fix: security audit round 5 + email display bugs #75

Merged
adrgs merged 3 commits into main from fix/security-audit-aisafe-round5 on Apr 5, 2026
@adrgs (Owner) commented Apr 5, 2026

Summary

  • SMTP bounded read: Replace unbounded read_line() with read_line_limited() using fill_buf()/consume() — prevents OOM from newline-free input (AIS-ASO-REF-003)
  • SMTP whitespace preservation: Use trim_end() instead of trim() in DATA mode to preserve MIME header folding — fixes HTML/text body extraction for multipart emails
  • Cache double-count fix: Subtract old entry size before limit check in set() — prevents false "storage exceeded" on key replacement (AIS-ASO-REF-004)
  • Blocked headers expansion: Block Set-Cookie, Location, CSP on main domain /r/ routing (AIS-ASO-REF-009)
  • JWT_SECRET validation: Reject known placeholders and enforce min 32 chars at startup (AIS-ASO-REF-002)
  • Sentry scrubbing: Strip token/share params from all breadcrumb types + event.request.url (AIS-ASO-REF-005)
  • Frontend email display: Fix text tab fallback showing raw email, remove squished base64 block from Raw SMTP view
  • jsonwebtoken: Bump 9.2 → 9.3 for CVE-2026-25537 patch

Test plan

  • cargo clippy -- -D warnings passes
  • cargo test — 79 passed, 0 failed
  • bun run lint + bun run tsc --noEmit — clean
  • Manual: send multipart email, verify HTML tab renders correctly
  • Manual: verify Raw SMTP Transaction is readable (no squished base64)

🤖 Generated with Claude Code

adrgs and others added 3 commits April 5, 2026 15:09
… bugs

- SMTP: bounded read_line_limited() prevents OOM from newline-free input
- SMTP: preserve leading whitespace in DATA mode for MIME header folding
- Cache: fix double-counting on key replacement in set() size check
- Routes: block Set-Cookie/Location/CSP headers on main domain /r/ routing
- Config: reject known JWT_SECRET placeholders and enforce min 32 chars
- Sentry: scrub token/share params from all breadcrumb types + event URLs
- Frontend: fix text tab fallback, remove squished base64 raw SMTP block
- Deps: bump jsonwebtoken 9.2 → 9.3

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@adrgs adrgs merged commit 394fc37 into main Apr 5, 2026
5 checks passed
@adrgs adrgs deleted the fix/security-audit-aisafe-round5 branch April 5, 2026 13:20
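
The bounded read named in the first Summary item, as an added Rust example that is not the project's code. The `read_line_limited` signature, the `MAX_LINE` value and the sample input are assumptions; only the function name and the `fill_buf()`/`consume()` approach come from the PR description.

```rust
use std::io::{self, BufRead, BufReader, ErrorKind};

// Assumed cap (not the project's value): RFC 5321 text lines are at most 1000 octets.
pub const MAX_LINE: usize = 1000;

/// Hypothetical signature. Appends one line (through '\n') to `out` and returns
/// the bytes read; Ok(0) means EOF. Fails before `out` can grow past `max`.
pub fn read_line_limited<R: BufRead>(r: &mut R, out: &mut Vec<u8>, max: usize) -> io::Result<usize> {
    let mut total = 0;
    loop {
        // Borrow what the reader has buffered; nothing is allocated here.
        let buf = match r.fill_buf() {
            Ok(b) => b,
            Err(e) if e.kind() == ErrorKind::Interrupted => continue,
            Err(e) => return Err(e),
        };
        if buf.is_empty() {
            return Ok(total); // EOF (a partial line if total > 0)
        }
        // Take up to and including the first newline in this chunk, if any.
        let (take, done) = match buf.iter().position(|&b| b == b'\n') {
            Some(i) => (i + 1, true),
            None => (buf.len(), false),
        };
        // Check the cap before copying. The oversized chunk is left unconsumed:
        // the caller should reply with an error and close the connection.
        if total + take > max {
            return Err(io::Error::new(ErrorKind::InvalidData, "line exceeds limit"));
        }
        out.extend_from_slice(&buf[..take]);
        r.consume(take);
        total += take;
        if done {
            return Ok(total);
        }
    }
}

fn main() {
    // Constructed input: 1 MiB with no newline, the case read_line() would buffer whole.
    let flood = vec![b'A'; 1 << 20];
    let mut r = BufReader::with_capacity(4096, &flood[..]);
    let mut line = Vec::new();
    let res = read_line_limited(&mut r, &mut line, MAX_LINE);
    println!("error: {}, bytes buffered: {}", res.is_err(), line.len());
}
```

Because the function returns the line terminator along with the content, a caller in DATA mode can strip only the trailing bytes and keep leading whitespace intact.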