fix(security): H1-H3 High findings from 2026-05-19 audit (supersedes #125)#167
Merged
Conversation
8 tasks
H1 - route WS chat.join/chat.send through asobi_chat_acl:authorized/2, the shared DM/world/group predicate the HTTP history endpoint already uses. Without it any authenticated player could join dm:<a>:<b> and eavesdrop. ACL logic extracted from asobi_chat_controller into asobi_chat_acl and consumed by both paths. H2 - asobi_body_cap_plugin rejects HTTP bodies > 1 MiB and chunked requests without content-length before nova_request_plugin buffers them into the heap. Wired as the first pre_request plugin. H3 - asobi_world_lobby:list_worlds_cached/0,1 caches world.list for 500ms via an ETS table owned by asobi_world_lobby_server, stopping a WS flood from fanning out synchronous get_info calls. find_or_create stays uncached. H4 (nova/cowlib bump) already landed on main independently - main is on cowlib 2.17.1, newer than this audit's 2.16.1 target, so the H4 rebar changes are intentionally dropped.
Review of the H1-H3 re-land (asobi-architecture-guardian,
beam-security-reviewer, erlang-code-reviewer) surfaced two defects in the
fixes themselves plus test gaps:
H3 (High) - the cache was keyed on the raw, attacker-controlled filter
map. `mode` is unbounded, so a client cycling distinct modes forced a
miss on every request (defeating the cache) and grew the ETS table
without bound - a new memory-DoS inside a DoS mitigation. Now keyed on
the has_capacity boolean only (<=2 rows); mode is applied in-memory on
the cached list. Also bound `mode` to 64 bytes in the HTTP controller to
match the WS path.
H3 (Low, defence-in-depth) - cache table was `public`; any in-node
process could poison the shared world list. Now `protected` and written
only by asobi_world_lobby_server via a new cache_worlds/3 cast; callers
still read directly.
H2 (Medium) - reject/4 returned {break,...}, which nova maps to a
2-tuple {ok,Req} that cowboy's stream handler has no clause for ->
case_clause crash of the request process on every 411/413 (log/CPU
amplification). Now returns {stop,...}, which cowboy handles cleanly.
Tests: cache tests rewritten for the bounded-key scheme incl. a
distinct-modes-do-not-grow-table assertion; body-cap tests assert {stop};
new asobi_chat_ws_SUITE covers the H1 WS wiring end-to-end (third-party
dm join/send rejected, member join allowed).
Fixed a Unicode 'x' in a doc comment (ASCII only).
c42467a to
bb24598
Compare
This was referenced Jul 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Re-lands the three unmerged High findings from the 2026-05-19 security audit (report kept internal, not in this public repo). Supersedes #125, which was 8 weeks stale.
Why not just merge #125
H4 (nova/cowlib bump) already landed on main independently — main is on
cowlib 2.17.1, newer than #125's2.16.1target, so merging #125 as-is would have downgraded cowlib. H4 is dropped here; H1/H2/H3 were still genuinely open and are re-landed on current main.Findings fixed
chat.join/chat.sendnow enforceasobi_chat_acl:authorized/2(the shared dm/world/group predicate the HTTP history path already used). Previously WS join only validated the channel-id shape, so any authenticated player could joindm:<a>:<b>and eavesdrop. ACL logic extracted fromasobi_chat_controllerintoasobi_chat_acl, consumed by both paths.asobi_body_cap_plugin(firstpre_requestplugin) rejects bodies > 1 MiB and chunked-without-content-length beforenova_request_pluginbuffers them into the heap.asobi_world_lobby:list_worlds_cached/0,1: a 500 ms cache overworld.listso a WS flood can't fan out synchronousget_info/1calls per running world.find_or_createstays uncached (TOCTOU serialization preserved).Review-driven hardening (3-agent gate: architecture-guardian → beam-security-reviewer → erlang-code-reviewer)
The review caught defects in the fixes themselves, all addressed:
modeis unbounded → a client cycling modes forced a miss every request (cache = no-op vs an attacker) and grew the ETS table without bound (a new memory-DoS inside a DoS mitigation). Now keyed on thehas_capacityboolean only (≤2 rows),modeapplied in-memory;modealso bounded to 64 B in the HTTP controller to match the WS path.reject/4returned{break,…}, which nova maps to a 2-tuple{ok,Req}that cowboy's stream handler has no clause for →case_clausecrash of the request process on every 411/413 (log/CPU amplification). Now returns{stop,…}.public(any in-node process could poison it). Nowprotected, written only byasobi_world_lobby_servervia acache_worlds/3cast; callers still read directly.Known / deferred
require_content_length => true, an HTTP/2 client sending a POST without content-length gets 411. First-party SDKs send content-length; flagged as a conscious config choice.Test plan
rebar3 fmt --check✓ ·xref✓ ·dialyzer✓elp eqwalize✓ (all changed modulesNO ERRORS)elp lint✓ (no findings in changed files)rebar3 eunit— 324 tests, 0 failuresrebar3 ct— 249 tests, 0 failures (incl. newasobi_chat_ws_SUITEcovering the H1 WS wiring end-to-end: third-party dm join/send rejected, member join allowed)