fix(drive): prevent overflow in SetPrices direct purchase pricing #3292
Add unit tests proving that unchecked multiplication in the SetPrices pricing branch of token direct purchase wraps on overflow, allowing an attacker to pay almost nothing. The SinglePrice branch correctly uses saturating_mul but SetPrices uses the bare `*` operator.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## v3.1-dev #3292 +/- ##
============================================
- Coverage 70.42% 68.28% -2.15%
============================================
Files 3293 3293
Lines 262598 262666 +68
============================================
- Hits 184935 179349 -5586
- Misses 77663 83317 +5654
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Summary
`checked_mul` in `SetPrices` direct purchase pricing

Issue
Security audit found that `*matched_price * token_count` in the `SetPrices` branch uses bare multiplication. In release builds, this silently wraps around, allowing an attacker to pay almost nothing for tokens. The `SinglePrice` branch already uses `saturating_mul`.

Test plan

🤖 Generated with Claude Code
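An added illustration of the bug this PR describes, not code from the project: a stand-in pricing enum (the `Pricing` type, `matched_price` threshold semantics and the `total_cost_*` names are assumptions) computed once with the wrapping multiply that a bare `*` becomes in release builds, and once with `checked_mul`, which rejects the purchase instead of charging a wrapped-around price.

```rust
/// Illustrative stand-in for the pricing enum the PR refers to (assumed shape).
#[derive(Debug, Clone)]
pub enum Pricing {
    /// One price per token for any quantity.
    SinglePrice(u64),
    /// (threshold, price_per_token) tiers; the tier with the largest
    /// threshold <= token_count is the matched price (assumed semantics).
    SetPrices(Vec<(u64, u64)>),
}

/// Pick the price tier that applies to `token_count`, if any tier matches.
fn matched_price(set: &[(u64, u64)], token_count: u64) -> Option<&u64> {
    set.iter()
        .filter(|(threshold, _)| *threshold <= token_count)
        .max_by_key(|(threshold, _)| *threshold)
        .map(|(_, price)| price)
}

/// Vulnerable form. A bare `*` on u64 wraps silently in release builds;
/// `wrapping_mul` is used here so the wrap reproduces in a debug build too.
pub fn total_cost_unchecked(pricing: &Pricing, token_count: u64) -> Option<u64> {
    match pricing {
        Pricing::SinglePrice(p) => Some(p.saturating_mul(token_count)),
        Pricing::SetPrices(set) => {
            let price = matched_price(set, token_count)?;
            Some((*price).wrapping_mul(token_count)) // overflow -> tiny total
        }
    }
}

/// Fixed form: `checked_mul` turns overflow into `None`, so the caller
/// can refuse the purchase rather than accept a wrapped-around price.
pub fn total_cost_checked(pricing: &Pricing, token_count: u64) -> Option<u64> {
    match pricing {
        Pricing::SinglePrice(p) => p.checked_mul(token_count),
        Pricing::SetPrices(set) => {
            let price = matched_price(set, token_count)?;
            price.checked_mul(token_count)
        }
    }
}

fn main() {
    // Constructed values: price 2^40 per token, 2^24 tokens, product 2^64 wraps to 0.
    let pricing = Pricing::SetPrices(vec![(1, 1u64 << 40)]);
    println!("unchecked: {:?}", total_cost_unchecked(&pricing, 1 << 24)); // Some(0)
    println!("checked:   {:?}", total_cost_checked(&pricing, 1 << 24)); // None
}
```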