
HIGH: Add integrity check for unsafe deserialize_unchecked in artifact loading #54

@AlexMikhalev

Security Finding - HIGH

Source: Security audit (2026-02-24)
Location: crates/terraphim-automata/src/sharded_extractor.rs:215

Description

DoubleArrayAhoCorasick::deserialize_unchecked(bytes) is called on file data from disk with no integrity verification. If artifact files are tampered with, this could cause undefined behavior.

Remediation

  1. Add SHA-256 checksum to ArtifactHeader and validate before deserialization
  2. Consider using safe deserialize variant if available in daachorse
  3. Document trust boundary: artifact files must be generated locally

Metadata

Assignees

No one assigned

Labels

security (Security vulnerabilities and audit findings)


Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
