Prevent receiver panic paths #1704

Draft
spacebear21 wants to merge 1 commit into payjoin:master from spacebear21:fix-audit-panics

Conversation

@spacebear21 (Collaborator)

Summary

This addresses the panic items from the 1.0 API audit before the 1.0 freeze. The crate advertises panic-free error handling, so network-supplied receiver inputs and persisted replay logs should fail through normal error paths instead of being able to abort the process.

This fixes the sender-controlled additionalfeeoutputindex path by rejecting indexes that do not refer to an original PSBT output before fee adjustment, with a checked lookup in the shared fee code as defense in depth.

It also fixes malformed v2 replay logs by returning an invalid event payload replay error when IdentifiedReceiverOutputs is empty or out of range, or when CommittedOutputs no longer contains the receiver change output.

Disclosure: co-authored by Codex

Reject sender additional fee indexes that do not refer to an
original PSBT output before fee adjustment.

Validate replay event payloads before reconstructing receiver states.
Malformed logs now return replay errors instead of creating invalid
change outputs.
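The two checks the description and commit message refer to, as an added Rust illustration. This is not code from the payjoin crate or from this PR: the `TxOut` struct, the `ReceiveError` variants and the function names are assumptions, and only `additionalfeeoutputindex`, `IdentifiedReceiverOutputs` and `CommittedOutputs` come from the PR text. It shows the early range check on the sender's index, the checked lookup and checked subtraction in the fee path as defense in depth, and the replay-log payload validation that turns malformed logs into errors.

```rust
// Added illustration, not code from the payjoin crate or this PR. `TxOut`,
// `ReceiveError` and the function names are assumptions; only
// `additionalfeeoutputindex`, `IdentifiedReceiverOutputs` and
// `CommittedOutputs` come from the PR text.

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct TxOut {
    pub value_sat: u64,
    pub script_pubkey: Vec<u8>,
}

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ReceiveError {
    /// additionalfeeoutputindex does not name an original PSBT output.
    InvalidAdditionalFeeOutputIndex { index: usize, num_outputs: usize },
    /// Deducting the fee would underflow the chosen output's value.
    InsufficientOutputValue { index: usize, value_sat: u64, fee_sat: u64 },
    /// A persisted replay event cannot be reconstructed into a valid state.
    InvalidEventPayload(String),
}

/// First check: validate the sender-supplied index against the ORIGINAL PSBT
/// outputs before any fee adjustment, so out-of-range network input becomes
/// an error instead of reaching an indexing expression that would panic.
pub fn validate_additional_fee_output_index(
    original_outputs: &[TxOut],
    index: Option<usize>,
) -> Result<Option<usize>, ReceiveError> {
    match index {
        None => Ok(None),
        Some(i) if i < original_outputs.len() => Ok(Some(i)),
        Some(i) => Err(ReceiveError::InvalidAdditionalFeeOutputIndex {
            index: i,
            num_outputs: original_outputs.len(),
        }),
    }
}

/// Defense in depth in the shared fee code: `get_mut` instead of
/// `outputs[index]` and `checked_sub` instead of `-`, so neither a bad index
/// nor an oversized fee can abort the process if a caller skipped the check.
pub fn apply_additional_fee(
    outputs: &mut [TxOut],
    index: usize,
    fee_sat: u64,
) -> Result<(), ReceiveError> {
    let num_outputs = outputs.len();
    let out = outputs
        .get_mut(index)
        .ok_or(ReceiveError::InvalidAdditionalFeeOutputIndex { index, num_outputs })?;
    let value_sat = out.value_sat;
    out.value_sat = value_sat
        .checked_sub(fee_sat)
        .ok_or(ReceiveError::InsufficientOutputValue { index, value_sat, fee_sat })?;
    Ok(())
}

/// Replay-log check: IdentifiedReceiverOutputs must be non-empty and in range
/// of the outputs it was recorded against (assumed here to be the session's
/// candidate outputs), and CommittedOutputs must still contain the receiver
/// change output. Anything else is a replay error rather than a rebuilt state.
pub fn validate_replay_outputs(
    candidate_outputs: &[TxOut],
    identified_receiver_outputs: &[usize],
    committed_outputs: &[TxOut],
    receiver_change: &TxOut,
) -> Result<(), ReceiveError> {
    let payload_err = |msg: String| -> Result<(), ReceiveError> {
        Err(ReceiveError::InvalidEventPayload(msg))
    };
    if identified_receiver_outputs.is_empty() {
        return payload_err("IdentifiedReceiverOutputs is empty".to_string());
    }
    let n = candidate_outputs.len();
    if let Some(bad) = identified_receiver_outputs.iter().copied().find(|&i| i >= n) {
        return payload_err(format!(
            "IdentifiedReceiverOutputs index {bad} out of range for {n} outputs"
        ));
    }
    if !committed_outputs.contains(receiver_change) {
        return payload_err(
            "CommittedOutputs no longer contains the receiver change output".to_string(),
        );
    }
    Ok(())
}

fn main() {
    // Constructed two-output "original PSBT": a sender pointing at output 5
    // is rejected up front, and the checked lookup refuses it again later.
    let original = vec![
        TxOut { value_sat: 50_000, script_pubkey: vec![0x00, 0x14, 0xaa] },
        TxOut { value_sat: 10_000, script_pubkey: vec![0x00, 0x14, 0xbb] },
    ];
    println!("{:?}", validate_additional_fee_output_index(&original, Some(5)));
    let mut adjusted = original.clone();
    println!("{:?}", apply_additional_fee(&mut adjusted, 5, 1_000));
}
```

Keeping both layers matters because the fee code is shared: the early check protects the normal receiver flow, while the checked lookup keeps any other caller of the fee path from reintroducing the panic.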
spacebear21 marked this pull request as draft July 2, 2026 01:55
@coveralls (Collaborator)

Coverage Report for CI Build 28559937547

Coverage increased (+0.06%) to 85.805%

Details

  • Coverage increased (+0.06%) from the base build.
  • Patch coverage: 9 uncovered changes across 4 files (126 of 135 lines covered, 93.33%).
  • No coverage regressions found.

Uncovered Changes

File                                      Changed  Covered       %
payjoin/src/core/receive/v2/mod.rs             31       27   87.1%
payjoin/src/core/receive/error.rs               3        0    0.0%
payjoin/src/core/receive/common/mod.rs         27       26   96.3%
payjoin/src/core/receive/mod.rs                25       24   96.0%
Total (6 files)                               135      126  93.33%

Coverage Regressions

No coverage regressions found.
Coverage Stats

Coverage Status
Relevant Lines: 15442
Covered Lines: 13250
Line Coverage: 85.8%
Coverage Strength: 352.98 hits per line

@DanGould (Member) commented Jul 2, 2026

concept ACK on fixing the index getting, not this particular code tho

3 participants