feat: add pedantic subject validation and max payload enforcement on PUB

Move max payload validation from the parser to ProcessPubAsync so the server sends -ERR 'Maximum Payload Violation' and closes the connection (matching Go reference client.go:2442). In pedantic mode, reject PUB with wildcard subjects via -ERR 'Invalid Publish Subject' (client.go:2869). Add disposed guard to SubList.Remove to prevent crash during shutdown.
2026-02-22 21:49:01 -05:00
parent 9d0d5064ac
commit d14d73a7d0
4 changed files with 117 additions and 6 deletions
--- a/src/NATS.Server/NatsClient.cs
+++ b/src/NATS.Server/NatsClient.cs
@@ -169,7 +169,7 @@ public sealed class NatsClient : IDisposable

            case CommandType.Pub:
            case CommandType.HPub:
-                ProcessPub(cmd);
+                await ProcessPubAsync(cmd);
                break;
        }
    }
@@ -220,11 +220,28 @@ public sealed class NatsClient : IDisposable
            sl.SubList.Remove(sub);
    }

-    private void ProcessPub(ParsedCommand cmd)
+    private async ValueTask ProcessPubAsync(ParsedCommand cmd)
    {
        Interlocked.Increment(ref InMsgs);
        Interlocked.Add(ref InBytes, cmd.Payload.Length);

+        // Max payload validation (always, hard close)
+        if (cmd.Payload.Length > _options.MaxPayload)
+        {
+            _logger.LogWarning("Client {ClientId} exceeded max payload: {Size} > {MaxPayload}",
+                Id, cmd.Payload.Length, _options.MaxPayload);
+            await SendErrAndCloseAsync(NatsProtocol.ErrMaxPayloadViolation);
+            return;
+        }
+
+        // Pedantic mode: validate publish subject
+        if (ClientOpts?.Pedantic == true && !SubjectMatch.IsValidPublishSubject(cmd.Subject!))
+        {
+            _logger.LogDebug("Client {ClientId} invalid publish subject: {Subject}", Id, cmd.Subject);
+            await SendErrAsync(NatsProtocol.ErrInvalidPublishSubject);
+            return;
+        }
+
        ReadOnlyMemory<byte> headers = default;
        ReadOnlyMemory<byte> payload = cmd.Payload;

--- a/src/NATS.Server/Protocol/NatsParser.cs
+++ b/src/NATS.Server/Protocol/NatsParser.cs
@@ -203,10 +203,10 @@ public sealed class NatsParser
            throw new ProtocolViolationException("Invalid PUB arguments");
        }

-        if (size < 0 || size > _maxPayload)
+        if (size < 0)
            throw new ProtocolViolationException("Invalid payload size");

-        // Now read payload + \r\n
+        // Now read payload + \r\n (max payload enforcement is done at the client level)
        buffer = buffer.Slice(afterLine);
        _awaitingPayload = true;
        _expectedPayloadSize = size;
@@ -253,7 +253,7 @@ public sealed class NatsParser
            throw new ProtocolViolationException("Invalid HPUB arguments");
        }

-        if (hdrSize < 0 || totalSize < 0 || hdrSize > totalSize || totalSize > _maxPayload)
+        if (hdrSize < 0 || totalSize < 0 || hdrSize > totalSize)
            throw new ProtocolViolationException("Invalid HPUB sizes");

        buffer = buffer.Slice(afterLine);
--- a/src/NATS.Server/Subscriptions/SubList.cs
+++ b/src/NATS.Server/Subscriptions/SubList.cs
@@ -15,8 +15,13 @@ public sealed class SubList : IDisposable
    private readonly TrieLevel _root = new();
    private Dictionary<string, SubListResult>? _cache = new(StringComparer.Ordinal);
    private uint _count;
+    private volatile bool _disposed;

-    public void Dispose() => _lock.Dispose();
+    public void Dispose()
+    {
+        _disposed = true;
+        _lock.Dispose();
+    }

    public uint Count
    {
@@ -95,6 +100,7 @@ public sealed class SubList : IDisposable

    public void Remove(Subscription sub)
    {
+        if (_disposed) return;
        _lock.EnterWriteLock();
        try
        {