
fix: fail-closed expiry enforcement in verify_hmac_and_expiry #176

Open
brendanjryan wants to merge 3 commits into main from fix/fail-closed-expiry-enforcement-v2


@brendanjryan brendanjryan commented Mar 30, 2026

Summary

Enforces fail-closed behavior for the expires field in verify_hmac_and_expiry. Previously, credentials with no expires field were silently accepted. Now they are rejected with a CredentialMismatch error.

Previously, credentials with no expires field were silently accepted.
Now verify_hmac_and_expiry rejects credentials missing the required
expires field, enforcing fail-closed behavior.

Session challenge generation paths (session_challenge and
session_challenge_with_details) now default to a 5-minute expiry
matching the charge challenge behavior, since all verification
paths require expires.

Adds test_missing_expires_rejected to verify the new enforcement.

MPP-F4
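
The fail-open versus fail-closed handling of a missing expires field described above, as an added example that is not the project's code. The Python language choice, the credential layout, the integer-second timestamps, the MAC input format, and the names `mac_for`, `issue_challenge`, `verify` and `accepted` are assumptions; only `CredentialMismatch` and the 5-minute default come from the PR text.

```python
import hashlib
import hmac

DEFAULT_EXPIRY_SECS = 300  # the 5-minute default the PR describes


class CredentialMismatch(Exception):
    """Stand-in for the error the PR names; the project's real type is not shown."""


def mac_for(key, challenge_id, expires):
    # Cover expires with the MAC so it cannot be stripped or changed after issue.
    msg = f"{challenge_id}|{'' if expires is None else expires}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def issue_challenge(key, challenge_id, now, expires=None):
    # Issuer side: every challenge carries an expiry, defaulting to now + 5 min.
    if expires is None:
        expires = now + DEFAULT_EXPIRY_SECS
    return {"id": challenge_id, "expires": expires,
            "mac": mac_for(key, challenge_id, expires)}


def verify(key, cred, now, fail_closed=True):
    # fail_closed=False models the old behaviour: no expires means no expiry check.
    expires = cred.get("expires")
    expected = mac_for(key, cred["id"], expires)
    if not hmac.compare_digest(expected, cred.get("mac", "")):
        raise CredentialMismatch("mac mismatch")
    if expires is None:
        if fail_closed:
            raise CredentialMismatch("missing expires")
        return  # fail-open: accepted with unlimited lifetime
    if now >= expires:
        raise CredentialMismatch("expired")


def accepted(key, cred, now, fail_closed=True):
    try:
        verify(key, cred, now, fail_closed)
        return True
    except CredentialMismatch:
        return False


if __name__ == "__main__":
    key, now = b"constructed-demo-key", 1_700_000_000  # constructed sample values
    legacy = {"id": "c1", "mac": mac_for(key, "c1", None)}  # validly MACed, no expires
    print(accepted(key, legacy, now + 10**9, fail_closed=False))  # old behaviour
    print(accepted(key, legacy, now, fail_closed=True))           # new behaviour
```

The issuer-side default matters as much as the verifier check: once `verify` requires expires, any challenge path that omits it produces credentials that can never verify.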

github-actions bot commented Mar 30, 2026

✅ Changelog found on PR.


- test_session_missing_expires_rejected: verify_session rejects None expires
- test_session_default_expires_accepted: session_challenge() sets default expires
- test_session_challenge_with_details_default_expires: details variant also defaults

brendanjryan added the cyclops (Trigger Cyclops PR audit) label Mar 31, 2026

tempoxyz-bot commented Mar 31, 2026

👁️ Cyclops Security Review

9d0a9b8

🧭 Auditing · mode=normal · workers 0/3 done (3 left) · verify pending 1

| Worker | Engine | Progress | Status |
|---|---|---|---|
| pr-176-w1 | gemini-3.1-pro-preview | 🚨 thread-1 🔍 thread-2 · | Running |
| pr-176-w2 | amp/deep | 🚨 thread-1 🔍 thread-2 · | Running |
| pr-176-w3 | gpt-5.4 | 🔍 thread-1 · · | Running |

Findings

| # | Finding | Severity | Verification | Threads |
|---|---|---|---|---|
| 1 | Default 5-minute session expiry self-destructs Tempo sessions | Medium | ⚠️ Partial | audit · verify |
| 2 | Incomplete Expiry Enforcement Causes Denial of Service and Bypasses PR Fix | High | ⏳ Pending | audit |

⚙️ Controls
  • 🚀 Keep only 1 remaining iteration per worker after the current work finishes.
  • 👀 Keep only 2 remaining iterations per worker after the current work finishes.
  • ❤️ Let only worker 1 continue; other workers skip queued iterations.
  • 😄 Let only worker 2 continue; other workers skip queued iterations.
  • 🎉 End faster by skipping queued iterations and moving toward consolidation.
  • 😕 Stop active workers/verifiers now and start consolidation immediately.

📜 12 events

🔍 pr-176-w1 iter 1/3 [audit-ripple.md]
🔍 pr-176-w2 iter 1/3 [audit-focused.md]
🔍 pr-176-w3 iter 1/3 [audit-deep-focus.md]
🚨 pr-176-w2 iter 1 — finding | Thread
🚨 Finding: Default 5-minute session expiry self-destructs Tempo sessions (Medium) | Thread
🔍 pr-176-w2 iter 2/3 [audit-ripple.md]
🔬 Verifying: Default 5-minute session expiry self-destructs Tempo sessions | Thread
🚨 pr-176-w1 iter 1 — finding | Thread
🚨 Finding: Incomplete Expiry Enforcement Causes Denial of Service and Bypasses PR Fix (High) | Thread
🔍 pr-176-w1 iter 2/3 [audit-historical.md]
🔬 Verifying: Incomplete Expiry Enforcement Causes Denial of Service and Bypasses PR Fix | Thread
📋 Verify: Default 5-minute session expiry self-destructs Tempo sessions ⚠️ Partial | Thread

2 participants