Commit f77dfbc
harden(#433): keyfile 0600-at-creation, remember input bounds, watcher symlink reject, doctor freshness
Defense-in-depth items from the 2026-07-03 CoS deep dive (v2.14.0). No
data-loss or default-build behavior change.
M1 — encryption keyfile permission race (main.rs keygen): the secret key was
written, then chmod'd 0600 in a second step, leaving a brief world-readable
window. Create the file with mode(0o600) via OpenOptions on Unix so the
permission is set at inode creation; keep the explicit set_permissions as a
defense-in-depth retighten for a pre-existing looser path.
L — remember input bounds (tools.rs handle_remember): cap category (256),
key (1024), and body_json (4 MiB). category/key are indexed, hashed for
identity, and fed to FTS, so an unbounded key was a DoS-via-huge-key vector.
Caps sit far above any legitimate use.
L — file-watcher symlink reject (connectors/file_watcher.rs): scan_dir used
is_dir()/is_file(), which follow symlinks — a symlink planted in a watched
dir could escape the configured root despite SECURITY.md's "paths
canonicalized" claim. Skip entries whose own file_type() is a symlink,
before any recursion or read.
N4 — doctor freshness/liveness (main.rs run_doctor): add a "last write N days
ago" line (WARN past 14d) read from plaintext timestamp columns via a
read-only connection (no encryption key needed), so a stale vault (harvest
stopped) is visible instead of silently reported healthy.
Not included here (tracked separately in #433):
* M2 (bind workspace_hash into the audit-chain hash) needs a chain-format
version bump + migration — it changes verify semantics for every existing
chain, so it's not a drop-in defense-in-depth patch.
* M3 (purge redaction workspace scoping) is already addressed by #417/#426:
the journal-redaction JOIN is workspace-scoped (JRN_MATCH), with the
residual default-workspace over-redaction documented and intentional
(GDPR: never under-redact).
* L dedup alloc bound: decode is already a bounded streaming decoder
(SigDecoder, bounded by cand_count) — no unbounded pre-alloc remains.
Tests: remember rejects oversized key/category + accepts normal; watcher
ingests regular files and (unix) skips a symlink escaping the root.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
1 parent a18c606 · commit f77dfbc
3 files changed
Lines changed: 202 additions & 2 deletions
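The three code-level patterns the commit message describes (M1 keyfile creation at 0600, the remember input bounds, and the watcher symlink reject) as one stand-alone Rust example. This is added illustration, not code from this commit or from the project: the function names, the `BoundError` type and the temporary paths used in the checks are assumptions of the example; the caps (256 / 1024 / 4 MiB) and the 0600 mode are the values the commit message states.

```rust
// Added example (not code from this commit or project). Stand-alone Rust
// illustrating the three hardening patterns the commit message describes.
// Function names and the BoundError type are assumptions of this example.
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::path::{Path, PathBuf};

#[cfg(unix)]
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};

/// M1: create the keyfile with mode 0600 at inode creation, so there is no
/// window in which a default-umask file is world-readable. The explicit
/// set_permissions afterwards only matters when the path already existed
/// with looser bits (mode() applies to newly created inodes only).
pub fn write_keyfile(path: &Path, key: &[u8]) -> io::Result<()> {
    let mut opts = OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    {
        opts.mode(0o600);
    }
    let mut f = opts.open(path)?;
    #[cfg(unix)]
    {
        // defense-in-depth retighten for a pre-existing looser file
        let mut perm = f.metadata()?.permissions();
        perm.set_mode(0o600);
        f.set_permissions(perm)?;
    }
    f.write_all(key)?;
    f.sync_all()
}

/// Permission bits of an existing file (Unix only), for checking the above.
#[cfg(unix)]
pub fn keyfile_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Remember input bounds from the commit message: category 256, key 1024,
/// body_json 4 MiB. Lengths are byte lengths, which is what an index, a
/// hash and an FTS tokenizer actually see.
pub const MAX_CATEGORY: usize = 256;
pub const MAX_KEY: usize = 1024;
pub const MAX_BODY_JSON: usize = 4 * 1024 * 1024;

#[derive(Debug, PartialEq)]
pub enum BoundError {
    Category(usize),
    Key(usize),
    Body(usize),
}

pub fn check_remember_bounds(category: &str, key: &str, body_json: &str) -> Result<(), BoundError> {
    if category.len() > MAX_CATEGORY {
        return Err(BoundError::Category(category.len()));
    }
    if key.len() > MAX_KEY {
        return Err(BoundError::Key(key.len()));
    }
    if body_json.len() > MAX_BODY_JSON {
        return Err(BoundError::Body(body_json.len()));
    }
    Ok(())
}

/// Watcher scan: collect regular files under `root`, rejecting any entry
/// whose own file type is a symlink before it is recursed into or read.
/// DirEntry::file_type() reports the link itself, whereas Path::is_dir()
/// and Path::is_file() follow it, which is how a planted link could point
/// outside the configured root.
pub fn scan_dir(root: &Path, out: &mut Vec<PathBuf>) -> io::Result<()> {
    for entry in fs::read_dir(root)? {
        let entry = entry?;
        let ft = entry.file_type()?;
        if ft.is_symlink() {
            continue; // never followed, never read
        }
        let path = entry.path();
        if ft.is_dir() {
            scan_dir(&path, out)?;
        } else if ft.is_file() {
            out.push(path);
        }
    }
    Ok(())
}
```

Two caveats worth keeping in mind when reusing this: `mode(0o600)` is still subject to the process umask, so the retighten step is what guarantees the final bits; and the bounds are on byte length, so a multi-byte key is rejected slightly earlier than its character count would suggest, which is the safe direction.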
[Diff table not rendered; only line numbers survived extraction. Hunks: +12 lines at new lines 89–100; +54 lines at new lines 174–227.]
[Diff table not rendered; only line numbers survived extraction. Hunks: +26 lines at new lines 756–781; +16 lines at new lines 798–813; −1 (old line 1184) / +24 lines at new lines 1226–1249; −1 (old line 1186) / +3 lines at new lines 1251–1253.]
[Diff table not rendered; only line numbers survived extraction. Hunks: +28 lines at new lines 480–507; +39 lines at new lines 4638–4676.]