fix: harden security and improve performance across the codebase#28

Merged
johnny-emp merged 2 commits into main from feat/storage-security-fixes
Feb 13, 2026
Conversation


@johnny-emp johnny-emp commented Feb 13, 2026

Summary

  • Security: Prevent path traversal in checkpoint storage, fix SQL injection in vector_init(), replace raw SQL filter in knn_filtered() with structured VectorFilter API, add extension path validation
  • Performance: Migrate std::sync::Mutex to parking_lot::Mutex in hot paths (file-log, sqlite, lmdb), remove unused memmap2 dependency
  • Robustness: Add MAX_DECLARED_KEYS (10,000) limit to guard against DoS via excessive key declarations, eliminate 50+ .lock().unwrap() calls

Changes

Security (High/Medium priority)

| Fix | Location | Risk |
|---|---|---|
| Path traversal in checkpoint LocalStorage | checkpoint.rs | High |
| SQL injection in vector_init() | extension.rs | Medium |
| Raw SQL filter replaced with VectorFilter | search.rs | Medium |
| Extension path .. / symlink rejection | extension.rs | Low |

Performance

| Change | Location |
|---|---|
| std::sync::Mutex → parking_lot::Mutex | azoth-file-log, azoth-sqlite, azoth-lmdb |
| Remove .lock().unwrap() (50+ sites) | All crates using projection/event-log mutexes |
| Remove unused memmap2 dependency | azoth-file-log, workspace root |

Robustness

| Change | Location |
|---|---|
| MAX_DECLARED_KEYS = 10,000 enforced in all execute paths | transaction.rs |

Test plan

  • cargo check --workspace passes
  • cargo test --workspace passes (240+ tests, 0 failures)
  • Verify checkpoint path traversal rejection with crafted ids
  • Verify VectorFilter produces correct SQL in integration tests
  • Verify vector_init rejects injection payloads
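The three input-validation fixes listed above (checkpoint id traversal, the `vector_init()` identifier, and the `MAX_DECLARED_KEYS` cap) share one shape: an allow-list check before untrusted input reaches a path join or a SQL `format!`. The following is an added, self-contained illustration of that pattern in std-only Rust; it is not code from this PR or from the azoth crates. The function names (`validate_checkpoint_id`, `checkpoint_path`, `validate_sql_identifier`, `vector_init_sql`, `check_declared_keys`), the length limits, the table schema and the sample root path are all assumptions made for the example. It goes one step beyond the description by adding a lexical containment check after the allow-list, so a later relaxation of the allowed character set cannot quietly reintroduce traversal.

```rust
use std::path::{Component, Path, PathBuf};

/// Upper bound on a checkpoint id's length (assumed limit, not the project's).
pub const MAX_CHECKPOINT_ID_LEN: usize = 128;
/// Upper bound on a SQL identifier's length (assumed defensive limit).
pub const MAX_SQL_IDENT_LEN: usize = 64;
/// Limit taken from the PR description.
pub const MAX_DECLARED_KEYS: usize = 10_000;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum ValidationError {
    Empty,
    TooLong,
    BadChar(char),
    Traversal,
    TooManyKeys { requested: usize, limit: usize },
}

/// A checkpoint id may only contain [A-Za-z0-9._-]. Path separators are rejected
/// outright and the special names "." and ".." are refused, so a valid id is always
/// exactly one ordinary path component.
pub fn validate_checkpoint_id(id: &str) -> Result<(), ValidationError> {
    if id.is_empty() {
        return Err(ValidationError::Empty);
    }
    if id.len() > MAX_CHECKPOINT_ID_LEN {
        return Err(ValidationError::TooLong);
    }
    if id == "." || id == ".." {
        return Err(ValidationError::Traversal);
    }
    if let Some(c) = id
        .chars()
        .find(|c| !(c.is_ascii_alphanumeric() || matches!(*c, '.' | '_' | '-')))
    {
        return Err(ValidationError::BadChar(c));
    }
    Ok(())
}

/// Resolve `id` under `root`. The allow-list already rules out traversal; the lexical
/// check afterwards is an independent second guard: everything after `root` must be
/// a Normal component (no "..", no absolute-path reset from an absolute `id`).
pub fn checkpoint_path(root: &Path, id: &str) -> Result<PathBuf, ValidationError> {
    validate_checkpoint_id(id)?;
    let path = root.join(id);
    let rest = path.strip_prefix(root).map_err(|_| ValidationError::Traversal)?;
    if rest.components().any(|c| !matches!(c, Component::Normal(_))) {
        return Err(ValidationError::Traversal);
    }
    Ok(path)
}

/// Table and column names cannot be bound as SQL parameters, so they are restricted
/// to [A-Za-z_][A-Za-z0-9_]* and anything else is rejected rather than quoted.
pub fn validate_sql_identifier(name: &str) -> Result<(), ValidationError> {
    let mut chars = name.chars();
    match chars.next() {
        None => return Err(ValidationError::Empty),
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        Some(c) => return Err(ValidationError::BadChar(c)),
    }
    if name.len() > MAX_SQL_IDENT_LEN {
        return Err(ValidationError::TooLong);
    }
    if let Some(c) = chars.find(|c| !(c.is_ascii_alphanumeric() || *c == '_')) {
        return Err(ValidationError::BadChar(c));
    }
    Ok(())
}

/// Build a (constructed, illustrative) vector-table DDL statement from a caller-supplied
/// table name. Validation runs first, so the format! can never splice in foreign SQL.
pub fn vector_init_sql(table: &str, dims: usize) -> Result<String, ValidationError> {
    validate_sql_identifier(table)?;
    Ok(format!(
        "CREATE TABLE IF NOT EXISTS {} (id INTEGER PRIMARY KEY, embedding BLOB NOT NULL, dims INTEGER NOT NULL DEFAULT {})",
        table, dims
    ))
}

/// Enforce MAX_DECLARED_KEYS before accepting more declarations; returns the new total.
/// saturating_add keeps a hostile `additional` from wrapping the comparison.
pub fn check_declared_keys(current: usize, additional: usize) -> Result<usize, ValidationError> {
    let total = current.saturating_add(additional);
    if total > MAX_DECLARED_KEYS {
        return Err(ValidationError::TooManyKeys { requested: total, limit: MAX_DECLARED_KEYS });
    }
    Ok(total)
}

fn main() {
    let root = Path::new("/var/lib/azoth/checkpoints"); // constructed sample root
    for id in ["ckpt-0001.bin", "../../etc/passwd", "..", "a/b"] {
        println!("{:?} -> {:?}", id, checkpoint_path(root, id));
    }
    for name in ["vec_items", "items; DROP TABLE users; --", "1abc"] {
        println!("{:?} -> {:?}", name, vector_init_sql(name, 384));
    }
    println!("{:?}", check_declared_keys(9_999, 2));
}
```

Rejecting rather than escaping is deliberate for both validators: an identifier or id that needs quoting to be safe is almost always a sign of a caller passing through data it should not, and a hard error surfaces that in tests (the PR's "crafted ids" and "injection payloads" checks) instead of at the storage layer.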

johnny-emp and others added 2 commits February 13, 2026 17:42
Security:
- Prevent path traversal in checkpoint LocalStorage (upload/download/delete)
- Fix SQL injection in vector_init() by using validate_sql_identifier()
- Replace raw SQL filter string in knn_filtered() with structured VectorFilter API
- Add extension path validation to reject ".." components and symlinks

Performance:
- Migrate std::sync::Mutex to parking_lot::Mutex in hot paths (file-log, sqlite, lmdb)
- Remove all .lock().unwrap() calls (parking_lot doesn't poison)
- Remove unused memmap2 dependency from azoth-file-log

Robustness:
- Add MAX_DECLARED_KEYS (10,000) limit to prevent DoS via excessive key declarations

Co-authored-by: Cursor <cursoragent@cursor.com>
@johnny-emp johnny-emp merged commit 8e81364 into main Feb 13, 2026
8 checks passed
@johnny-emp johnny-emp deleted the feat/storage-security-fixes branch February 13, 2026 22:47
