@@ -414,3 +414,33 @@
| C3-HIGH-4 | `collect_reachable`, `collect_tree_objects`, `collect_tree_entry_objects` now take a depth parameter. At depth > 64, raises (caught by existing try/rescue in `collect_objects`). | cycle3_fixes_test.exs (2 tests) |
| C3-HIGH-5 | `parse_want_lines` and `parse_have_lines` now validate SHAs with `~r/\A[0-9a-f]{40}\z/`. Invalid SHAs return `{:error, {:invalid_want_sha, sha}}` or `{:error, {:invalid_have_sha, sha}}`. | cycle3_fixes_test.exs (7 tests) |
---
## Red Team Cycle 4
**Auditors**: 2 parallel auditors verified all cycle 3 fixes correct.
### New findings from cycle 4:
| ID | Severity | Finding | Disposition |
|----|----------|---------|-------------|
| NEW-C4-1 | High | `collect_reachable` depth counter conflates commit-chain depth with tree depth — repos with >64 commits fail clone (regression from cycle 3) | **Fixed in cycle 4** — removed depth param from `collect_reachable`, tree depth starts at 0 per commit |
| NEW-HIGH-1 | High | `diag/3` in Myers diff is non-tail-recursive — stack overflow on large files | **Fixed in cycle 4** — refactored to accumulator-based `diag_acc/4` |
| NEW-HIGH-2 | High | OFS_DELTA negative offset overflow crashes process via invalid binary match | **Fixed in cycle 4** — added `base_offset < 0` guard, returns `{:error, :invalid_ofs_delta_offset}` |
| NEW-C4-3 | High | `read_varint` in delta.ex has no continuation byte limit | **Fixed in cycle 4** — added `@max_varint_bytes 10` guard |
| NEW-C4-2 | High | receive_pack SHA validation gap (consistency with upload_pack) | **Fixed in cycle 4** — added `@sha_hex_pattern` validation to `parse_command_line` |
---
## Fix Cycle 4 (this commit)
**5 fixes.** 469 tests, 0 failures.
| Finding | Fix Summary | Tests |
|---------|-------------|-------|
| NEW-C4-1 | Removed `depth` parameter from `collect_reachable` entirely. Commit chain traversal is bounded by `visited` MapSet (no depth limit needed). Each commit's tree traversal starts at depth 0 in `collect_tree_objects`. Tree depth limit remains enforced in `collect_tree_objects`/`collect_tree_entry_objects`. | cycle4_fixes_test.exs (2 tests: 70-commit chain succeeds, deep tree still rejected) |
| NEW-HIGH-1 | Replaced non-tail-recursive `diag/3` with accumulator-based `diag_acc/4` using `Enum.reverse(acc)` pattern. Prevents stack overflow on large equal sequences in diffs. | cycle4_fixes_test.exs (5 tests: correctness + 10K-line stress test) |
| NEW-HIGH-2 | Added `if base_offset < 0` guard after computing `offset - neg_offset` in OFS_DELTA handler. Returns `{:error, :invalid_ofs_delta_offset}` instead of crashing on negative binary size. | cycle4_fixes_test.exs (2 tests) |
| NEW-C4-3 | Added `@max_varint_bytes 10` limit to `read_varint` in delta.ex. Consumed counter tracks continuation bytes; exceeding 10 returns `{:error, :varint_too_long}`. | cycle4_fixes_test.exs (4 tests) |
| NEW-C4-2 | Added `@sha_hex_pattern ~r/\A[0-9a-f]{40}\z/` validation to `parse_command_line` in receive_pack.ex. Invalid SHAs in push commands return `{:error, {:invalid_sha_format, cmd_str}}`. | cycle4_fixes_test.exs (4 tests) |
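Review bot: In the NEW-HIGH-2 row of the Fix Cycle 4 table, the guard is described only as `if base_offset < 0`, which does not cover a `neg_offset` of 0, where `offset - neg_offset` equals the object's own offset and the delta names itself as its base. If the OFS_DELTA handler does not already reject that case, suggest requiring the base to be strictly before the current object and adding a test for it; if it does, say so in this row. The NEW-C4-3 row is ambiguous at the boundary: `@max_varint_bytes 10` together with "Consumed counter tracks continuation bytes; exceeding 10" does not say whether the limit counts total bytes or continuation bytes only, so state which one and whether the 4 tests include the exact 10-byte and 11-byte inputs. Separately, the Red Team Cycle 4 line says the auditors "verified all cycle 3 fixes correct" while NEW-C4-1 is recorded as a "regression from cycle 3"; reword one of the two so the log does not contradict itself.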