fix(validation): close Theme 3 — 11 input-validation / unbounded-input findings
Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
singleton) wired into BundleImporter.LoadAsync; over-budget callers see
BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
events fault their Task and increment FailedWriteCount so the drop is
observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
(matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
(application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
deployed config; unknown names now return Success=false instead of
leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
LockedInDerived (was previously only IsLocked).
New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).
Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).
This commit is contained in:
Joseph Doherty
@@ -8,7 +8,7 @@
|
||||
| Last reviewed | 2026-05-28 |
|
||||
| Reviewer | claude-agent |
|
||||
| Commit reviewed | `1eb6e97` |
|
||||
| Open findings | 8 |
|
||||
| Open findings | 5 |
|
||||
|
||||
## Summary
|
||||
|
||||
@@ -753,9 +753,18 @@ background scheduler).
|
||||
|--|--|
|
||||
| Severity | Medium |
|
||||
| Category | Performance & resource management |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
| Location | `src/ScadaLink.SiteEventLogging/SiteEventLogger.cs:58-63` |
|
||||
|
||||
**Resolution (2026-05-28):** Switched `SiteEventLogger._writeQueue` to
|
||||
`Channel.CreateBounded<PendingEvent>` with `FullMode = BoundedChannelFullMode.DropOldest`.
|
||||
Default capacity 10,000 via new `SiteEventLogOptions.WriteQueueCapacity`. The
|
||||
`itemDropped` callback faults the dropped event's Task with
|
||||
`InvalidOperationException` and increments `FailedWriteCount` so both awaiting
|
||||
callers and Health Monitoring observe drops. `DropOldest` preserves the
|
||||
SiteEventLogging-005 "callers never block" guarantee. Test:
|
||||
`LogEventAsync_BoundedQueueDropsOldest_AndFaultsDroppedTask`.
|
||||
|
||||
**Description**
|
||||
|
||||
`SiteEventLogger` creates its background-writer feeder as
|
||||
@@ -844,9 +853,16 @@ lexicographic-comparison hazard structurally.
|
||||
|--|--|
|
||||
| Severity | Medium |
|
||||
| Category | Security |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
| Location | `src/ScadaLink.SiteEventLogging/EventLogQueryService.cs:55`, `src/ScadaLink.Commons/Messages/RemoteQuery/EventLogQueryRequest.cs:18` |
|
||||
|
||||
**Resolution (2026-05-28):** `EventLogQueryService.ExecuteQuery` now clamps
|
||||
`pageSize` to new `SiteEventLogOptions.MaxQueryPageSize` (default 500, matching
|
||||
existing `QueryPageSize` default) before issuing the SQL. Silent clamp rather
|
||||
than reject so misconfigured clients still get a usable response. Test:
|
||||
`Query_PageSize_IsClampedToMaxQueryPageSize` (asserts a request of 100,000 is
|
||||
clamped down with `HasMore = true`).
|
||||
|
||||
**Description**
|
||||
|
||||
`EventLogQueryService.ExecuteQuery` resolves the effective page size as
|
||||
@@ -970,9 +986,16 @@ SiteEventLogging.Tests).
|
||||
|--|--|
|
||||
| Severity | Low |
|
||||
| Category | Correctness & logic bugs |
|
||||
| Status | Open |
|
||||
| Status | Resolved |
|
||||
| Location | `src/ScadaLink.SiteEventLogging/SiteEventLogger.cs:144-156`, `src/ScadaLink.SiteEventLogging/ISiteEventLogger.cs:14-15` |
|
||||
|
||||
**Resolution (2026-05-28):** `LogEventAsync` now validates `severity` against
|
||||
the closed set `{Info, Warning, Error}` (case-sensitive, matches SQLite
|
||||
BINARY collation used by the query filter) and throws `ArgumentException`
|
||||
naming the offending value. `eventType` left intentionally free-form (design
|
||||
enumerates an open category set). Tests: `LogEventAsync_ThrowsOnUnknownSeverity`
|
||||
(5 cases) and `LogEventAsync_AcceptsAllDocumentedSeverities` (3 cases).
|
||||
|
||||
**Description**
|
||||
|
||||
`LogEventAsync` validates `eventType` and `severity` only for non-empty/non-whitespace.
|
||||
|
||||
Reference in New Issue
Block a user