hardening and docs #562
Open
hardening and docs #562
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…tection Make fdw_package_checksum a required option for all WASM FDW servers. This ensures supply chain integrity by requiring verification of WASM package contents before execution. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…error messages Add sanitize_error_message() utility to automatically mask sensitive values like API keys and tokens in error messages before they're displayed to users. - Add utils.rs with credential masking functions - Export sanitize_error_message in prelude - Add ProtectedOptionValue for tracking credentials in options - Apply credential masking to all HTTP-based FDWs: - Stripe, Airtable, Firebase, Logflare, Auth0, Cognito, DuckDB Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
…ed FDWs Add protection against DoS attacks via maliciously large HTTP responses. Each HTTP-based FDW now has a configurable max_response_size option (default: 10 MB) that rejects responses exceeding the limit. Affected FDWs: - Stripe: ResponseTooLarge error with size checking - Airtable: ResponseTooLarge error with size checking - Firebase: ResponseTooLarge error with size checking - Logflare: Changed from .json() to .text() for size checking - Auth0: ResponseTooLarge error type added - Cognito: ResponseTooLarge error type added Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive security documentation and tests for the Wrappers platform: - SECURITY.md: Platform-wide security documentation covering: - Supply chain security (WASM package verification) - Credential masking in error messages - Response size limits - wasm-wrappers/tests/test_wasm_security.sql: Platform-wide security tests - Supply chain verification tests - Credential masking tests Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR implements platform-wide security improvements across the Wrappers project to protect against supply chain attacks, credential leakage, and denial-of-service attacks.
Changes:
- Added mandatory
fdw_package_checksumrequirement for WASM FDW servers to prevent loading tampered packages - Implemented
sanitize_error_message()utility that automatically masks API keys and sensitive credentials in error messages - Added configurable
max_response_sizeoption (default: 10 MB) to HTTP-based FDWs to prevent DoS attacks via oversized responses - Created comprehensive security documentation and test suite
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| wrappers/src/fdw/wasm_fdw/wasm_fdw.rs | Adds required checksum validation to prevent supply chain attacks |
| wrappers/src/fdw/stripe_fdw/stripe_fdw.rs | Implements response size limits and struct field for max_response_size |
| wrappers/src/fdw/stripe_fdw/mod.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant |
| wrappers/src/fdw/logflare_fdw/mod.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant |
| wrappers/src/fdw/logflare_fdw/logflare_fdw.rs | Implements response size limits |
| wrappers/src/fdw/firebase_fdw/mod.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant |
| wrappers/src/fdw/firebase_fdw/firebase_fdw.rs | Implements response size limits |
| wrappers/src/fdw/duckdb_fdw/mod.rs | Adds credential sanitization to error handler |
| wrappers/src/fdw/cognito_fdw/mod.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant (not fully implemented) |
| wrappers/src/fdw/auth0_fdw/auth0_fdw.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant (not fully implemented) |
| wrappers/src/fdw/auth0_fdw/auth0_client/mod.rs | Adds credential sanitization to Auth0 client error handler |
| wrappers/src/fdw/airtable_fdw/mod.rs | Adds credential sanitization to error handler and ResponseTooLarge error variant |
| wrappers/src/fdw/airtable_fdw/airtable_fdw.rs | Implements response size limits |
| wasm-wrappers/tests/test_wasm_security.sql | New security test suite covering supply chain protection and credential masking |
| wasm-wrappers/tests/README.md | Documentation for platform-wide security tests |
| supabase-wrappers/src/utils.rs | Core credential masking utilities implementation |
| supabase-wrappers/src/options.rs | Prevents credential leakage in UTF-8 validation errors |
| supabase-wrappers/src/lib.rs | Exports credential masking utilities in prelude |
| SECURITY.md | New platform-wide security documentation |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Auth0 and Cognito use different architectures (HTTP client / AWS SDK) that make response size checking impractical. Remove the unused error variants to avoid dead code. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The credential masking logic had two bugs: 1. The patterns array was created but never used - the code just did a simple string find 2. Only the first occurrence of each sensitive name was masked Now uses a while loop to find and mask ALL occurrences of each sensitive credential type in the message. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Document the configurable max_response_size feature including: - Protection mechanism description - Configuration example with SQL - Default value (10 MB) - Supported FDWs table - Error behavior example - Implementation notes Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The explicit re-exports of is_sensitive_option, mask_credential_value, mask_credentials_in_message, and sanitize_error_message are redundant since `pub use crate::utils::*` already exports all public items. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
kiwicopple
commented
Jan 22, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 19 out of 19 changed files in this pull request and generated 8 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The test now: 1. First checks all failure cases (any unmasked credential patterns) 2. Then determines the specific pass case with clearer messaging 3. Logs the actual error when credential wasn't in error path This avoids the ambiguous ELSE branch that could mask issues where the credential masking code wasn't being invoked at all. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Fixed several bugs in mask_credentials_in_message(): - Use position-based searching with search_start to track progress - Use lower_name.len() instead of sensitive_name.len() for correctness - Continue past unprocessable matches instead of breaking (which caused infinite loops when no '=' found, unclosed quotes, or empty values) Also improved Auth0 error sanitization comment to be more accurate. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The size check happens after the response is read into memory, which means extremely large responses could temporarily consume memory before being rejected. Document this limitation and suggest network-level controls for stronger protection. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OptionsError::OptionValueIsInvalidUtf8 was changed to a struct variant with named field 'option_name' but instance.rs was still using tuple variant syntax. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Clippy requires using strip_prefix() instead of starts_with() followed by manual slicing with [1..]. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
The max_response_size parsing in FDWs uses OptionsError::OptionParsingError but the variant was missing from the enum definition. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add instructions to run cargo fmt, cargo check, and cargo clippy before committing to avoid CI failures. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Local file:// URLs don't need supply chain protection since they reference locally-built WASM packages. Only require fdw_package_checksum for remote (non-file://) URLs. This fixes the wasm_smoketest which uses local file:// URLs. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
This PR adds platform-wide security improvements to the Wrappers project:
fdw_package_checksumrequired for all WASM FDW servers to prevent loading tampered packagessanitize_error_message()utility that automatically masks API keys and tokens in error messages before they're displayed to usersmax_response_sizeoption (default: 10 MB) to all HTTP-based FDWs to prevent DoS via maliciously large responsesSECURITY.mdand security test suiteAffected FDWs