Harden archive entry parsing against integer overflows and panics

[ChanTsune]

🛡️ Sentinel: [CRITICAL/HIGH] Fix integer overflow and panic-on-malformed-input in archive parsing

🚨 Severity: HIGH
💡 Vulnerability: Unchecked arithmetic in archive entry parsing and splitting logic. Specifically, the time crate's Duration addition (+) panics on overflow, and usize additions for size/offset calculations were unchecked.
🎯 Impact: A maliciously crafted archive with extreme timestamp values (e.g., i64::MAX seconds combined with nanoseconds) or very large chunk sizes could cause the archiver to panic and crash (DoS).
🔧 Fix: Replaced unchecked additions with checked_add (returning io::Error) for structured metadata and saturating_add for size/length calculations. Hardened chunk splitting logic to safely handle potential overflows during boundary checks.
✅ Verification: Ran all unit and integration tests (cargo test). Verified that cargo clippy and cargo fmt pass. Manually verified (during development) that extreme duration values no longer cause panics. Addresses feedback from security code review.

Recorded learnings in .jules/sentinel.md.

---

PR created automatically by Jules for task 3712612792793867657 started by @ChanTsune

Summary by CodeRabbit

• Bug Fixes
  • Improved timestamp handling to gracefully manage edge cases with extreme time values, preventing errors in scenarios with boundary timestamp conditions.

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 68c45ca3-a030-4591-a8fa-191567fc960c

📥 Commits

Reviewing files that changed from the base of the PR and between 5493c0a and 1037d48.

📒 Files selected for processing (1)

• lib/src/entry.rs

🚧 Files skipped from review as they are similar to previous changes (1)

• lib/src/entry.rs

---

📝 Walkthrough

Walkthrough

In NormalEntry::try_from, timestamp construction logic replaces direct duration addition with saturating_add when combining base timestamp values with nanosecond components, preventing overflow panics by clamping to maximum instead.

Changes

Timestamp Overflow Safety

Layer / File(s)	Summary
Timestamp Merging lib/src/entry.rs	ctime, mtime, and atime timestamp-nanosecond combinations now use saturating_add with unwrap_or(0) fallback instead of unchecked + operator to prevent arithmetic overflow.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

• ChanTsune/Portable-Network-Archive#3018: Similar overflow safety improvement replacing unchecked arithmetic with saturating/checked operations in NormalEntry::try_from.

Poem

A rabbit hops through timestamp lands,
Where overflow once slipped through hands—
Now saturation holds the line,
No panics wreck the merge divine! 🐰⏰

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the main objective: hardening archive entry parsing against integer overflows and panics, which aligns with the core changes in the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel/harden-entry-parsing-3712612792793867657

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request hardens archive parsing against integer overflows and panics by replacing unchecked arithmetic with checked and saturating operations. Key changes include using checked_add for timestamp calculations with explicit error handling and saturating_add for size and length calculations. Review feedback suggests using Option::map and Result::transpose for more idiomatic timestamp processing and warns that the use of is_none_or may break compatibility with Rust versions older than 1.82.0.

[coderabbitai]

🧹 Nitpick comments (1)

lib/src/entry.rs (1)

684-704: ⚡ Quick win

Consider extracting the timestamp+nanos overflow combination into a helper.

The three blocks for ctime/mtime/atime are structurally identical and only differ in the field and error label. Extracting a small helper reduces duplication and prevents future divergence (e.g., one branch silently dropping the overflow check on a later edit).

♻️ Proposed refactor

+        fn combine(
+            secs: Option<Duration>,
+            ns: Option<u32>,
+            field: &'static str,
+        ) -> io::Result<Option<Duration>> {
+            match secs {
+                Some(t) => t
+                    .checked_add(Duration::nanoseconds(ns.unwrap_or(0) as i64))
+                    .map(Some)
+                    .ok_or_else(|| {
+                        io::Error::new(
+                            io::ErrorKind::InvalidData,
+                            format!("{field} overflow"),
+                        )
+                    }),
+                None => Ok(None),
+            }
+        }
+        let ctime = combine(ctime, ctime_ns, "ctime")?;
+        let mtime = combine(mtime, mtime_ns, "mtime")?;
+        let atime = combine(atime, atime_ns, "atime")?;
-        let ctime = match ctime {
-            Some(t) => Some(
-                t.checked_add(Duration::nanoseconds(ctime_ns.unwrap_or(0) as _))
-                    .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "ctime overflow"))?,
-            ),
-            None => None,
-        };
-        let mtime = match mtime {
-            Some(t) => Some(
-                t.checked_add(Duration::nanoseconds(mtime_ns.unwrap_or(0) as _))
-                    .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "mtime overflow"))?,
-            ),
-            None => None,
-        };
-        let atime = match atime {
-            Some(t) => Some(
-                t.checked_add(Duration::nanoseconds(atime_ns.unwrap_or(0) as _))
-                    .ok_or_else(|| io::Error::new(io::ErrorKind::InvalidData, "atime overflow"))?,
-            ),
-            None => None,
-        };

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@lib/src/entry.rs` around lines 684 - 704, Extract the repeated pattern that
adds nanoseconds and checks overflow into a small helper (e.g., a function like
add_ts_with_nanos_checked) and use it for ctime, mtime, and atime; the helper
should accept the Option<time> and the corresponding nanos Option (and a field
name string for the error), call Duration::nanoseconds, use checked_add, and
return io::Result<Option<...>> so you can replace the three match blocks with
calls to that helper and produce errors like "<field> overflow" consistently.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@lib/src/entry.rs`:
- Around line 684-704: Extract the repeated pattern that adds nanoseconds and
checks overflow into a small helper (e.g., a function like
add_ts_with_nanos_checked) and use it for ctime, mtime, and atime; the helper
should accept the Option<time> and the corresponding nanos Option (and a field
name string for the error), call Duration::nanoseconds, use checked_add, and
return io::Result<Option<...>> so you can replace the three match blocks with
calls to that helper and produce errors like "<field> overflow" consistently.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: faca6ca6-d5e8-4811-89ee-974eeac58e85

📥 Commits

Reviewing files that changed from the base of the PR and between a84eadf and 5493c0a.

📒 Files selected for processing (2)

• .jules/sentinel.md
• lib/src/entry.rs