TrafficManagement: don't learn identity from a signer's unsigned NodeInfo#11035
Conversation
…Info The NodeInfo direct-response path opportunistically called updateUser() with the requester's decoded User. That path only sees unicast NodeInfo, which is never signed, so for a node already known to sign its broadcasts the identity claim is unauthenticated and would overwrite the stored name. Skip the identity update when the sender is a known signer and the packet is unsigned; non-signers are still learned as before, and the cached direct response is unchanged.
📝 WalkthroughWalkthroughTraffic management now skips requester identity decoding for unsigned claims from known XEdDSA signers during NodeInfo direct responses. Tests cover cache handling, direct replies, and preservation of the stored signer name. ChangesNodeInfo signer validation
Estimated code review effort: 2 (Simple) | ~10 minutes Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (1)
test/test_traffic_management/test_main.cpp (1)
607-612: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueCondense multi-line comments to comply with guidelines.
As per coding guidelines, comments should be kept minimal—one or two lines maximum. Consider shortening these explanatory blocks to match the convention:
test/test_traffic_management/test_main.cpp#L607-L612: condense the 5-line explanation into one or two lines (e.g., "Verify unsigned unicast NodeInfo requests from known signers do not overwrite their stored identity...").test/test_traffic_management/test_main.cpp#L113-L115: condense the 3-line explanation into a shorter description.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@test/test_traffic_management/test_main.cpp` around lines 607 - 612, Condense the explanatory comments in test/test_traffic_management/test_main.cpp at lines 607-612 and 113-115 to one or two concise lines each, preserving their purpose and distinguishing the signed/unsigned NodeInfo identity-learning behavior; no code changes are needed.Source: Coding guidelines
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In `@test/test_traffic_management/test_main.cpp`:
- Around line 607-612: Condense the explanatory comments in
test/test_traffic_management/test_main.cpp at lines 607-612 and 113-115 to one
or two concise lines each, preserving their purpose and distinguishing the
signed/unsigned NodeInfo identity-learning behavior; no code changes are needed.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro Plus
Run ID: 77ac09a0-818f-4a89-9923-6fbbe6319b6a
📒 Files selected for processing (2)
src/modules/TrafficManagementModule.cpptest/test_traffic_management/test_main.cpp
⚡ Try this PR in the Web FlasherNote Building this pull request… the flash button, badges and supported-board |
The NodeInfo direct-response path in
TrafficManagementModuleanswered a unicast NodeInforequest from cache and, as a side effect, called
nodeDB->updateUser()with the requester'sdecoded
Userto keep the NodeDB fresh.That path only handles unicast NodeInfo (
!isBroadcast(mp.to)), and unicast NodeInfo is neversigned. So for a node already learned as an XEdDSA signer, the identity carried here cannot be
authenticated the way its signed broadcasts are - the stored
long_name/short_namewould beoverwritten from an unverified claim.
Skip the identity update when the sender is a known signer and the packet is unsigned. Nodes that
have never signed are learned exactly as before (their identity is not signature-protected
anywhere), and the cached direct response - public info sent back to the requester - is unchanged.
Behavior change: a known signer's
Userfields are no longer updated from a unicast NodeInforequest on this path; they continue to update from that node's signed broadcast NodeInfo.
Test (test_traffic_management): a known signer's unicast NodeInfo request still gets a cached
response but no longer overwrites the stored name; the existing non-signer test is the control
that identity learning is otherwise preserved.
Summary by CodeRabbit
Bug Fixes
Tests