ayush00git opened a new pull request, #3615: URL: https://github.com/apache/fory/pull/3615
## Why?

This PR addresses two critical security vulnerabilities in the Fory Go runtime. Both issues stemmed from trusting integer values (references/indices) read directly from the wire. A maliciously crafted payload could provide an out-of-bounds index (either too large or negative), triggering a runtime panic. In a server environment, this would allow an attacker to perform a Denial of Service (DoS) attack by crashing the Go process with a single malicious packet.

## What does this PR do?

- Bounds Checking in `RefResolver`: added an upper-bound check in `GetReadObject` to ensure `refId` does not exceed the size of the `readObjects` slice.
- Bounds Checking in `MetaStringResolver`: added a lower-bound check in `ReadMetaStringBytes` to prevent negative index panics (e.g., when a header value of 1 is provided).
- Security & Regression Tests: Added unit tests in `ref_resolver_test.go` and `meta_string_resolver_test.go` that specifically reproduce the OOB and negative-index panics.
- Added boundary regression tests to verify that valid edge cases (indices 0 and `len-1`) still function correctly.

## Related issues

Closes #3614

## AI Contribution Checklist

<!-- Full requirements and disclosure template: https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs -->

- [ ] Substantial AI assistance was used in this PR: `yes` / `no`
- [ ] If `yes`, I included a completed [AI Contribution Checklist](https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs) in this PR description and the required `AI Usage Disclosure`.
- [ ] If `yes`, my PR description includes the required `ai_review` summary and screenshot evidence of the final clean AI review results from both fresh reviewers on the current PR diff or current HEAD after the latest code changes.
<!-- If substantial AI assistance = `yes`, paste the completed checklist and disclosure block here, including the final ai_review summary and screenshot evidence from both fresh reviewers on the current PR diff or current HEAD after the latest code changes. -->

## Does this PR introduce any user-facing change?

<!-- If any user-facing interface changes, please [open an issue](https://github.com/apache/fory/issues/new/choose) describing the need to do so and update the document if necessary. Delete section if not applicable. -->

- [ ] Does this PR introduce any public API change?
- [ ] Does this PR introduce any binary protocol compatibility change?

## Benchmark

N/A
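The failure mode the PR describes, a wire-supplied index used directly as a slice subscript, and the two-sided bounds check that replaces it, as an added stand-alone example. This is not Fory's code: `RefTable`, `LookupUnchecked`, `Lookup`, `DecodeRefID` and the four-byte little-endian index format are hypothetical stand-ins constructed for the demo, chosen only to play the role of `readObjects` and `GetReadObject` in the description above.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// ErrIndexOutOfRange is returned for any wire-supplied index that is not a
// valid position in the table.
var ErrIndexOutOfRange = errors.New("wire index out of range")

// RefTable is a hypothetical stand-in for a deserializer's list of objects
// already read from the stream (the role Fory's readObjects slice plays in the
// PR). It is demo code, not Fory's resolver.
type RefTable struct {
	readObjects []any
}

// NewDemoTable builds a table with three constructed entries, so indices 0..2
// are valid and 3, 7 and -1 are not.
func NewDemoTable() *RefTable {
	return &RefTable{readObjects: []any{"alpha", "beta", "gamma"}}
}

// LookupUnchecked reproduces the pre-fix pattern: the index from the wire is
// used as-is. A too-large or negative refID panics with a runtime index error,
// which in a server is the single-packet crash the PR describes.
func (t *RefTable) LookupUnchecked(refID int32) any {
	return t.readObjects[refID]
}

// Lookup is the hardened form: reject a negative index and one at or past
// len() before touching the slice, and surface the failure as an error the
// caller can map to a protocol error instead of a process crash.
func (t *RefTable) Lookup(refID int32) (any, error) {
	if refID < 0 || int(refID) >= len(t.readObjects) {
		return nil, fmt.Errorf("%w: refId=%d, len=%d", ErrIndexOutOfRange, refID, len(t.readObjects))
	}
	return t.readObjects[refID], nil
}

// DecodeRefID reads a little-endian int32 index from a payload. This is a
// constructed toy wire format for the demo, not Fory's encoding; the point is
// that the decoded value is attacker-controlled and may be negative.
func DecodeRefID(payload []byte) (int32, error) {
	if len(payload) < 4 {
		return 0, errors.New("short payload")
	}
	return int32(binary.LittleEndian.Uint32(payload)), nil
}

// Resolve chains decode and the checked lookup the way a deserializer would.
func (t *RefTable) Resolve(payload []byte) (any, error) {
	id, err := DecodeRefID(payload)
	if err != nil {
		return nil, err
	}
	return t.Lookup(id)
}

// Panics reports whether fn panics; used only to demonstrate the pre-fix crash.
func Panics(fn func()) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	fn()
	return false
}

func main() {
	tbl := NewDemoTable()
	// Constructed malicious payloads: index 7 (too large) and -1 (0xFFFFFFFF).
	tooLarge := []byte{0x07, 0x00, 0x00, 0x00}
	negative := []byte{0xFF, 0xFF, 0xFF, 0xFF}
	for _, p := range [][]byte{tooLarge, negative} {
		id, _ := DecodeRefID(p)
		fmt.Printf("refId=%d unchecked panics: %v\n", id, Panics(func() { tbl.LookupUnchecked(id) }))
		_, err := tbl.Resolve(p)
		fmt.Printf("refId=%d checked: %v\n", id, err)
	}
	v, _ := tbl.Resolve([]byte{0x02, 0x00, 0x00, 0x00})
	fmt.Println("refId=2 checked:", v)
}
```

Both comparisons in `Lookup` matter: checking only `refID >= len` still panics on a negative value, and checking only `refID < 0` still panics on a large one. Casting to `int` before comparing with `len()` avoids a signed/unsigned mismatch, and indices 0 and `len-1` stay valid, which is what the PR's boundary regression tests confirm.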
