fix(share): validate imported tombstones#135
Conversation
Co-authored-by: Brendan <brendan@grant.lan>
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 39bfdd0763
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| if err := validateSnapshotRow(table, row); err != nil { | ||
| return false, err | ||
| } |
There was a problem hiding this comment.
Validate tombstones on the incremental path too
This installs the new validator for full replacement imports, but the normal MergeIfChanged path still uses snapshot.ImportIncremental with a filter that only skips DMs, and importMergeSnapshotRow/upsertMergeSnapshotRow do not call validateSnapshotRow. When a changed-tail snapshot is applied through MergeIfChanged, a malformed or non-string messages.deleted_at can still be written to the archive before any error, so the main supported update path remains unprotected. Please run the same validation from the incremental filter or import row hook as well.
Useful? React with 👍 / 👎.
|
Codex review: needs changes before merge. Reviewed July 17, 2026, 3:56 AM ET / 07:56 UTC. Summary Reproducibility: yes. at source level: apply a changed-tail snapshot containing a malformed or non-string Review metrics: 2 noteworthy metrics.
Root-cause cluster Members:
Proposal only: this assessment does not dispatch repair, suppress jobs, mutate sibling items, close, or merge anything. Merge readiness Overall follows the weaker of proof and patch quality, so missing proof can cap an otherwise strong patch. Rank-up moves:
Next step before merge
Security Review findings
Review detailsBest possible solution: Run one shared tombstone validator at the pre-mutation boundary used by replacement, legacy, and incremental snapshot engines, with a changed-tail regression proving malformed rows fail without altering the archive. Do we have a high-confidence way to reproduce the issue? Yes at source level: apply a changed-tail snapshot containing a malformed or non-string Is this the best way to solve the issue? No. The validator itself is appropriately narrow, but installing it only on replacement and legacy imports leaves the normal incremental path inconsistent; all supported import engines should share the same pre-insert validation. Full review comments:
Overall correctness: patch is incorrect AGENTS.md: not found in the target repository. Codex review notes: model internal, reasoning high; reviewed against 91aa80d2f826. Label changesLabel changes:
Label justifications:
Evidence reviewedAcceptance criteria:
What I checked:
Likely related people:
What the crustacean ranks mean
Shiny media proof means a screenshot, video, or linked artifact directly shows the changed behavior. Runtime, network, CSP, and security claims still need visible diagnostics. How this review workflow works
|
Summary
messages.deleted_atbefore either supported SQLite snapshot import path mutates the archive.Extracted from the generic SQLite/tombstone hardening in #131. Thanks @GrantTheAssistant; contributor credit is preserved in the commit and changelog.
Proof
go test ./... -count=1go test -race ./internal/share -count=1golangci-lint run ./...go vet ./...staticcheck ./...gosec -exclude=G101,G115,G202,G301,G304 ./...govulncheck ./...go mod verifygo mod tidy -diffThe regression exercises valid nanosecond tombstones, null/empty compatibility, malformed timestamp rejection, non-string rejection, and table scoping. Full share integration tests exercise both import engines with the validator installed at their pre-insert boundary.