development_bugsquash #36

Closed

thabeta wants to merge 21 commits from development_bugsquash into development

pull from: development_bugsquash

merge into: lhumina_code:development

lhumina_code:development

lhumina_code:development_security_fixes_v3

lhumina_code:development_audit

lhumina_code:main

Conversation 1 Commits 21 Files changed 18 +324 -68

thabeta commented 2026-02-26 14:11:48 +00:00

Owner

Copy link

addresses some of the concerns raised by opus feedback, this is by no means exhaustive nor 100% tested

addresses some of the concerns raised by opus feedback, this is by no means exhaustive nor 100% tested

thabeta added 21 commits 2026-02-26 14:11:48 +00:00

fix(credit): use unique storage prefixes for per-owner vectors ... 60348a7526

Address CRIT-02 by avoiding shared Vector prefixes in line and approval indexes.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(dns): restore state on failed GLD transfers ... ca31d25141

Address CRIT-03 by adding callbacks for refund and fee transfer failures.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(hosting): restrict SLA period settlement access ... 965fd42bba

Address CRIT-04 by requiring the committed node's farm owner to settle SLA periods.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(sdk): redact private key in Account debug/serialization ... daf7d498ee

Address CRIT-05 by implementing custom Debug redaction and skipping private key serialization.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(relayer): disable permissive CORS and bind localhost ... 7be38031c4

Address CRIT-07/HIGH-07 by removing Any-origin CORS and defaulting listener to 127.0.0.1.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(relayer): rate limit activation by client IP ... d6e8bcd622

Address CRIT-08 by using ConnectInfo<SocketAddr> and keying the limiter by source IP.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): remove unsafe env mutation for network selection ... a9db764f0a

Address CRIT-12 by replacing unsafe set_var with a scoped in-process network override.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): restrict env_var to HEROLEDGER_* keys ... e85c538e74

Address CRIT-10 by blocking arbitrary environment variable reads from Rhai scripts.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): disable shell command helpers by default ... b79f24bbe9

Address CRIT-01 by gating run_command and run_command_output behind HEROLEDGER_RHAI_ALLOW_SYSTEM=1.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): block filesystem probing helpers by default ... f8523c5512

Address CRIT-11 by gating expand_path/file_exists/dir_exists/which behind HEROLEDGER_RHAI_ALLOW_SYSTEM=1.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(sdk): zeroize key material on drop (CRIT-06) ... 926d7b75ee

Add zeroize dep and wrap private-key bytes/hex in Zeroizing<T> across vault.rs and mnemonic.rs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(cli): remove private key display in info command (HIGH-08) ... 8520a8d8de

Replace the panic-prone &key[..40] slice with a redacted placeholder.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(sdk): refuse to load validator key with unsafe permissions (HIGH-04) ... e0b0e2ccaa

Reject validator_key.json if mode bits allow group/other read (> 0600).

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(sporex): replace expect() with match in withdrawal callbacks (HIGH-03) ... 8c8591e8e7

Prevents callback panics on corrupted amount strings, preserving balance rollback.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(faucet): restrict fund_account to owner/allowed callers (HIGH-01) ... e785d00823

Add allowed_callers set; only owner or registered relayer accounts can call fund_account.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): add resource limits, fix panic on RPC errors, guard negative waits (HIGH-09, MED-21, MED-22) ... 28c9db759f

- Engine limits: 1M ops, depth 64, 1MiB strings, 100k arrays/maps
- block_height/hash/by_height/by_hash now return Result instead of panicking
- wait_seconds/wait_ms ignore negative values

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai): redact private_key in Credentials Debug and Serialize (HIGH-10) ... 67f64eb405

Custom Debug impl, #[serde(skip_serializing)] on private_key field.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(rhai/admin): validate contract name to prevent path traversal (HIGH-11) ... 9ffcfe39b5

Names must be alphanumeric, hyphen or underscore only.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(provision): set 0600 permissions on validator_key.json after write (HIGH-12) ... 35ca6fdb91

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(provision): validate home_dir sentinel before remove_dir_all (MED-26) ... b085a63e28

Write .heroledger sentinel on init; refuse to wipe if absent.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

fix(js-client): remove secret key/seed logging and replace innerHTML with textContent (HIGH-16, HIGH-17) ... c3cf09e522

- mnemonic-account.ts: redact seed phrase and secret key from console output
- web-demo/main.ts: replace innerHTML with textContent to prevent XSS

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

thabeta requested reviews from lee, scott 2026-02-26 14:12:12 +00:00

scott commented 2026-03-02 19:40:11 +00:00

Member

Copy link

I'm implementing fixes independently. See: #35 (comment)

I'm implementing fixes independently. See: https://forge.ourworld.tf/lhumina_code/hero_ledger/pulls/35#issuecomment-9622

scott closed this pull request 2026-03-02 19:40:25 +00:00

Some checks failed

Hide all checks

Bootstrap Test / bootstrap (push) Failing after 6s

Details

Test / build-and-test (push) Successful in 5m7s

Details

Bootstrap Test / bootstrap (pull_request) Failing after 9s

Details

Test / build-and-test (pull_request) Successful in 5m53s

Details

Pull request closed

Please reopen this pull request to perform a merge.

Sign in to join this conversation.

Reviewers

No reviewers

lee

scott

Labels

Clear labels   

urgent

No labels

urgent

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

lhumina_code/hero_ledger!36

No description provided.