
[codex] Harden verifier and tooling security #52

Draft
adamkrellenstein wants to merge 1 commit into crypto/constant-size-stateless from codex/security-scan-hardening


@adamkrellenstein

Contributor

Summary

Addresses the Codex Security scan findings on top of PR #50.

  • Caps verifier challenge batch size before expensive planning or parameter loading.
  • Bounds proof-supplied aggregation depth against ledger/root policy to prevent expensive parameter generation.
  • Converts public field parsing helpers from panic-prone APIs to fallible validation.
  • Requires digest-pinned Picus Docker images and read-only source mounts.
  • Tightens release/demo/fuzz workflow hygiene around mutable npm installs, local serving, and fuzz lockfile checks.

Root Cause

Several verifier and tooling paths trusted caller-controlled or environment-controlled inputs too early. In the verifier, oversized challenge batches and inflated proof depth could reach expensive code before cheap bounds checks. In tooling, mutable Docker image selection and broad writable mounts made local/CI Picus execution less reproducible than intended.

Impact

The verifier now rejects malformed or oversized inputs before expensive work, ledger roots carry enough depth policy to validate accepted historical roots, parsing helpers return errors instead of panicking, and developer tooling has safer defaults.

Validation

  • cargo check --workspace
  • cargo test -p kontor-crypto-core
  • cargo test -p kontor-crypto --test verifier_edge_cases -- --nocapture
  • cargo test -p kontor-crypto --test stateless_verify -- --nocapture
  • cargo test -p kontor-crypto ledger --lib -- --nocapture
  • cargo metadata --manifest-path fuzz/Cargo.toml --locked --offline --format-version=1
  • cargo check --manifest-path fuzz/Cargo.toml --locked --offline --tests
  • cargo fmt --all -- --check
  • cargo clippy --all-targets --all-features --workspace -- -D warnings
  • cargo test --all-features --workspace
  • Pre-push hook: fmt, clippy, cargo nextest run with 314 passed / 5 skipped, and cargo audit with existing allowed RustSec warnings
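
The ordering described under Root Cause and Impact above (cheap bounds checks and fallible parsing before any expensive work), as an added Rust sketch. It is not code from this PR or from kontor-crypto; the names `verify`, `parse_field`, `load_params`, `Proof`, `RootPolicy` and the limits `MAX_BATCH` and `FIELD_BYTES` are assumptions made for illustration.

```rust
// Added illustration: every name and limit here is hypothetical, not kontor-crypto's API.
use std::cell::Cell;
const MAX_BATCH: usize = 64; // assumed cap on challenges per verify call
const FIELD_BYTES: usize = 32; // assumed encoded field element size

#[derive(Debug, PartialEq)]
pub enum VerifyError {
    BatchTooLarge { got: usize, max: usize },
    DepthExceedsPolicy { got: u32, max: u32 },
    BadFieldEncoding { index: usize, len: usize },
}

pub struct Proof { pub aggregation_depth: u32 } // proof-supplied, untrusted
pub struct RootPolicy { pub max_depth: u32 } // depth policy stored with the ledger root

// Fallible parser: a wrong-length input is an error value, never a panic.
pub fn parse_field(index: usize, bytes: &[u8]) -> Result<[u8; FIELD_BYTES], VerifyError> {
    if bytes.len() != FIELD_BYTES {
        return Err(VerifyError::BadFieldEncoding { index, len: bytes.len() });
    }
    let mut out = [0u8; FIELD_BYTES];
    out.copy_from_slice(bytes);
    Ok(out)
}

// Stand-in for parameter generation whose cost grows with depth; counts its calls.
fn load_params(depth: u32, calls: &Cell<u32>) -> u64 {
    calls.set(calls.get() + 1);
    1u64 << depth.min(63)
}

pub fn verify(proof: &Proof, batch: &[Vec<u8>], policy: &RootPolicy, calls: &Cell<u32>) -> Result<u64, VerifyError> {
    // O(1) bounds checks on caller-controlled sizes come first.
    if batch.len() > MAX_BATCH {
        return Err(VerifyError::BatchTooLarge { got: batch.len(), max: MAX_BATCH });
    }
    if proof.aggregation_depth > policy.max_depth {
        return Err(VerifyError::DepthExceedsPolicy { got: proof.aggregation_depth, max: policy.max_depth });
    }
    for (i, c) in batch.iter().enumerate() { parse_field(i, c)?; } // linear validation
    // Only validated input reaches the expensive step.
    Ok(load_params(proof.aggregation_depth, calls))
}

fn main() {
    let calls = Cell::new(0);
    let r = verify(&Proof { aggregation_depth: 40 }, &[vec![0u8; 32]], &RootPolicy { max_depth: 8 }, &calls);
    println!("{:?}, expensive calls = {}", r, calls.get());
}
```

The call counter makes the property testable: every rejected input must leave the expensive step uncalled.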

@codspeed-hq

codspeed-hq Bot commented Jun 24, 2026


Merging this PR will not alter performance

✅ 13 untouched benchmarks
⏩ 13 skipped benchmarks [1]


Comparing codex/security-scan-hardening (c35891f) with crypto/constant-size-stateless (137bb9e)


Footnotes

  1. 13 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.
