
security: harden dynamic pipeline source resolvers#96

Merged
mostafa merged 6 commits into main from security/dynamic-pipelines-audit on May 8, 2026

Conversation

@mostafa
Member

@mostafa mostafa commented May 8, 2026

Summary

  • Add 10 MB response body size limit to HTTP source resolver via chunked reads with early Content-Length rejection
  • Add execution timeout (default 30s, configurable via DynamicSource.timeout) and 10 MB stdout cap to command source resolver, killing the child on overflow
  • Add 10 MB payload size check to NATS source in both initial subscription and push message paths
  • Clamp refresh interval to a 1-second floor to prevent hot CPU loops, with a warning log when clamped
  • Add ResourceLimit error variant to SourceErrorKind and handle it in the instrumented resolver metrics

Test plan

  • cargo clippy --workspace --all-targets --all-features -- -D warnings passes
  • cargo fmt --all -- --check passes
  • New test: command timeout kills child process within 100ms
  • New test: command stdout cap rejects output exceeding 100-byte limit
  • New test: NATS payload over 10 MB rejected with ResourceLimit
  • New test: NATS payload under 10 MB accepted
  • Existing integration tests updated for new timeout parameter
  • CI passes on all platforms
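As an added illustration of the capped body read with early Content-Length rejection and the refresh-interval floor described above (example code written for this page, not the project's own resolver; the constant and error names follow the summary, but the function signatures are assumed and only std is used so it runs stand-alone):

```rust
use std::io::Read;
use std::time::Duration;

// Shared limits as described in the PR summary (values from the page; names assumed).
pub const MAX_SOURCE_RESPONSE_BYTES: usize = 10 * 1024 * 1024;
pub const MIN_REFRESH_INTERVAL: Duration = Duration::from_secs(1);

// Minimal error kind with the ResourceLimit variant the PR adds (other variants omitted).
#[derive(Debug, PartialEq)]
pub enum SourceErrorKind {
    ResourceLimit(String),
    Io(String),
}

/// Read a response body in fixed-size chunks, never buffering more than `max` bytes.
/// If the caller already knows the Content-Length, an oversized value is rejected
/// before a single byte is read; otherwise the cap is enforced mid-stream.
pub fn read_body_capped<R: Read>(
    mut body: R,
    content_length: Option<usize>,
    max: usize,
) -> Result<Vec<u8>, SourceErrorKind> {
    if let Some(len) = content_length {
        if len > max {
            return Err(SourceErrorKind::ResourceLimit(format!(
                "Content-Length {len} exceeds cap of {max} bytes"
            )));
        }
    }
    // Pre-size from the header when present, but never beyond the cap.
    let mut buf = Vec::with_capacity(content_length.unwrap_or(0).min(max));
    let mut chunk = [0u8; 8192];
    loop {
        let n = body.read(&mut chunk).map_err(|e| SourceErrorKind::Io(e.to_string()))?;
        if n == 0 {
            break; // EOF
        }
        if buf.len() + n > max {
            return Err(SourceErrorKind::ResourceLimit(format!(
                "body exceeds cap of {max} bytes"
            )));
        }
        buf.extend_from_slice(&chunk[..n]);
    }
    Ok(buf)
}

/// Clamp a configured refresh interval to the 1-second floor.
/// Returns the effective interval and whether clamping occurred (so the caller can log a warning).
pub fn clamp_refresh_interval(configured: Duration) -> (Duration, bool) {
    if configured < MIN_REFRESH_INTERVAL {
        (MIN_REFRESH_INTERVAL, true)
    } else {
        (configured, false)
    }
}
```

The real resolver reads asynchronously from an HTTP client and forwards a `DynamicSource.timeout`, which this sketch does not model.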

mostafa added 6 commits May 8, 2026 19:16
Replace unbounded `response.text()` with chunked `read_body_capped()`
that enforces a configurable maximum body size (default 10 MB). Also
checks Content-Length early when the header is present.

Adds shared constants `MAX_SOURCE_RESPONSE_BYTES` and
`MIN_REFRESH_INTERVAL` to the sources module, a new `ResourceLimit`
variant to `SourceErrorKind`, and handles it in the instrumented
resolver's metrics match.

Wrap child process I/O in `tokio::time::timeout` with a configurable
deadline (default 30s, forwarded from `DynamicSource.timeout`). Read
stdout incrementally and kill the child if it exceeds the 10 MB cap.
Stderr is capped at 64 KB for diagnostic messages.

Updates existing integration tests for the new timeout parameter.

Check payload length against MAX_SOURCE_RESPONSE_BYTES before parsing
in both `resolve_nats_initial` and `parse_nats_message`. Rejects
oversized messages with a ResourceLimit error.

Prevent hot CPU loops from sub-second refresh intervals by clamping
to MIN_REFRESH_INTERVAL (1s). Logs a warning when the configured
value is below the floor so operators know the effective interval.

Cover command execution timeout (kills child on deadline), command
stdout size cap (ResourceLimit on overflow), and NATS payload size
rejection/acceptance. Makes resolve_command_with_limit public so
integration tests can exercise configurable limits.

The `timeout` command requires an interactive console and exits
immediately when stdout is piped. Use `Start-Sleep` via powershell
instead, which blocks reliably in non-interactive contexts.
@mostafa mostafa merged commit a812187 into main May 8, 2026
10 checks passed
@mostafa mostafa deleted the security/dynamic-pipelines-audit branch May 8, 2026 17:39