
security: input validation hardening (#854)#903

Merged
bug-ops merged 3 commits into main from feat/854-input-validation
Feb 25, 2026

Conversation

bug-ops (Owner) commented Feb 25, 2026

Closes #854. Implements all three child issues in parallel.

Changes

#868 — Gateway webhook payload validation (zeph-gateway)

  • WebhookPayload::validate() enforces byte limits: sender/channel <= 256 bytes, body <= 65536 bytes; returns HTTP 422 on failure
  • sanitize_control_chars() strips ASCII control chars (0x00–0x1F, 0x7F, preserving \n) from sender and channel
  • 11 unit tests covering valid, boundary, oversized, and control char cases

#872 — ACP null-byte cache key collision (zeph-acp)

  • Null bytes stripped from tool_name before format!("{session_id}\0{tool_name}") in both check_permission and run_permission_handler
  • Unit test verifying no cross-cache contamination via injected null bytes

#875 — Config max_body_size upper bound (zeph-core)

  • validate() rejects gateway.max_body_size > 10_485_760 (10 MiB) with descriptive error
  • 2 unit tests: rejection at 20 MiB, acceptance at exact 10 MiB boundary

Verification

  • cargo +nightly fmt --check — passed
  • cargo clippy --workspace -- -D warnings — 0 warnings
  • cargo nextest run --workspace --lib --bins — 2722 tests passed

- zeph-gateway: enforce per-field byte limits on WebhookPayload (sender/channel <= 256, body <= 65536) and strip ASCII control chars from sender/channel to prevent prompt injection (#868)
- zeph-acp: strip null bytes from tool names before cache key construction to eliminate key collision vector (#872)
- zeph-core: bound gateway.max_body_size to 10 MiB in config validation to prevent memory exhaustion from misconfiguration (#875)
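The three rules listed in the description, as an added Rust example that is not zeph's own code: the constants, the `WebhookPayload` shape and every function name here are assumptions chosen to illustrate the technique. It also shows two points the bullets only imply: why the limit has to be measured in bytes rather than characters (a short string of multi-byte UTF-8 can still exceed 256 bytes), and the exact collision that stripping null bytes from `tool_name` closes when `\0` is also the key separator.

```rust
// Added illustration, not zeph's own code: the three rules the PR describes,
// with constants and names chosen here as assumptions.

const MAX_FIELD_BYTES: usize = 256;            // sender / channel limit
const MAX_BODY_BYTES: usize = 65_536;          // body limit
const MAX_BODY_SIZE_CONFIG: u64 = 10_485_760;  // 10 MiB cap on gateway.max_body_size

#[derive(Debug, PartialEq)]
pub enum ValidationError {
    /// A payload field exceeds its byte limit; the gateway would map this to HTTP 422.
    TooLong { field: &'static str, len: usize, max: usize },
    /// gateway.max_body_size is above the hard upper bound.
    BodySizeTooLarge { value: u64, max: u64 },
}

#[derive(Debug, Clone)]
pub struct WebhookPayload {
    pub sender: String,
    pub channel: String,
    pub body: String,
}

fn check_len(field: &'static str, value: &str, max: usize) -> Result<(), ValidationError> {
    // str::len() is the UTF-8 byte length, not the char count, so the limit
    // holds regardless of how many bytes each character occupies.
    let len = value.len();
    if len > max {
        Err(ValidationError::TooLong { field, len, max })
    } else {
        Ok(())
    }
}

impl WebhookPayload {
    /// Enforce per-field byte limits before the payload goes any further.
    pub fn validate(&self) -> Result<(), ValidationError> {
        check_len("sender", &self.sender, MAX_FIELD_BYTES)?;
        check_len("channel", &self.channel, MAX_FIELD_BYTES)?;
        check_len("body", &self.body, MAX_BODY_BYTES)
    }

    /// Copy with control characters removed from sender and channel; body is untouched.
    pub fn sanitized(&self) -> WebhookPayload {
        WebhookPayload {
            sender: sanitize_control_chars(&self.sender),
            channel: sanitize_control_chars(&self.channel),
            body: self.body.clone(),
        }
    }
}

/// Strip ASCII control characters (0x00..=0x1F and 0x7F) but keep '\n'.
pub fn sanitize_control_chars(s: &str) -> String {
    s.chars().filter(|&c| c == '\n' || !c.is_ascii_control()).collect()
}

/// Pre-fix key construction: a NUL inside tool_name is indistinguishable from
/// the NUL separator, so two different (session, tool) pairs can share a key.
pub fn naive_cache_key(session_id: &str, tool_name: &str) -> String {
    format!("{session_id}\0{tool_name}")
}

/// Hardened key construction: NUL bytes are removed from tool_name first.
pub fn permission_cache_key(session_id: &str, tool_name: &str) -> String {
    let tool_name: String = tool_name.chars().filter(|&c| c != '\0').collect();
    format!("{session_id}\0{tool_name}")
}

/// Config-level upper bound on gateway.max_body_size.
pub fn validate_max_body_size(value: u64) -> Result<(), ValidationError> {
    if value > MAX_BODY_SIZE_CONFIG {
        Err(ValidationError::BodySizeTooLarge { value, max: MAX_BODY_SIZE_CONFIG })
    } else {
        Ok(())
    }
}

fn main() {
    // Constructed sample: 100 four-byte emoji is only 100 chars but 400 bytes.
    let p = WebhookPayload {
        sender: "😀".repeat(100),
        channel: "ops\x1b[31m".into(),
        body: "hi".into(),
    };
    println!("validate: {:?}", p.validate());
    println!("sanitized channel: {:?}", p.sanitized().channel);
    println!("naive keys collide: {}", naive_cache_key("a", "b\0c") == naive_cache_key("a\0b", "c"));
    println!("hardened keys collide: {}", permission_cache_key("a", "b\0c") == permission_cache_key("a\0b", "c"));
}
```

The `check_len` comment is the part worth keeping in mind when reviewing such limits: in Rust `len()` on a `str` is bytes, which is what a body-size bound needs, whereas a `chars().count()` check would let a 100-character sender slip past a 256-byte limit at 400 bytes.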
@bug-ops bug-ops enabled auto-merge (squash) February 25, 2026 18:38
@bug-ops bug-ops merged commit fa6ac70 into main Feb 25, 2026
25 checks passed
@bug-ops bug-ops deleted the feat/854-input-validation branch February 25, 2026 18:52

Labels: core, documentation (Improvements or additions to documentation), rust, size/M
