Scrubber crate #32
Open
arminsabouri wants to merge 3 commits into
bc1cindy reviewed Jun 2, 2026
| prop-tests = [] | ||
|
|
||
| [dependencies] | ||
| psbt-v2 = "0.3.0" No newline at end of file |
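Review bot: `psbt-v2 = "0.3.0"` is a caret requirement, so it resolves to any 0.3.x release; since this PR replicates the crate-private `Pair::decode` logic in its own `PairDecode` extension trait, a 0.3.x bump that changes upstream decoding would not break the build but could make the replicated logic diverge from the real one. Consider pinning with `psbt-v2 = "=0.3.0"` or adding a comment in Cargo.toml that records the coupling. The file also lacks a trailing newline after that line ("No newline at end of file"); add one.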
| } | ||
| out.push(0x00); | ||
|
|
||
| for map_idx in 0..(n_inputs + n_outputs) { |
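Review bot: besides the overflow in `n_inputs + n_outputs`, a pair of counts whose sum still fits in u64 (two values near u64::MAX/2, say) makes `for map_idx in 0..(n_inputs + n_outputs)` iterate as many times as the counts claim, long after the input is exhausted. Bound the counts before entering the loop: every map occupies at least its 0x00 terminator byte, so where the input length is known any count larger than the remaining bytes is invalid, and where it is not, the loop must stop on the first read error rather than trust the declared count; then combine the two with `n_inputs.checked_add(n_outputs)` and map `None` to the same invalid-global error.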
`n_inputs + n_outputs` overflows; both are attacker-controlled u64 (VarInt counts, up to u64::MAX in 9 bytes). With INPUT_COUNT=u64::MAX, OUTPUT_COUNT=1 it panics under overflow-checks (dev/the nix check profile) and wraps to 0 in release. Suggest checked_add → InvalidGlobal?
| [features] | ||
| default = ["unit-tests", "prop-tests"] | ||
| unit-tests = [] | ||
| prop-tests = [] |
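Review bot: `unit-tests` and `prop-tests` are declared as empty features and both enabled by default, so they only have an effect if the corresponding test modules are gated with `#[cfg(feature = "unit-tests")]` / `#[cfg(feature = "prop-tests")]`. A short note in Cargo.toml or the crate docs stating what each feature gates (and that the allowlist property test discussed in this review belongs under `prop-tests`) would tell `--no-default-features` users what they are turning off.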
Seems good to have a proptest to assert no out-of-allowlist field survives.
Implementation of payjoin/multiparty-protocol-docs#6.

Key type bytes overlap across PSBT map types. For example, 0x06 is TX_MODIFIABLE in global but BIP32_DERIVATION in inputs. So filtering requires map context.

Buffers the global map to detect version and counts (INPUT_COUNT/OUTPUT_COUNT for v2, UNSIGNED_TX parsed via Transaction::consensus_decode for v0), then streams remaining maps with per-map allowlists for global, input, and output.

Pair::decode is pub(crate) in psbt-v2 0.3.0; worked around with a PairDecode extension trait replicating the upstream logic.
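The map-context point above, as an added example that is not the PR's code: a bounds-checked filter for one raw PSBT key/value map whose allowlist is selected by map kind, so the same byte 0x06 is kept in the global map (TX_MODIFIABLE) and dropped in an input map (BIP32_DERIVATION). The allowlists, the `MapKind` enum and the function names are assumptions for illustration, not the scrubber crate's real ones.

```rust
use std::convert::{TryFrom, TryInto};

#[derive(Clone, Copy, PartialEq, Debug)]
pub enum MapKind { Global, Input, Output }

/// Illustrative allowlists (assumed, not the project's real ones). The point:
/// 0x06 is TX_MODIFIABLE in the global map but BIP32_DERIVATION in an input
/// map, so the decision depends on which map the key was read from.
pub fn allowed(kind: MapKind, key_type: u8) -> bool {
    match kind {
        MapKind::Global => matches!(key_type, 0x02..=0x06 | 0xfb),
        MapKind::Input => matches!(key_type, 0x0e | 0x0f | 0x10),
        MapKind::Output => matches!(key_type, 0x03 | 0x04),
    }
}

/// Bitcoin CompactSize decode with bounds checks; returns (value, bytes used).
fn read_compact_size(buf: &[u8]) -> Result<(u64, usize), &'static str> {
    let first = *buf.first().ok_or("truncated")?;
    let (width, v): (usize, u64) = match first {
        0..=0xfc => return Ok((u64::from(first), 1)),
        0xfd => (2, u64::from(u16::from_le_bytes(buf.get(1..3).ok_or("truncated")?.try_into().unwrap()))),
        0xfe => (4, u64::from(u32::from_le_bytes(buf.get(1..5).ok_or("truncated")?.try_into().unwrap()))),
        _ => (8, u64::from_le_bytes(buf.get(1..9).ok_or("truncated")?.try_into().unwrap())),
    };
    Ok((v, 1 + width))
}

/// Scrubs one raw key/value map: keeps pairs whose key type is allowed for
/// `kind`, drops the rest, and re-emits the 0x00 terminator. Every offset is
/// bounds-checked, so a bogus length yields an error instead of a panic.
/// Returns (scrubbed bytes, bytes consumed from `buf`).
pub fn scrub_map(kind: MapKind, buf: &[u8]) -> Result<(Vec<u8>, usize), &'static str> {
    let mut pos = 0usize;
    let mut out: Vec<u8> = Vec::new();
    loop {
        let (key_len, n) = read_compact_size(buf.get(pos..).ok_or("truncated")?)?;
        pos += n;
        if key_len == 0 { out.push(0x00); return Ok((out, pos)); } // 0x00 ends the map
        let key_end = pos.checked_add(usize::try_from(key_len).map_err(|_| "too long")?).ok_or("too long")?;
        let key = buf.get(pos..key_end).ok_or("truncated")?;
        let (val_len, m) = read_compact_size(buf.get(key_end..).ok_or("truncated")?)?;
        let val_start = key_end + m;
        let val_end = val_start.checked_add(usize::try_from(val_len).map_err(|_| "too long")?).ok_or("too long")?;
        let _value = buf.get(val_start..val_end).ok_or("truncated")?;
        if allowed(kind, key[0]) {
            out.extend_from_slice(&buf[pos - n..val_end]); // keylen, key, vallen, value
        }
        pos = val_end;
    }
}
```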