fix(kaitai): restrict sizes for Kaitai struct#194
Merged
Conversation
Some tests were not running because they were returning values other than Unit. This can be easy to miss in Kotlin because the return types are inferred. Make this something that JUnit halts the build instead of just warning.
Let Kaitai Struct handle more of the validation logic by supplying the expected sizes where possible. Fixes GHSA-ch3q-cw5r-f4hg
kruton
force-pushed
the
kaitai-struct-sizes
branch
from
2084005 to
1db4fb4
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
This PR strengthens SSH/Kaitai parsing robustness to address GHSA-ch3q-cw5r-f4hg by adding explicit size/count validations in Kaitai .ksy specs and by standardizing how Kaitai validation/parse failures are surfaced to callers (e.g., as TransportException) with new regression tests.
Changes:
- Add Kaitai
validexpressions to ensure declared lengths/counts cannot exceed remaining bytes (and basic sanity constraints for packet framing). - Introduce a shared helper (
kaitaiParseFailureOrNull) to detect Kaitai/underflow parse failures and wrap them intoTransportExceptionat key boundaries. - Add/extend unit tests covering malformed packet/agent frames and length validation failures.
Reviewed changes
Copilot reviewed 26 out of 26 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| sshlib/src/main/kotlin/org/connectbot/sshlib/transport/PacketIO.kt | Wrap Kaitai payload-parse failures as TransportException("Malformed SSH packet payload", …) |
| sshlib/src/main/kotlin/org/connectbot/sshlib/KaitaiParsing.kt | Add helper to detect Kaitai/underflow parse failures in exception cause chains |
| sshlib/src/main/kotlin/org/connectbot/sshlib/client/SshConnection.kt | Wrap Kaitai parse failures from packet loop into a transport-level error (needs adjustment) |
| sshlib/src/main/kotlin/org/connectbot/sshlib/client/AgentProtocolHandler.kt | Treat Kaitai parse failures as malformed agent requests and return SSH_AGENT_FAILURE |
| sshlib/src/test/kotlin/org/connectbot/sshlib/transport/PacketIOTest.kt | Add regression test for wrapping Kaitai validation failures |
| sshlib/src/test/kotlin/org/connectbot/sshlib/SshClientTest.kt | Add regression test for connect returning ProtocolError on malformed server packet |
| sshlib/src/test/kotlin/org/connectbot/sshlib/protocol/KaitaiLengthValidationTest.kt | New tests asserting Kaitai valid length/count validations trip correctly |
| sshlib/src/test/kotlin/org/connectbot/sshlib/AgentProtocolTest.kt | Add tests for rejecting malformed agent frames/payloads and not masking provider exceptions |
| protocol/src/main/resources/kaitai/ascii_string.ksy | Add remaining-bytes validation to length field |
| protocol/src/main/resources/kaitai/byte_string.ksy | Add remaining-bytes validation to length field |
| protocol/src/main/resources/kaitai/ecdsa_signature_blob.ksy | Add remaining-bytes validation to blob length |
| protocol/src/main/resources/kaitai/encrypted_packet.ksy | Validate encrypted payload length matches remaining bytes (excluding MAC) |
| protocol/src/main/resources/kaitai/etm_mac.ksy | Validate encrypted packet length matches remaining bytes |
| protocol/src/main/resources/kaitai/mpint.ksy | Add remaining-bytes validation to length field |
| protocol/src/main/resources/kaitai/name_list.ksy | Add remaining-bytes validation to entries length |
| protocol/src/main/resources/kaitai/restrict_destination_constraint.ksy | Bound keyspec counts by remaining bytes |
| protocol/src/main/resources/kaitai/ssh_agent_identities_answer.ksy | Bound identity count by remaining bytes |
| protocol/src/main/resources/kaitai/ssh_agent_message.ksy | Validate agent frame length matches remaining bytes |
| protocol/src/main/resources/kaitai/ssh_msg_ext_info.ksy | Bound extension count by remaining bytes |
| protocol/src/main/resources/kaitai/ssh_msg_userauth_info_request.ksy | Bound prompt count by remaining bytes |
| protocol/src/main/resources/kaitai/ssh_msg_userauth_info_response.ksy | Bound response count by remaining bytes |
| protocol/src/main/resources/kaitai/ssh_public_key.ksy | Add remaining-bytes validation to algorithm name length |
| protocol/src/main/resources/kaitai/ssh_signature.ksy | Add remaining-bytes validation to algorithm name length |
| protocol/src/main/resources/kaitai/unencrypted_packet.ksy | Validate packet framing fields (len_packet, padding length) |
| protocol/src/main/resources/kaitai/userauth_request_gssapi_with_mic.ksy | Bound mechanism count by remaining bytes |
| protocol/src/main/resources/kaitai/utf8_string.ksy | Add remaining-bytes validation to length field |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
kruton
force-pushed
the
kaitai-struct-sizes
branch
2 times, most recently
from
0d33a57 to
6c8311e
Compare
kruton
force-pushed
the
kaitai-struct-sizes
branch
2 times, most recently
from
b7f9a25 to
4d40972
Compare
kruton
force-pushed
the
kaitai-struct-sizes
branch
from
4d40972 to
5b7aa81
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Let Kaitai Struct handle more of the validation logic by supplying the expected sizes where possible.
Fixes GHSA-ch3q-cw5r-f4hg