
Security Hardening & Documentation Refresh #1200


Draft: wants to merge 6 commits into base adv/docs
Conversation

peter-lawrey
Copy link
Member

@peter-lawrey peter-lawrey commented Jun 3, 2025

A security-focused hardening sweep for Chronicle Wire that adds the contributor guidance needed to keep it that way.

📚 Docs & Process

| File | Change |
|---|---|
| AGENTS.md | Adds Security checklist section – every PR must: 1) run a security diff review, 2) forbid committing secrets, 3) document deliberate trade-offs. |
| src/main/adoc/security-review.adoc, index.adoc | New AsciiDoc detailing known trade-offs (unsafe, field-less binary, TL caches, etc.) and links it from the doc index. |

πŸ› οΈ Runtime Safeguards

Area What’s new Risk mitigated
Path traversal / SSRF MarshallableOutBuilder & FileMarshallableOut now reject file:// paths containing ..; HTTPMarshallableOut validates that the host is not local/site-local unless allowLocalhost() is explicitly enabled. Accidental or malicious file overwrite, internal network probes
Self-describing trivially-copyable objects Hard limit of 256 primitive fields per description; exceeding triggers IllegalStateException. CPU / OOM bombs, malformed-description memory corruption
ConfigLoader Rejects property-expansion values containing LF/CR to prevent YAML structure injection. Arbitrary YAML injection, config confusion
Builder opt-in MarshallableOutBuilder.allowLocalhost() flag to override SSRF check for trusted test rigs. Safer defaults
URL sanity check helper Centralised validation for file and HTTP builders. Consistency

🧪 Tests

  • FileMarshallableOutValidationTest – path traversal rejection
  • MarshallableOutBuilderTest – SSRF guard + localhost opt-in
  • EmbeddedBytesMarshallableTest – field-count ceiling
  • ConfigLoaderInjectionTest – newline-injection rejection
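
The three runtime checks the PR description lists (the ".." rejection for file:// paths, the local/site-local host guard with an allowLocalhost opt-in, and the CR/LF rejection for property-expansion values) are simple enough to show together. The class below is an added example written for this page; it is not Chronicle Wire's code, and the class and method names (UrlSanityCheckExample, checkFileUrl, checkHttpUrl, checkExpansionValue) and the sample URLs are assumptions chosen to illustrate the checks, not the project's API.

```java
import java.net.InetAddress;
import java.net.URI;
import java.net.UnknownHostException;

/**
 * Illustrative stand-in for a centralised URL / config sanity check.
 * Added example, not Chronicle Wire's implementation; all names are assumed.
 */
public final class UrlSanityCheckExample {
    private UrlSanityCheckExample() {
    }

    /** Rejects a file:// URL whose decoded path contains a ".." segment; returns the path otherwise. */
    public static String checkFileUrl(String url) {
        URI uri = URI.create(url);
        if (!"file".equals(uri.getScheme()))
            throw new IllegalArgumentException("not a file:// URL: " + url);
        // getPath() percent-decodes, so an encoded "%2e%2e" segment is caught as well.
        String path = uri.getPath();
        if (path == null || path.isEmpty())
            throw new IllegalArgumentException("file URL has no path: " + url);
        for (String segment : path.split("/")) {
            if ("..".equals(segment))
                throw new IllegalArgumentException("rejected path traversal in " + url);
        }
        return path;
    }

    /**
     * Rejects an http(s) URL whose host resolves to a loopback, link-local, site-local or
     * wildcard address unless allowLocalhost is set; returns the parsed URI otherwise.
     */
    public static URI checkHttpUrl(String url, boolean allowLocalhost) throws UnknownHostException {
        URI uri = URI.create(url);
        String scheme = uri.getScheme();
        if (!"http".equals(scheme) && !"https".equals(scheme))
            throw new IllegalArgumentException("not an http(s) URL: " + url);
        String host = uri.getHost();
        if (host == null)
            throw new IllegalArgumentException("URL has no host: " + url);
        if (!allowLocalhost) {
            // Check every address the name resolves to, not only the first one.
            for (InetAddress addr : InetAddress.getAllByName(host)) {
                if (addr.isLoopbackAddress() || addr.isSiteLocalAddress()
                        || addr.isLinkLocalAddress() || addr.isAnyLocalAddress())
                    throw new IllegalArgumentException("SSRF guard: " + host
                            + " resolves to internal address " + addr.getHostAddress());
            }
        }
        return uri;
    }

    /** Rejects a property-expansion value containing CR or LF so it cannot add YAML lines. */
    public static String checkExpansionValue(String key, String value) {
        if (value.indexOf('\n') >= 0 || value.indexOf('\r') >= 0)
            throw new IllegalArgumentException("property " + key + " contains a line break");
        return value;
    }

    public static void main(String[] args) throws UnknownHostException {
        // Constructed sample inputs; literal IPs and "localhost" need no DNS lookup.
        String[] fileUrls = {
            "file:///var/data/out.yaml",
            "file:///var/data/../../etc/passwd",
            "file:///var/%2e%2e/etc/passwd"
        };
        for (String u : fileUrls) {
            try { System.out.println("accept " + checkFileUrl(u)); }
            catch (IllegalArgumentException e) { System.out.println("reject " + e.getMessage()); }
        }
        String[] httpUrls = {
            "http://127.0.0.1:8080/ingest",
            "http://10.0.0.5/ingest",
            "http://[::1]/ingest",
            "http://169.254.169.254/latest/meta-data/"
        };
        for (String u : httpUrls) {
            try { System.out.println("accept " + checkHttpUrl(u, false)); }
            catch (IllegalArgumentException e) { System.out.println("reject " + e.getMessage()); }
        }
        // Explicit opt-in for a trusted test rig.
        System.out.println("accept " + checkHttpUrl("http://localhost:8080/ingest", true));
        try { checkExpansionValue("app.name", "demo\nadmin: true"); }
        catch (IllegalArgumentException e) { System.out.println("reject " + e.getMessage()); }
    }
}
```

Two caveats a reviewer would raise against any guard of this shape. First, InetAddress.isSiteLocalAddress() covers RFC 1918 IPv4 ranges and the deprecated fec0::/10 block, but not IPv6 unique-local addresses (fc00::/7), so those need an explicit prefix check if IPv6-only internal services matter. Second, resolving the host at build time and connecting later is a time-of-check/time-of-use gap (DNS rebinding); the address actually connected to should be re-checked at connect time, or the resolved address pinned.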

@peter-lawrey peter-lawrey requested a review from tgd June 3, 2025 12:13
@peter-lawrey peter-lawrey changed the title Adv/sec Security Hardening & Documentation Refresh Jun 3, 2025
@peter-lawrey peter-lawrey marked this pull request as draft June 4, 2025 08:21