Skip to content

Minor fixes from AI audit#11406

Merged
alexb5dh merged 34 commits into
masterfrom
fix/ai-audit-1
May 8, 2026
Merged

Minor fixes from AI audit#11406
alexb5dh merged 34 commits into
masterfrom
fix/ai-audit-1

Conversation

@alexb5dh

@alexb5dh alexb5dh commented Apr 29, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Fixes for minor issues across different parts of codebase spotted by AI checks.

Changes

Medium

  • Constant-time comparison for MAC verification in FileKeyStore - during password validation.
  • Add missing return in one of the RlpDecoderExtensions.Encode - passing empty data could corrupt encoding.
  • Use long for "JsonRpcBytesSent*" metrics - int can overflow with just ~2GB of data.
  • Check for empty c3 in Shutter decoding - it also means encryption is invalid.
  • Add missing length and data validation in SSZ DecodeBool.
  • Properly escape id field for streamed RPC requests to prevent injection.

Low

  • Handle non-existent storage case in PatriciaTree.Accept - prevents potential IndexOutOfRangeException.
  • Fix validation order for flashbots_validateBuilderSubmissionV3 - returns correct error on invalid lengths.
  • Handle index out of bounds in TryGetCanonicalTransaction - prevents potential NullReferenceException.
  • Handle missing validator info in ValidatorStore - prevents potential IndexOutOfRangeException.
  • Tests for RLP ReadPrefixAndContentLength.
  • Regression tests for fixes.

Types of changes

What types of changes does your code introduce?

  • Bugfix (a non-breaking change that fixes an issue)

Testing

Requires testing

  • Yes

If yes, did you write tests?

  • Yes

alexb5dh added 27 commits April 1, 2026 13:09
@alexb5dh
Verify lengths in NewPooledTransactionHashesMessage
9071e88
@alexb5dh
Merge remote-tracking branch 'origin/master' into fix/rpc-limits
43ff2fc
@alexb5dh
Test for arrays length check
599753d
@alexb5dh
Merge branch 'master' into fix/rpc-limits
3765676
@alexb5dh
Code cleanup
78a8dcd
@alexb5dh
Merge branch 'security-master' into fix/rpc-limits
bceae3b
@alexb5dh
[C-03] Verify all lengths in ReadPrefixAndContentLength/`PeekPrefix…
9dfbbf2 
…AndContentLength`
@alexb5dh
[C-04] Constant-time comparison for MAC verification in FileKeyStore
3015aaf
@alexb5dh
[C-07] FrameMacProcessor.Dispose comment
b0cf1c1
@alexb5dh
[C-09] Non-existent storage handling in PatriciaTree.Accept
8d9e835
@alexb5dh
[C-10, C-11] Fix validation order for `flashbots_validateBuilderSubmi…
dfd4fdb 
…ssionV3`
@alexb5dh
[C-12] return false when receipt index out of bounds in `TryGetCano…
d0976a7 
…nicalTransaction`
@alexb5dh
Merge remote-tracking branch 'origin/master' into fix/rpc-limits
a48a1f7 
# Conflicts:
#	src/Nethermind/Nethermind.KeyStore/FileKeyStore.cs
#	src/Nethermind/Nethermind.Serialization.Rlp/RlpHelpers.cs
@alexb5dh
[U-05] Properly escape id for streamed RPC requests
9eb02b4
@alexb5dh
Merge branch 'security-master' into fix/rpc-limits
7e80d8a 
# Conflicts:
#	src/Nethermind/Nethermind.Runner/JsonRpc/Startup.cs
@alexb5dh
Limit protocol code length in HelloMessage
9ac6353
@alexb5dh
Build fix
23cc4c9
@alexb5dh
[C-16] Better handling for missing validator info in ValidatorStore
d16177e
@alexb5dh
[C-19] Check for empty c3 in Shutter decoding
a090ab9
@alexb5dh
[C-21] Use long for "JsonRpcBytesSent*" metrics
2e19295
@alexb5dh
[C-27] Add missing return in one of the RlpDecoderExtensions.Encode
0fa74a4
@alexb5dh
var fix
deb0da3
@alexb5dh
Revert redundant PeekLongPrefixAndContentLength changes
908174d
@alexb5dh
Adjust FrameMacProcessor.Dispose comment
2660679
@alexb5dh
Revert NewPooledTransactionHashesMessage length checks
517b5ff
@alexb5dh
Merge remote-tracking branch 'origin/master' into fix/rpc-limits
5825d84
@alexb5dh
Code cleanup
25e11af
claude[bot]
claude Bot reviewed Apr 29, 2026
View reviewed changes
Comment thread src/Nethermind/Nethermind.Serialization.Rlp/RlpDecoderExtensions.cs
claude[bot]
claude Bot reviewed Apr 29, 2026
View reviewed changes
Comment thread src/Nethermind/Nethermind.Facade/BlockchainBridge.cs
claude[bot]
claude Bot reviewed Apr 29, 2026
View reviewed changes
Comment thread src/Nethermind/Nethermind.Consensus.AuRa/Validators/ValidatorStore.cs
@alexb5dh alexb5dh marked this pull request as ready for review May 5, 2026 16:53
@claude

claude Bot commented May 5, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Claude finished @alexb5dh's task in 3m 51s —— View job

PR Review

  • Read agent rules and gather context
  • Review changed files and new SSZ additions
  • Check prior-review findings (were they addressed?)
  • Post final summary

Prior Findings — Resolution Status

All four findings from the previous review were addressed in the "More tests" commit (25aa9ff):

Finding Severity Status
RlpDecoderExtensions.cs — null-items regression test Medium ✅ Resolved — Encode_stream_with_null_items_produces_empty_list and Encode_object_with_null_items_produces_empty_list added in RlpTests.cs
BlockchainBridge.cs — receipt hash-mismatch path untested Low ✅ Resolved — get_transaction_returns_false_when_receipt_hash_mismatch added in BlockchainBridgeTests.cs
ValidatorStore.cs — throw path untested Low ✅ Resolved — GetValidators_throws_when_validator_info_missing_from_db added in ValidatorStoreTests.cs
JsonRpcSocketsClient.cs:156IncrementBytesReceivedMetric(int size) asymmetry Low ❌ Still open — explicitly acknowledged in prior review as follow-up

New Changes (since prior review)

[C-28, C-29] — SSZ DecodeBool validation

Ssz.BasicTypes.cs: The one-shot DecodeBool(Span<byte> span) now validates span.Length == 1 and rejects byte values other than 0/1 with a InvalidDataException. Correct.

Ssz.Decode.cs: The Decode(ReadOnlySpan<byte>, out bool) pattern uses the shared ValidateLength helper, consistent with all other scalar decoders in that file.

Note: the offset-based streaming overload DecodeBool(Span<byte> span, ref int offset) has no bounds check — intentional, matching the same design as DecodeByte(ReadOnlySpan<byte>, ref int) and other streaming decoders in this file. These trust the caller to pre-validate data length.

SszBasicTypeTests.cs: The -10/+1 delta removes an old hand-rolled test setup that is now redundant, while the consensus-test-based Boolean_invalid test suite covers the new validation. ✅

Remaining Issue

LowJsonRpcSocketsClient.cs:156

private void IncrementBytesReceivedMetric(int size) // ← int
private void IncrementBytesSentMetric(long size)     // ← long (fixed in this PR)

The underlying Metrics.JsonRpcBytesReceivedWebSockets field is long; Interlocked.Add(ref long, int) implicitly promotes, so no data loss occurs. Inbound WebSocket messages are bounded by MaxRequestBodySize (default 30 MB), making 2 GB overflow impossible in practice. This is a cosmetic asymmetry only, explicitly flagged as a "follow-up" item in the prior review.

Summary

All Medium and above findings have been resolved. The original security fixes (RPC ID injection, constant-time MAC comparison, Shutter c3 validation), correctness fixes (RLP null-items early-return, PatriciaTree empty-storage guard, Flashbots validation ordering, BlockchainBridge receipt mismatch), and network fix (HelloMessage protocol code length limit) are all sound. Tests have been added for every previously untested fix. The SSZ DecodeBool validation additions (C-28/C-29) are correct and consistent with the existing decoder style.

The one remaining Low finding (IncrementBytesReceivedMetric int parameter) is acknowledged, has no practical impact, and is suitable for a follow-up cleanup.

This PR is ready to merge.

LukaszRozmej
LukaszRozmej approved these changes May 6, 2026
View reviewed changes
Comment thread src/Nethermind/Nethermind.Runner/JsonRpc/Startup.cs Outdated
Comment thread src/Nethermind/Nethermind.Serialization.Ssz/Ssz.BasicTypes.cs
@alexb5dh alexb5dh merged commit af45402 into master May 8, 2026
660 of 663 checks passed
@alexb5dh alexb5dh deleted the fix/ai-audit-1 branch May 8, 2026 13:21
@alexb5dh alexb5dh mentioned this pull request May 12, 2026
Merged
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@claude claude[bot] claude[bot] left review comments

@flcl42 flcl42 flcl42 approved these changes

@LukaszRozmej LukaszRozmej LukaszRozmej approved these changes

@svlachakis svlachakis svlachakis approved these changes

@benaadams benaadams Awaiting requested review from benaadams benaadams is a code owner

@asdacap asdacap Awaiting requested review from asdacap asdacap is a code owner

@damian-orzechowski damian-orzechowski Awaiting requested review from damian-orzechowski damian-orzechowski is a code owner

@Marchhill Marchhill Awaiting requested review from Marchhill Marchhill is a code owner

@ak88 ak88 Awaiting requested review from ak88 ak88 is a code owner

@rubo rubo Awaiting requested review from rubo rubo is a code owner

@marcindsobczak marcindsobczak Awaiting requested review from marcindsobczak marcindsobczak is a code owner

@smartprogrammer93 smartprogrammer93 Awaiting requested review from smartprogrammer93 smartprogrammer93 is a code owner

Assignees

No one assigned

Labels

bug fix + reliability network rpc state+storage trie

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@alexb5dh @flcl42 @LukaszRozmej @svlachakis