fix(fetchers): bound HN timestamp formatting by chaliy · Pull Request #109 · everruns/fetchkit

chaliy · 2026-05-17T16:45:53Z

The Hacker News fetcher deserializes time: Option<u64> and passed unchecked values into a year-subtraction formatter, which enables a CPU-bound denial-of-service for crafted large timestamps.
The change aims to prevent unbounded work by rejecting out-of-range timestamps before running the custom formatter.

Added MAX_UNIX_TIMESTAMP (3000-01-01T00:00:00Z) as an upper bound for accepted Unix timestamps.
Introduced format_unix_timestamp_bounded(ts) -> Option<String> which returns None for timestamps above the bound and otherwise delegates to the existing format_unix_timestamp.
Updated format_hn_response() to render Time metadata only when the bounded formatter returns Some(String).
Added test_format_unix_timestamp_bounded unit test to verify valid timestamps are formatted and extreme values (e.g., u64::MAX) are rejected.

Ran formatting: cargo fmt --all which completed successfully.
Ran targeted unit tests: cargo test -p fetchkit hackernews -- --nocapture, and the Hacker News tests passed (all relevant tests, including the new bounded-timestamp test, succeeded).

…hnitem

fix(fetchers): bound HN timestamp formatting

2178f5c

chaliy added codex aardvark labels May 17, 2026 — with ChatGPT Codex Connector

Merge branch 'main' into 2026-05-17-fix-unbounded-timestamp-issue-in-…

926680a

…hnitem

chaliy merged commit cf05874 into main May 17, 2026
11 checks passed

chaliy deleted the 2026-05-17-fix-unbounded-timestamp-issue-in-hnitem branch May 17, 2026 17:32

Provide feedback