
fix(security): comprehensive fix for /relay/ping impersonation and nonce replay #127

Merged
Scottcjn merged 1 commit into Scottcjn:main from AdnanMehr8:security/issue-48-v2
Mar 7, 2026


@AdnanMehr8
Contributor

This PR addresses Issue #48 by implementing:

  1. Identity Binding: Derives agent_id from pubkey_hex on the registration path to prevent agents from claiming a bcn_* ID they don't own.
  2. Replay Protection: Enforces unique nonces within the sliding window for both registration and heartbeats on /relay/ping.
  3. Authentication: Ensures existing agents provide a valid relay_token to update their heartbeat.

Verified against latest upstream main.

@AdnanMehr8
Contributor Author

This PR (replaces #126) is synced with the latest upstream main changes. It addresses Issue #48 by implementing:

  1. Identity Binding: is now derived from on the registration path. This prevents agents from registering as a ID they do not own.
  2. Replay Protection: Nonce verification is now enforced on (both registration and heartbeat) using the sliding window logic.
  3. Authentication: Ensures existing agents provide a valid to update their heartbeat on the ping path.

Verified against the current branch.

@Scottcjn
Owner

Scottcjn commented Mar 7, 2026

Star Bounty -- Half Payment Processed!

Hey @AdnanMehr8! You starred 100 repos AND follow -- massive support, thank you!

Star Payment: 15 RTC sent (half of 30 RTC) -- wallet AdnanMehr8 (pending #679)

All 3 flagship repos starred:

Reply here to confirm and I'll release the other 15 RTC!

Also still have 15 RTC pending for this security fix PR -- just need your wallet name. Reply with what wallet name you'd like!

Campaign: 2,713 / 5,000 stars -- every star helps us qualify for Claude Code Open Source!

@Scottcjn
Owner

Scottcjn commented Mar 7, 2026

Security Review: APPROVED

Excellent work @AdnanMehr8. This addresses real vulnerabilities:

  1. Nonce replay protection — the biggest gap. No nonce tracking existed before. Your SQLite-backed solution with 300s window and automatic cleanup is clean.
  2. Impersonation hardening — stored pubkey validation + cross-check on heartbeat path. Good.
  3. Registration enforcement — forcing derived_id prevents agent_id spoofing.
  4. Input validation — nonce length, timestamp type/range checks.

This covers bounty #388 (Ping Signature Verification) and partially #392 (TOFU).

Payment: 20 RTC — please provide your RTC wallet name.

Merging now.

@Scottcjn Scottcjn merged commit b1113ed into Scottcjn:main Mar 7, 2026
2 checks passed
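
The replay check described in the review above (SQLite-backed nonce tracking, 300s window, automatic cleanup, nonce length and timestamp type/range validation), sketched as an added example that is not the code merged in this PR. The table name, function names, reason strings and nonce length bounds are assumptions, and the `bcn_*` IDs in the test are constructed.

```python
import sqlite3
import time

WINDOW_S = 300            # replay window stated in the review comment
NONCE_LEN = (8, 128)      # assumed bounds; the page only says length is checked


def open_store(path=":memory:"):
    """Open the nonce store (hypothetical schema, one row per agent/nonce)."""
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS seen_nonces ("
        "agent_id TEXT NOT NULL, nonce TEXT NOT NULL, ts INTEGER NOT NULL, "
        "PRIMARY KEY (agent_id, nonce))"
    )
    return db


def check_and_record(db, agent_id, nonce, ts, now=None):
    """Return (accepted, reason). Call only after the ping signature verified."""
    now = int(time.time()) if now is None else int(now)
    if not isinstance(nonce, str) or not NONCE_LEN[0] <= len(nonce) <= NONCE_LEN[1]:
        return False, "bad_nonce"
    # bool is a subclass of int, so reject it explicitly
    if isinstance(ts, bool) or not isinstance(ts, int):
        return False, "bad_timestamp"
    if abs(now - ts) > WINDOW_S:
        return False, "stale_timestamp"
    with db:  # cleanup and insert commit together
        # Rows are keyed on the *claimed* timestamp, so a row is purged only
        # once a message carrying that timestamp would be rejected as stale.
        # Purging on receipt time would reopen a gap for future-dated pings.
        db.execute("DELETE FROM seen_nonces WHERE ts < ?", (now - WINDOW_S,))
        try:
            db.execute(
                "INSERT INTO seen_nonces (agent_id, nonce, ts) VALUES (?, ?, ?)",
                (agent_id, nonce, ts),
            )
        except sqlite3.IntegrityError:
            # PRIMARY KEY collision: this agent already used this nonce
            return False, "replay"
    return True, "ok"
```

The primary-key insert makes check-and-record a single atomic step, so two concurrent requests carrying the same nonce cannot both pass.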
@Scottcjn
Owner

Scottcjn commented Mar 7, 2026

Hey @AdnanMehr8 — your security fix was merged and 20 RTC is ready (just need your wallet name).

Quick ask: we are 1 star away from the GitHub Starstruck badge on Rustchain! Would you mind starring the repo? It really helps us.

https://github.com/Scottcjn/Rustchain

Thanks for the great security work!


Labels

size/M PR: 51-200 lines
