Commit 12b0764
committed
fix(opcua,#386): input validation + cross-pipeline alarm collision check (bburda review)
Two security/correctness gaps from bburda's review on PR #387:
(1) **fault_code / comment unbounded input.** ``execute_operation`` for
``acknowledge_fault`` / ``confirm_fault`` accepted operator input
without length cap or charset filter:
- ``fault_code`` was concatenated into log lines and HTTP error bodies
via ``"...fault_code=\" + fault_code + \"...\"`` - newlines, control
chars, or multi-MB blobs would land verbatim in gateway logs.
- ``comment`` was wrapped as ``LocalizedText`` and forwarded verbatim to
the PLC's condition log - an authenticated operator role could spam
the PLC with multi-MB blobs on every ack.
Both now validated at the operation entry: ``fault_code`` must match
``is_valid_path_segment`` (alphanumeric + ``_`` + ``-``, 1-256 chars,
matching the existing entity-id bound) and ``comment`` is capped at 256
chars. Failures return HTTP 400 with the actual length so the operator
sees the bound, not a silent truncation.
(2) **Cross-pipeline alarm collision uncaught.** The previous
mutual-exclusion check in ``NodeMap::load`` (which I added in response
to Copilot review) caught ``alarm_source`` misplaced under ``nodes:``,
but missed the genuine collision worth checking: the same
``(entity_id, fault_code)`` declared by both threshold polling
(``nodes[*].alarm``) and event subscription (``event_alarms``).
fault_manager would receive both pipelines' calls and the resulting
status flapping is impossible to debug at runtime; the two paths have
different semantics (debounced vs state-machine) so a merge is not
even well-defined.
``NodeMap::load`` now builds a set of ``(entity_id, fault_code)`` keys
from ``event_alarms`` and rejects the whole file if any
``nodes[*].alarm`` matches a key already claimed by an event alarm.
Two new gtest cases lock the contract:
- ``RejectsThresholdEventAlarmCollision`` - same ``(tank_process,
PLC_OVERPRESSURE)`` declared by both -> load returns false.
- ``AcceptsDifferentFaultCodesAcrossPipelines`` - same entity but
distinct fault_codes per pipeline -> load passes (no false-positive).
Local verify: 34/34 test_node_map + 13/13 test_opcua_plugin.1 parent dac0b72 commit 12b0764
3 files changed
Lines changed: 107 additions & 0 deletions
File tree
- src/ros2_medkit_plugins/ros2_medkit_opcua
- src
- test
Lines changed: 26 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
21 | 21 | | |
22 | 22 | | |
23 | 23 | | |
| 24 | + | |
24 | 25 | | |
25 | 26 | | |
26 | 27 | | |
| 28 | + | |
27 | 29 | | |
28 | 30 | | |
29 | 31 | | |
| |||
351 | 353 | | |
352 | 354 | | |
353 | 355 | | |
| 356 | + | |
| 357 | + | |
| 358 | + | |
| 359 | + | |
| 360 | + | |
| 361 | + | |
| 362 | + | |
| 363 | + | |
| 364 | + | |
| 365 | + | |
| 366 | + | |
| 367 | + | |
| 368 | + | |
| 369 | + | |
| 370 | + | |
| 371 | + | |
| 372 | + | |
| 373 | + | |
| 374 | + | |
| 375 | + | |
| 376 | + | |
| 377 | + | |
| 378 | + | |
| 379 | + | |
354 | 380 | | |
355 | 381 | | |
356 | 382 | | |
| |||
Lines changed: 21 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
909 | 909 | | |
910 | 910 | | |
911 | 911 | | |
| 912 | + | |
| 913 | + | |
| 914 | + | |
| 915 | + | |
| 916 | + | |
| 917 | + | |
| 918 | + | |
| 919 | + | |
| 920 | + | |
| 921 | + | |
| 922 | + | |
| 923 | + | |
| 924 | + | |
| 925 | + | |
| 926 | + | |
| 927 | + | |
| 928 | + | |
| 929 | + | |
| 930 | + | |
| 931 | + | |
| 932 | + | |
912 | 933 | | |
913 | 934 | | |
914 | 935 | | |
| |||
Lines changed: 60 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
521 | 521 | | |
522 | 522 | | |
523 | 523 | | |
| 524 | + | |
| 525 | + | |
| 526 | + | |
| 527 | + | |
| 528 | + | |
| 529 | + | |
| 530 | + | |
| 531 | + | |
| 532 | + | |
| 533 | + | |
| 534 | + | |
| 535 | + | |
| 536 | + | |
| 537 | + | |
| 538 | + | |
| 539 | + | |
| 540 | + | |
| 541 | + | |
| 542 | + | |
| 543 | + | |
| 544 | + | |
| 545 | + | |
| 546 | + | |
| 547 | + | |
| 548 | + | |
| 549 | + | |
| 550 | + | |
| 551 | + | |
| 552 | + | |
| 553 | + | |
| 554 | + | |
| 555 | + | |
| 556 | + | |
| 557 | + | |
| 558 | + | |
| 559 | + | |
| 560 | + | |
| 561 | + | |
| 562 | + | |
| 563 | + | |
| 564 | + | |
| 565 | + | |
| 566 | + | |
| 567 | + | |
| 568 | + | |
| 569 | + | |
| 570 | + | |
| 571 | + | |
| 572 | + | |
| 573 | + | |
| 574 | + | |
| 575 | + | |
| 576 | + | |
| 577 | + | |
| 578 | + | |
| 579 | + | |
| 580 | + | |
| 581 | + | |
| 582 | + | |
| 583 | + | |
524 | 584 | | |
525 | 585 | | |
526 | 586 | | |
| |||
0 commit comments