Fix lightfuzz envelope cross-contamination between submodules #2910

Merged
liquidsec merged 2 commits into dev from lightfuzz-bugfix
Feb 19, 2026

Conversation

@liquidsec
Contributor

Lightfuzz Envelope Contamination Bug: Root Cause and Fix

Lightfuzz submodules (SQLi, CMDi, XSS, crypto, etc.) execute sequentially against the same event. When a parameter value is wrapped in an encoding layer (hex, Base64, etc.), the envelope system transparently encodes and decodes probe values so fuzzing occurs inside the encoding.

Problem

outgoing_probe_value() encoded probes using:

set_subparam() + pack()

This process mutated the envelope’s internal state.

Failure sequence

  1. The SQLi module sent ' OR 1=1-- through the envelope.
  2. The envelope stored this payload as the parameter value.
  3. The CMDi module read the mutated value instead of the original.
  4. By the time later modules ran, the "original" value had been fully contaminated by prior payloads.

Root Cause

Envelope packing was stateful. Encoding a probe altered the stored parameter value, causing cross-module contamination.

Fix

A new method was added:

pack_value()

Behavior

  • Encodes a value through the full envelope chain
  • Supports nested encodings
  • Does not modify internal state

outgoing_probe_value() now uses pack_value() instead of the mutating set_subparam() + pack() pattern.

Result

  • Each submodule receives the correct original value
  • Probe encoding remains accurate
  • Module isolation is preserved

Test Coverage Improvements

New tests enable all submodules simultaneously to verify envelope isolation.

Previously, tests only exercised a single submodule at a time, allowing this issue to go undetected.
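The stateful-versus-stateless packing difference described above, as an added Python illustration that is not BBOT's own envelope code; the Envelope class, its layer names, the probe strings and the "42" parameter value are constructed assumptions:

```python
import base64

# Added illustration (not BBOT's own code): a toy envelope chain with a mutating and a pure probe encoder.

class Envelope:
    """Hypothetical model of an encoding chain; `layers` is ordered innermost first."""
    def __init__(self, original_value, layers):
        self.value = original_value  # decoded parameter value every submodule should see
        self.layers = list(layers)

    @staticmethod
    def _encode_layer(layer, text):
        raw = text.encode()
        if layer == "hex":
            return raw.hex()
        if layer == "base64":
            return base64.b64encode(raw).decode()
        raise ValueError(f"unknown encoding layer: {layer}")

    def set_subparam(self, value):
        self.value = value  # the mutation that leaked between submodules

    def pack(self):
        """Encode the stored value through every layer, innermost first."""
        return self.pack_value(self.value)

    def pack_value(self, value):
        """Encode an arbitrary value through the chain without touching self.value."""
        for layer in self.layers:
            value = self._encode_layer(layer, value)
        return value

def probe_stateful(envelope, probe):
    """Buggy pattern from the PR: set_subparam() + pack() rewrites the stored value."""
    envelope.set_subparam(probe)
    return envelope.pack()

def probe_stateless(envelope, probe):
    """Fixed pattern: pack_value() encodes the probe and leaves the envelope as it was."""
    return envelope.pack_value(probe)

def run_submodules(probe_fn, original="42", layers=("hex", "base64")):
    """Run two submodules against one envelope; return the 'original' each read (constructed values)."""
    env = Envelope(original, layers)
    seen = []
    for probe in ("' OR 1=1-- ", "second-module-probe"):
        seen.append(env.value)
        probe_fn(env, probe)
    return seen
```

With the stateful encoder the second module reads the first module's payload as its "original"; with pack_value() both modules read "42".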

@github-actions
Contributor

📊 Performance Benchmark Report

Comparing dev (baseline) vs lightfuzz-bugfix (current)

📈 Detailed Results (All Benchmarks)

📋 Complete results for all benchmarks - includes both significant and insignificant changes

| 🧪 Test Name | 📏 Base | 📏 Current | 📈 Change | 🎯 Status |
|---|---|---|---|---|
| Bloom Filter Dns Mutation Tracking Performance | 4.22ms | 4.17ms | -1.1% | |
| Bloom Filter Large Scale Dns Brute Force | 17.89ms | 17.54ms | -2.0% | |
| Large Closest Match Lookup | 357.50ms | 351.21ms | -1.8% | |
| Realistic Closest Match Workload | 196.54ms | 196.64ms | +0.1% | |
| Event Validation Full Scan Startup Small Batch | 478.40ms | 481.34ms | +0.6% | |
| Event Validation Full Scan Startup Large Batch | 818.17ms | 837.29ms | +2.3% | |
| Make Event Autodetection Small | 31.02ms | 31.03ms | +0.0% | |
| Make Event Autodetection Large | 316.29ms | 318.51ms | +0.7% | |
| Make Event Explicit Types | 13.95ms | 14.09ms | +1.0% | |
| Excavate Single Thread Small | 4.024s | 4.026s | +0.0% | |
| Excavate Single Thread Large | 10.025s | 9.961s | -0.6% | |
| Excavate Parallel Tasks Small | 4.222s | 4.163s | -1.4% | |
| Excavate Parallel Tasks Large | 7.358s | 7.311s | -0.6% | |
| Is Ip Performance | 3.26ms | 3.17ms | -2.6% | |
| Make Ip Type Performance | 11.42ms | 11.39ms | -0.2% | |
| Mixed Ip Operations | 4.63ms | 4.54ms | -2.0% | |
| Typical Queue Shuffle | 62.45µs | 62.13µs | -0.5% | |
| Priority Queue Shuffle | 705.07µs | 723.40µs | +2.6% | |

🎯 Performance Summary

No significant performance changes detected (all changes <10%)

🐍 Python Version 3.11.14

@codecov

codecov Bot commented Feb 19, 2026

Codecov Report

❌ Patch coverage is 98.57143% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 92%. Comparing base (4b2d721) to head (06d806a).
⚠️ Report is 5 commits behind head on dev.

Files with missing lines Patch % Lines
bbot/core/helpers/web/envelopes.py 95% 1 Missing ⚠️
Additional details and impacted files
@@          Coverage Diff          @@
##             dev   #2910   +/-   ##
=====================================
+ Coverage     92%     92%   +1%     
=====================================
  Files        416     416           
  Lines      34399   34467   +68     
=====================================
+ Hits       31357   31420   +63     
- Misses      3042    3047    +5     


@liquidsec liquidsec merged commit 3148e7f into dev Feb 19, 2026
16 of 17 checks passed
@liquidsec liquidsec deleted the lightfuzz-bugfix branch February 19, 2026 20:26