle_get_state signature to msg_id and ttl (arity fix Sc…
d5c825d 
…ottcjn#2288)
@MichaelSovereign
Security: Hardened P2P sync with replay protection, nonces, and deter…
2080a24 
…ministic JSON
@MichaelSovereign
Security: Prevent mining reward type confusion in mempool and UTXO apply
464a08e
@MichaelSovereign
Security: Hardened Server Proxy with path whitelisting and header for…
ba859a7 
…warding
@MichaelSovereign
Security: Atomic balance checks and secure hash generation for Bridge…
a84314c 
… API
@MichaelSovereign
Security: Fix voting precision by migrating from REAL to INTEGER weights
ed6d1e9
@MichaelSovereign
Enhancement: Added environment variable support and API authenticatio…
2437488 
…n for auto-settler
@MichaelSovereign
Security: Implemented cryptographic authentication for bounty claims …
574c26b 
…and contract updates
@MichaelSovereign
Enhancement: Added address validation and security checks for x402 co…
2aef619 
…nfiguration
@MichaelSovereign
Security: Fixed potential SQL injection in passport listing
cc7b765
@MichaelSovereign
Security: Protected Hall of Rust from SQL injection and data vandalism
9e59f39
@MichaelSovereign
Security: Hardened LLM JSON extraction in Sophia Governor
1239068
@MichaelSovereign
Security: Switched to full SHA-256 for machine identity to prevent co…
92a73c9 
…llisions
@MichaelSovereign
Security: Added robustness to cache feature extraction to prevent cra…
4851646 
…shes on empty data
@MichaelSovereign
Security: Switched from float to Decimal for precise financial calcul…
29c6686 
…ations in payouts
@MichaelSovereign
Security: Switched from print to logging and improved error handling …
ee06e4e 
…in claims eligibility
@MichaelSovereign
Security: Enforced commitment matching in BCOS attestation to prevent…
dfbfa93 
… report tampering
@MichaelSovereign
Security: Added database-level CHECK constraints for transaction amou…
1b134b4 
…nts to prevent negative value injection
@MichaelSovereign
Security: Hardened claim ID generation to prevent potential ID collis…
179a811 
…ions
@MichaelSovereign
Security: Prevented field-level DoS in hardware binding by capping MA…
11e7c32 
…C address and flag storage
@MichaelSovereign
Security: Implemented HMAC authentication for P2P state and attestati…
a0cee05 
…on endpoints to prevent data leakage
@MichaelSovereign
Security: Implemented atomic transactions for IP rate limiting to pre…
88cac3f 
…vent race condition bypass
@MichaelSovereign
Security: Implemented input sanitization to prevent prompt injection …
a6ec6e6 
…in Sophia Inspector
@MichaelSovereign
Enhancement: Added environment variable support and timeout protectio…
2d532ae 
…n for Ergo anchoring
@MichaelSovereign
Security: Prevented Sybil attacks in Warthog rewards by enforcing uni…
140f85d 
…que WART addresses per epoch
@MichaelSovereign
Security: Enforced global uniqueness for GitHub accounts and wallets …
631c761 
…in airdrop to prevent double-claiming
@MichaelSovereign
Security: Implemented strict table whitelisting to prevent SQL inject…
4225596 
…ion in sync manager
@MichaelSovereign
Security: Improved error handling and logging in rewards settlement t…
d3983c4 
…o prevent silent failures
@MichaelSovereign
Security: Implemented HMAC for subnet hashing to prevent rainbow tabl…
4e3c20b 
…e attacks on miner IPs
@MichaelSovereign
Security: Implemented monotonic and future-limit validation for block…
1064d58 
… timestamps
@MichaelSovereign
Security: Implemented atomic fetch-and-lock for withdrawals to preven…
c9f3e89 
…t double payout race conditions
@MichaelSovereign
Security: Implemented 'settling' status to prevent double settlement …
96d5ac4 
…in case of server crash
@MichaelSovereign
Security: Hardened external subprocess calls and improved error handl…
d53dd6f 
…ing in hardware fingerprinting
@MichaelSovereign
Security: Prevented network mapping by removing internal peer history…
7e9ed4f 
… from sync status response
@MichaelSovereign
Security: Hardened consensus probe with secure HTTP requests and erro…
08737d7 
…r sanitization
@MichaelSovereign
Enhancement: Implemented fee-based mempool prioritization to prevent …
65df217 
…transaction spam
@MichaelSovereign
Enhancement: Added application-level support for transaction fees in …
046a2cd 
…TX handler
@MichaelSovereign
Security: Prevented authentication bypass in governor inbox when admi…
924104b 
…n key is unconfigured
@MichaelSovereign
Security: Enforced strict admin authentication for passport updates a…
97bdcba 
…nd log entries
@MichaelSovereign
Security: Doubled Beacon agent ID length to prevent hash collisions i…
0b9c7d2 
…n large-scale deployments
@MichaelSovereign
Security: Prevented authentication bypass in review service when admi…
e5032eb 
…n key is unconfigured
@MichaelSovereign
Security: Added registration pool limits and deterministic JSON hashi…
d0e980a 
…ng in Elya Service
@MichaelSovereign
Security: Hardened file hashing and added algorithm validation in ROM…
270dd5b 
… fingerprint database
@MichaelSovereign
Security: Fixed potential SQL injection in GPU node filtering by impl…
03dbdbc 
…ementing job type whitelisting
@MichaelSovereign
Security: Prevented directory traversal in badge metadata storage by …
a8178f3 
…sanitizing IDs
@MichaelSovereign MichaelSovereign requested a review from Scottcjn as a code owner May 2, 2026 05:47
@github-actions github-actions Bot added BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) BCOS-L2 Beacon Certified Open Source tier BCOS-L2 (required for non-doc PRs) consensus Consensus/RIP-200 related node Node server related tests Test suite changes size/XL PR: 500+ lines labels May 2, 2026
jaxint
jaxint approved these changes May 3, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jaxint jaxint left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

PR Review: Blockchain Path Traversal Fix

Summary

This PR addresses a security vulnerability in the RustChain codebase.

Key Changes

  • node/airdrop_v2.py: +8 -4
  • node/anti_double_mining.py: +2 -1
  • node/arch_cross_validation.py: +7 -2

Assessment

Approve — Meaningful security fix.

Reviewed by: jaxint
Wallet: AhqbFaPBPLMMiaLDzA9WhQcyvv4hMxiteLhPk3NhG1iG

@jaxint jaxint mentioned this pull request May 3, 2026
Open
@Scottcjn
Copy link
Copy Markdown
Owner

Scottcjn commented May 3, 2026

Closing as part of Tier 0 hard-ban cleanup — see #3074 / #3104 / #3169 for the documented incident chain. All MichaelSovereign PRs are closed unread per the Tier 0 contract. No review path; no future PRs from this account will be processed. (See feedback_michaelsovereign_tier0_2026-05-02.md.)

@Scottcjn Scottcjn closed this May 3, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@Scottcjn Scottcjn Awaiting requested review from Scottcjn Scottcjn is a code owner

1 more reviewer

@jaxint jaxint jaxint approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

BCOS-L1 Beacon Certified Open Source tier BCOS-L1 (required for non-doc PRs) BCOS-L2 Beacon Certified Open Source tier BCOS-L2 (required for non-doc PRs) consensus Consensus/RIP-200 related node Node server related size/XL PR: 500+ lines tests Test suite changes

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@MichaelSovereign @Scottcjn @jaxint