Harden security, performance, and DoS resilience across workspace - Fix TOCTOU race in vault permission check (fstat on fd, not path)

  - Add constant-time token comparison via subtle::ConstantTimeEq
  - Use Docker file-based secrets instead of env vars for passphrase
  - Validate config paths (absolute only, reject ..) via garde
  - Add JSON depth check (max 64) on webhook payloads
 DoS hardening closes 5 resource exhaustion vectors:
  - Cap actions per rule (100) and condition siblings per node (100)
  - Enforce minimum cron interval (60s) to prevent per-second abuse
  - Limit WriteFile action content to 10 MiB
  - Cap rule count at 10,000 per instance
  - Non-blocking webhook dispatch (try_send, 503 on full channel)                                                                                                          Performance fixes eliminate hot-path waste:                                                                                                             - Cache compiled regexes at add_rule() time (HashMap lookup vs recompile)                                                                                                       - Arc-wrap RuleMatch payload and actions (ref-count bump vs deep clone)                                                                                                              - Arc-wrap NativeConnectorHost in registry, derive Clone on                                                                                                                    CapabilityChecker — drop registry lock before connector network calls                                                                                                                  - Drop engine lock before cron/watcher unschedule in rule update/delete                                                                                                 API input validation:                                                                                                       - Clamp event query limit to 10,000                                                                                                              - Reject path parameters longer than 256 chars                                                                                                                - Bound event query limit on all endpoints                                                                                                        Shared module extraction (code deduplication):                                                                                                -deserialize_secret/deserialize_secret_option in springtale-connector
  - base64url_encode/urlencoded encoding helpers                                                                                                             - handle_json_response for typed API clients                                                                                                             - derive_api_token_hash in springtale-crypto                                                                                                             - Per-connector client::test_helpers mock modules

Author: radicalkjax

Cargo.lock

@@ -68,6 +68,7 @@ argon2           = "0.5"
 rand             = { version = "0.8",  features = ["getrandom", "std_rng"] }
 sha2             = "0.10"
 hmac             = "0.12"
+subtle           = "2"
 
 # ── Identifiers ────────────────────────────────────────────────────────────────
 uuid             = { version = "1",    features = ["v4", "serde"] }

Cargo.toml

@@ -8,7 +8,7 @@ use springtale_store::backend::sqlite::SqliteBackend;
 
 /// Initialize Springtale: create data directory, vault, SQLite database, and default config.
 pub async fn run() -> Result<()> {
-    let data_dir = data_dir();
+    let data_dir = springtale_store::paths::data_dir();
     println!("Initializing Springtale in {}", data_dir.display());
 
     // Create data directory
@@ -96,12 +96,3 @@ bind = "127.0.0.1:8080"
     Ok(())
 }
 
-fn data_dir() -> PathBuf {
-    std::env::var_os("XDG_DATA_HOME")
-        .map(PathBuf::from)
-        .or_else(|| {
-            std::env::var_os("HOME").map(|home| PathBuf::from(home).join(".local/share"))
-        })
-        .map(|base| base.join("springtale"))
-        .unwrap_or_else(|| PathBuf::from(".springtale"))
-}

README.md

@@ -87,7 +87,7 @@ pub async fn run(action: RuleAction, store: &SqliteBackend, json: bool) -> Resul
 
             // Load into engine and evaluate
             let mut engine = RuleEngine::new();
-            engine.add_rule(rule);
+            engine.add_rule(rule)?;
             let matches = engine.evaluate(&event);
 
             if matches.is_empty() {

apps/springtale-cli/src/commands/init.rs

@@ -62,27 +62,16 @@ fn open_store() -> Result<SqliteBackend> {
         }
         #[derive(serde::Deserialize, Default)]
         struct StoreSection {
-            #[serde(default = "default_db_path")]
+            #[serde(default = "springtale_store::paths::default_db_path")]
             path: std::path::PathBuf,
         }
 
         let config: PartialConfig = figment.extract().unwrap_or_default();
         config.store.path
     } else {
-        default_db_path()
+        springtale_store::paths::default_db_path()
     };
 
     SqliteBackend::open(&store_path)
         .map_err(|e| anyhow::anyhow!("failed to open store at {}: {e}", store_path.display()))
 }
-
-fn default_db_path() -> std::path::PathBuf {
-    std::env::var_os("XDG_DATA_HOME")
-        .map(std::path::PathBuf::from)
-        .or_else(|| {
-            std::env::var_os("HOME")
-                .map(|home| std::path::PathBuf::from(home).join(".local/share"))
-        })
-        .map(|base| base.join("springtale/springtale.db"))
-        .unwrap_or_else(|| std::path::PathBuf::from(".springtale/springtale.db"))
-}

apps/springtale-cli/src/commands/rule.rs

@@ -13,6 +13,7 @@ anyhow = { workspace = true }
 axum = { workspace = true }
 garde = { workspace = true }
 chrono = { workspace = true }
+subtle = { workspace = true }
 uuid = { workspace = true }
 tower = { workspace = true }
 tower-http = { workspace = true }

apps/springtale-cli/src/main.rs

@@ -2,6 +2,7 @@ use axum::extract::State;
 use axum::http::{Request, StatusCode};
 use axum::middleware::Next;
 use axum::response::Response;
+use subtle::ConstantTimeEq;
 
 use super::state::AppState;
 
@@ -12,7 +13,8 @@ use super::state::AppState;
 /// hash, which the user derives from their vault passphrase. This avoids
 /// managing a separate API key.
 ///
-/// Verification uses constant-time comparison to prevent timing attacks.
+/// Verification uses `subtle::ConstantTimeEq` (RustCrypto audited) to
+/// prevent timing attacks.
 pub async fn require_auth(
     State(state): State<AppState>,
     request: Request<axum::body::Body>,
@@ -30,23 +32,12 @@ pub async fn require_auth(
 
     let token_bytes = hex::decode(token).map_err(|_| StatusCode::UNAUTHORIZED)?;
 
-    // Constant-time comparison: the token IS the hash derived from the passphrase.
-    // The client computes it the same way the server did at boot time.
-    if token_bytes.len() != 32 || !constant_time_eq(&token_bytes, &state.api_token_hash) {
+    // Constant-time comparison via `subtle` crate (RustCrypto audited).
+    // The token IS the hash derived from the passphrase — client computes
+    // it the same way the server did at boot time.
+    if token_bytes.len() != 32 || bool::from(!token_bytes.ct_eq(&state.api_token_hash)) {
         return Err(StatusCode::UNAUTHORIZED);
     }
 
     Ok(next.run(request).await)
 }
-
-/// Constant-time byte comparison to prevent timing attacks.
-fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
-    if a.len() != b.len() {
-        return false;
-    }
-    let mut diff = 0u8;
-    for (x, y) in a.iter().zip(b.iter()) {
-        diff |= x ^ y;
-    }
-    diff == 0
-}

apps/springtaled/Cargo.toml

@@ -29,6 +29,7 @@ pub async fn remove(
     State(state): State<AppState>,
     Path(name): Path<String>,
 ) -> Result<impl IntoResponse, StatusCode> {
+    super::validate_path_param(&name)?;
     let mut registry = state.registry.write().await;
     registry
         .remove(&name)
@@ -42,6 +43,7 @@ pub async fn enable(
     State(state): State<AppState>,
     Path(name): Path<String>,
 ) -> Result<impl IntoResponse, StatusCode> {
+    super::validate_path_param(&name)?;
     let mut registry = state.registry.write().await;
     registry
         .enable(&name)
@@ -55,6 +57,7 @@ pub async fn disable(
     State(state): State<AppState>,
     Path(name): Path<String>,
 ) -> Result<impl IntoResponse, StatusCode> {
+    super::validate_path_param(&name)?;
     let mut registry = state.registry.write().await;
     registry
         .disable(&name)

apps/springtaled/src/api/auth.rs

@@ -22,6 +22,9 @@ fn default_limit() -> u32 {
     50
 }
 
+/// Maximum events per request. Prevents OOM from unbounded queries.
+const MAX_EVENT_LIMIT: u32 = 10_000;
+
 /// GET /events — paginated event log.
 ///
 /// Returns recent events (trigger type, connector, timestamp, action taken).
@@ -30,9 +33,11 @@ pub async fn list(
     State(state): State<AppState>,
     Query(params): Query<EventsQuery>,
 ) -> impl IntoResponse {
+    let clamped_limit = params.limit.min(MAX_EVENT_LIMIT);
+
     let filter = EventFilter {
         connector_name: params.connector.clone(),
-        limit: Some(params.limit),
+        limit: Some(clamped_limit),
         offset: if params.offset > 0 { Some(params.offset) } else { None },
         ..Default::default()
     };
@@ -42,7 +47,7 @@ pub async fn list(
     match events {
         Ok(events) => Json(serde_json::json!({
             "events": events,
-            "limit": params.limit,
+            "limit": clamped_limit,
             "offset": params.offset,
         })),
         Err(_) => Json(serde_json::json!({