Skip to content

fix: WebSocket unwrap panic and use OsRng for crypto (#128, #130) #152

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
0xMuang merged 1 commit into from
Jan 26, 2026
Merged

fix: WebSocket unwrap panic and use OsRng for crypto (#128, #130) #152

0xMuang merged 1 commit into from
Jan 26, 2026
+31 −11

Conversation

@0xMuang
Copy link
Collaborator

@0xMuang 0xMuang commented Jan 26, 2026

Summary

Changes

pubsub.rs (Issue #128)

Replaced 5 occurrences of panic-prone code:

// Before (can panic)
sink.send(jsonrpsee::SubscriptionMessage::from_json(&msg).unwrap()).await

// After (graceful error handling)
let Ok(sub_msg) = jsonrpsee::SubscriptionMessage::from_json(&msg) else {
    warn!("Failed to serialize message for subscription {}", sub_id);
    continue;
};
sink.send(sub_msg).await

cipher.rs & kdf.rs (Issue #130)

Changed random number generator for cryptographic operations:

// Before
rand::thread_rng().fill_bytes(&mut data);

// After
OsRng.fill_bytes(&mut data);

OsRng directly uses the operating system's cryptographically secure random number generator, which is the recommended practice for generating cryptographic material like IVs and salts.

Test Plan

  • cargo check passes

Closes #128
Closes #130

@0xMuang
fix: WebSocket unwrap panic and use OsRng for crypto (#128, #130)
0490a19 
- Replace .unwrap() with let-else pattern in WebSocket subscription
  handlers to prevent panics on JSON serialization errors (#128)
- Use OsRng instead of thread_rng for IV and salt generation
  for better cryptographic security (#130)
@qj0r9j0vc2 qj0r9j0vc2 assigned qj0r9j0vc2 and 0xMuang and unassigned qj0r9j0vc2 Jan 26, 2026
@qj0r9j0vc2 qj0r9j0vc2 self-requested a review January 26, 2026 13:41
@0xMuang 0xMuang merged commit 23dc4a6 into main Jan 26, 2026
9 checks passed
@0xMuang 0xMuang mentioned this pull request Jan 26, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@qj0r9j0vc2 qj0r9j0vc2 qj0r9j0vc2 approved these changes

Assignees

@0xMuang 0xMuang

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Crypto] Use explicit OsRng for IV and salt generation [Bug] Unwrap in WebSocket subscription handlers can crash service

3 participants

@0xMuang @qj0r9j0vc2