clients/c: apply audit findings — security + CVE bump (a69e924 → new)

HIGH:
- H1: enlarge test base_with_slash buffer 64 → 80; cmake --build now
clean under -Werror=format-truncation.
- H2: CURLOPT_FOLLOWLOCATION = 0 (no cross-host bearer leak; SDK talks
to a known endpoint, redirects unexpected). MAXREDIRS dropped.
- H3: cf_admin_revoke_token validates name [A-Za-z0-9_-]+ client-side
before URL build; rejects "a/../healthz" with CF_ERR_USAGE before
the request leaves the process.
MEDIUM:
- M1: cf_buf_append overflow guards — n + len + 1 wrap-check up front;
newcap *= 2 doubling-loop bounded by SIZE_MAX/2.
- M2: 64 MiB CF_MAX_RESPONSE_BYTES cap exposed on the public header;
write_cb aborts the transfer once exceeded → CF_ERR_TRANSPORT.
- M3: CURLOPT_CONNECTTIMEOUT_MS = 10000 (was implicit 300s default).
- M4: g_curl_init_count is now _Atomic int (C11 stdatomic) using
atomic_fetch_add/sub; concurrent cf_client_new/cf_client_free across
threads no longer races the libcurl global init/cleanup transition.
LOW:
- L1: push_auth propagates CF_ERR_OOM via an out-param instead of
silently dropping the Authorization header (which previously surfaced
as a misleading 401 from the server).
- L2: write_cb size*nmemb overflow defensive guard.
CVE:
- Bump vendored cJSON 1.7.15 → 1.7.18 (fixes CVE-2024-31755:
cJSON_SetValuestring NULL-deref). cJSON.c/cJSON.h replaced from
upstream tag v1.7.18; LICENSE file unchanged. README updated.
Tests added (15 → 21):
- test_revoke_token_validates_name: path-traversal name rejected,
valid name proceeds through to transport.
- test_buf_append_overflow_guards: synthetic SIZE_MAX-edge inputs
trigger error-return rather than wrap.
- test_response_body_size_cap: mock streams 65 MiB; client aborts
with CF_ERR_TRANSPORT.
- test_connect_timeout: dial 10.255.255.1, assert <18s wallclock
(vs. libcurl's 300s default).
- test_concurrent_client_init: 4 pthreads × 50 iters, no crash, no
leak under valgrind.
- test_cjson_bump: cJSON_SetValuestring(node, NULL) returns NULL
safely; malformed cJSON_Parse returns NULL.
Verification:
- cmake --build build (Release): clean
- ctest --test-dir build: 21/21 pass (incl. 10s connect-timeout test)
- ctest --test-dir build-asan (ASan + UBSan): clean
- valgrind --leak-check=full: 10,313 allocs == 10,313 frees, 0 errors,
0 leaks
README updated: cJSON 1.7.18 note, C11 + stdatomic requirement.
Audit: memory/clawdforge-audits/c-a69e924.md
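
Added example, not code from this commit or from the SDK: a sketch of the guard pattern M1 describes (wrap check on n + len + 1 up front, capacity doubling bounded by SIZE_MAX/2) and the SIZE_MAX-edge inputs that test_buf_append_overflow_guards is said to exercise. The ex_buf type, the ex_buf_append name and the initial capacity of 64 are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical growable buffer; field names are assumptions, not the SDK's. */
typedef struct { char *data; size_t len; size_t cap; } ex_buf;

/* Append n bytes and keep the buffer NUL-terminated.
 * Returns 0 on success, -1 on size_t overflow or allocation failure.
 * On failure the buffer is left unchanged. */
int ex_buf_append(ex_buf *b, const void *src, size_t n)
{
    /* Wrap check up front: len + n + 1 must be representable in size_t. */
    if (b->len > SIZE_MAX - 1 || n > SIZE_MAX - 1 - b->len)
        return -1;
    size_t need = b->len + n + 1;

    if (need > b->cap) {
        size_t newcap = b->cap ? b->cap : 64;
        while (newcap < need) {
            /* Doubling past SIZE_MAX/2 would wrap to a smaller value. */
            if (newcap > SIZE_MAX / 2)
                return -1;
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (p == NULL)
            return -1;
        b->data = p;
        b->cap = newcap;
    }
    if (n)
        memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed edge input: the length is synthetic, no memory is touched. */
    ex_buf edge = { NULL, SIZE_MAX - 4, SIZE_MAX - 4 };
    printf("edge append rc=%d\n", ex_buf_append(&edge, "12345678", 8));
    return 0;
}
```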