Skip to content

[codex] add DM metadata poisoning PoC#3305

Draft
holmesworcester wants to merge 1 commit into
feat/2571-private-dms-desktopfrom
codex/poc-dm-metadata-poisoning
Draft

[codex] add DM metadata poisoning PoC#3305
holmesworcester wants to merge 1 commit into
feat/2571-private-dms-desktopfrom
codex/poc-dm-metadata-poisoning

Conversation

@holmesworcester

Copy link
Copy Markdown
Collaborator

Adds a focused PoC test for the forged DM channel metadata issue reviewed against PR #3263.

The test demonstrates that a non-admin member can submit forged deterministic DM metadata with roleName=member, have validateEntry accept it, and cause future messages sent through that channel record to be encrypted to the broad member role. It then verifies another member outside the intended DM can decrypt the resulting message.

Validation run locally with Node 20.20.1:

  • npm run test -- ./src/nest/storage/channels/channels.service.spec.ts --silent

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant