ayush00git opened a new pull request, #3615:
URL: https://github.com/apache/fory/pull/3615

   ## Why?
   This PR addresses two critical security vulnerabilities in the Fory Go 
runtime.
   Both issues stemmed from trusting integer values (references/indices) read 
directly from the wire. A maliciously crafted payload could provide an 
out-of-bounds index (either too large or negative), triggering a runtime panic. 
In a server environment, this would allow an attacker to perform a Denial of 
Service (DoS) attack by crashing the Go process with a single malicious packet.
   
   ## What does this PR do?
   
   - Bounds Checking in `RefResolver`: added an upper-bound check in 
`GetReadObject` to ensure `refId` does not exceed the size of the `readObjects` 
slice.
   - Bounds Checking in `MetaStringResolver`: added a lower-bound check in 
`ReadMetaStringBytes` to prevent negative index panics (e.g., when a header 
value of 1 is provided).
   - Security & Regression Tests: added unit tests in `ref_resolver_test.go` and `meta_string_resolver_test.go` that specifically reproduce the OOB and negative-index panics.
   - Added boundary regression tests to verify that valid edge cases (indices 0 and `len-1`) still function correctly.
   
   ## Related issues
   Closes #3614
   
   ## AI Contribution Checklist
   
   <!-- Full requirements and disclosure template:
   
https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs
 -->
   
   - [ ] Substantial AI assistance was used in this PR: `yes` / `no`
   - [ ] If `yes`, I included a completed [AI Contribution 
Checklist](https://github.com/apache/fory/blob/main/AI_POLICY.md#9-contributor-checklist-for-ai-assisted-prs)
 in this PR description and the required `AI Usage Disclosure`.
   - [ ] If `yes`, my PR description includes the required `ai_review` summary 
and screenshot evidence of the final clean AI review results from both fresh 
reviewers on the current PR diff or current HEAD after the latest code changes.
   
   <!-- If substantial AI assistance = `yes`, paste the completed checklist and 
disclosure block here, including the final ai_review summary and screenshot 
evidence from both fresh reviewers on the current PR diff or current HEAD after 
the latest code changes. -->
   
   ## Does this PR introduce any user-facing change?
   
   <!--
   If any user-facing interface changes, please [open an 
issue](https://github.com/apache/fory/issues/new/choose) describing the need to 
do so and update the document if necessary.
   
   Delete section if not applicable.
   -->
   
   - [ ] Does this PR introduce any public API change?
   - [ ] Does this PR introduce any binary protocol compatibility change?
   
   ## Benchmark
   N/A


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
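The two bugs the PR describes share one root cause: an integer read from the wire is used as a slice index before anyone checks it. The following added example (not code from the Fory project or from this PR) sketches the pattern with hypothetical `refResolver` and `metaStringResolver` types: the unchecked lookup panics on a hostile index, the hardened lookups reject both negative and oversized values before indexing, and `survivesPanic` is the regression-test helper that turns "the process would crash" into a checkable boolean. The meta string header layout (low bit flags a new string, remaining bits a 1-based back-reference, so header 1 decodes to -1) is an assumption chosen to reproduce the negative case the PR mentions, not Fory's actual encoding.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrOutOfRange replaces a runtime panic with an error the caller can handle.
var ErrOutOfRange = errors.New("index read from wire is out of range")

type refResolver struct{ readObjects []any } // hypothetical stand-in: objects read so far

// getReadObjectUnchecked mirrors the vulnerable pattern: a wire-supplied refId
// indexes the slice directly, so an oversized or negative value panics the process.
func (r *refResolver) getReadObjectUnchecked(refId int32) any {
	return r.readObjects[refId]
}

// getReadObject is the hardened form: reject anything outside [0, len) before indexing.
func (r *refResolver) getReadObject(refId int32) (any, error) {
	if refId < 0 || int(refId) >= len(r.readObjects) {
		return nil, fmt.Errorf("%w: refId=%d len=%d", ErrOutOfRange, refId, len(r.readObjects))
	}
	return r.readObjects[refId], nil
}

type metaStringResolver struct{ readStrings []string } // hypothetical: strings seen so far

// readMetaString uses an assumed header layout (not Fory's real encoding): low bit flags
// a new string, the rest is a 1-based back-reference, so header 1 yields index -1.
func (m *metaStringResolver) readMetaString(header uint32) (string, error) {
	idx := int(header>>1) - 1
	if idx < 0 || idx >= len(m.readStrings) {
		return "", fmt.Errorf("%w: meta string index %d", ErrOutOfRange, idx)
	}
	return m.readStrings[idx], nil
}

// survivesPanic runs fn and reports false if it panicked, as a regression test would.
func survivesPanic(fn func()) (ok bool) {
	defer func() { ok = recover() == nil && ok }()
	ok = true
	fn()
	return ok
}

func main() {
	r := &refResolver{readObjects: []any{"a", "b"}} // constructed sample data
	fmt.Println(survivesPanic(func() { r.getReadObjectUnchecked(7) })) // false: unchecked path panics
}
```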
