Commit: 2f26d91 · Finding: SEC-V-02
Problem
MAX_DESER_SIZE = 256 * 1024 at crates/transport/src/lib.rs:32-36 is the only application-layer size gate for inbound messages. Once inside the envelope the inner payload can be anything that fits — a 256 KB body, a 256 KB emoji, a 256 KB description. There is also no cap on WireMessage::SyncBatch { events: Vec<Event> } at crates/common/src/wire.rs:25-28; a peer can stuff a single 256 KB batch with thousands of small events, all forwarded unconditionally by crates/worker/src/actors/network.rs:177-186.
Compounds with #189 (unbounded strings inside events).
Fix
- Tighten per-variant caps in parse_server_message / unpack_wire: refuse any Message.body > (e.g.) 32 KB, reject SyncBatch.events.len() > 500, etc.
- Align SyncBatch cap with the outbound limit at crates/client/src/listeners.rs:303.
- Consider introducing a per-variant max_size() associated function on WireMessage.
Obvious? No — requires picking the caps deliberately. Not auto-PR'd.
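A sketch of the per-variant check proposed under Fix, added here as an illustration and not taken from the project's code. The reduced `WireMessage` and `Event` shapes, `CapError` and `check_caps` are hypothetical names, and the cap values are the issue's "e.g." numbers rather than chosen limits.

```rust
// Added example. Caps are the issue's "e.g." values, not decided project limits.
pub const MAX_DESER_SIZE: usize = 256 * 1024; // envelope gate named in the issue
pub const MAX_BODY_BYTES: usize = 32 * 1024;
pub const MAX_SYNC_BATCH_EVENTS: usize = 500;

// Hypothetical minimal shapes; the real Event and WireMessage carry more.
#[derive(Debug, Clone)]
pub struct Event {
    pub payload: Vec<u8>,
}

#[derive(Debug, Clone)]
pub enum WireMessage {
    Message { body: String },
    SyncBatch { events: Vec<Event> },
}

#[derive(Debug, PartialEq, Eq)]
pub enum CapError {
    BodyTooLarge { len: usize, max: usize },
    TooManyEvents { len: usize, max: usize },
}

impl WireMessage {
    /// Run after deserialization and before the message is forwarded.
    /// String::len() counts bytes, so the body cap is a byte cap.
    pub fn check_caps(&self) -> Result<(), CapError> {
        match self {
            WireMessage::Message { body } if body.len() > MAX_BODY_BYTES => {
                Err(CapError::BodyTooLarge { len: body.len(), max: MAX_BODY_BYTES })
            }
            WireMessage::SyncBatch { events } if events.len() > MAX_SYNC_BATCH_EVENTS => {
                Err(CapError::TooManyEvents { len: events.len(), max: MAX_SYNC_BATCH_EVENTS })
            }
            _ => Ok(()),
        }
    }
}

fn main() {
    // Constructed input: 5_000 events of 40 bytes each (~200 KB) pass the
    // envelope gate but exceed the per-variant event count.
    assert!(5_000 * 40 < MAX_DESER_SIZE);
    let batch = WireMessage::SyncBatch { events: vec![Event { payload: vec![0u8; 40] }; 5_000] };
    println!("{:?}", batch.check_caps());
}
```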