fix: close panics and races the audit's own fixes left nearby

Second-pass review of the 54-commit self-correcting audit. Each item below
was confirmed by reading the surrounding source (and, where practical, the
pre-fix code) before being changed; regression tests are included for every
behavioral fix.

Concurrency:
- eventbus: Bus.Subscribe called wg.Add with no synchronization against a
  concurrent Bus.Stop's wg.Wait, a real "WaitGroup misuse" panic risk (e.g. a
  Telegram-bot settings save racing panel shutdown/restart). Stop now flips a
  mu-guarded `stopped` flag before waiting, and Subscribe checks it under the
  same lock, so Add and Wait can no longer race.

Security:
- login_limiter: evictForRoom's fallback eviction picked an arbitrary map
  key, including ones still under an active cooldown - an attacker flooding
  /login with fresh usernames could evict their own (or anyone's) blocked
  record and reset the lockout. The fallback now skips actively-blocked
  records, only falling back to an unconditional evict if the map is
  somehow entirely full of active blocks (preserves the hard memory cap).

Subscription-endpoint panics (reachable by any client hitting /sub):
- internal/sub/service.go: applyPathAndHostParams/Obj (ws/httpupgrade/xhttp
  with no path settings object) and the TLS alpn readers in three places
  used unchecked type assertions - exactly the bug class abab7cd0 patched
  elsewhere in the same switch statements, just not these call sites.
- internal/sub/json_service.go, clash_service.go: the externalProxy loops
  in the JSON and Clash generators used unchecked assertions on a
  legacy/admin-supplied field (missing "port", non-object entry, etc.).
- internal/sub/json_service.go: realityData's shortId/serverName selection
  could assert a non-string array element.

Other correctness:
- client_traffic.go: ResetAllTraffics (touched by 3eb214d0) still skipped
  clearing NodeClientTraffic node-sync baselines, unlike its sibling reset
  paths in the same file - a node's next sync would re-add pre-reset delta
  on top of the freshly-zeroed counter.
- inbound_traffic.go: the traffic-tick tx's Commit/Rollback errors were
  silently discarded; now logged so a backend-level commit failure (e.g. an
  aborted Postgres tx from a best-effort helper) doesn't masquerade as a
  successful tick.
- outbound_subscription.go: the new subscriptionFetchClient doc comment was
  wedged between fetchAndStore's existing comment and fetchAndStore itself,
  leaving fetchAndStore undocumented and the comment describing the wrong
  function.

Convention cleanup:
- Removed narrative // comments added by the audit that violate this repo's
  no-inline-comment rule (mostly narrating the specific bug/fix rather than
  a lasting contract, and mostly on new Test functions, which this repo's
  existing tests never comment) - calibrated against this exact codebase's
  own pre-existing comment style so legitimate godoc-style doc comments
  were left alone.
This commit is contained in:
claude[bot]
2026-07-15 11:59:30 +00:00
parent a862680645
commit fbad71d620
35 changed files with 179 additions and 147 deletions
+30 -3
View File
@@ -2,13 +2,11 @@ package controller
import (
"strconv"
"strings"
"testing"
"time"
)
// An unauthenticated attacker can flood /login with fresh usernames, each of
// which seeds a record keyed on that username. The attempts map must stay
// bounded rather than growing until the process OOMs.
func TestLoginLimiterBoundsMemoryUnderUsernameFlood(t *testing.T) {
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
for i := 0; i < loginLimitMaxRecords+100; i++ {
@@ -24,6 +22,35 @@ func TestLoginLimiterBoundsMemoryUnderUsernameFlood(t *testing.T) {
}
}
func TestLoginLimiterEvictionSparesActiveBlocks(t *testing.T) {
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)
limiter.now = func() time.Time { return now }
limiter.mu.Lock()
for i := 0; i < loginLimitMaxRecords-1; i++ {
limiter.attempts["victim-"+strconv.Itoa(i)] = &loginLimitRecord{blockedUntil: now.Add(10 * time.Minute)}
}
limiter.attempts["filler"] = &loginLimitRecord{failures: []time.Time{now}}
limiter.mu.Unlock()
if _, blocked := limiter.registerFailure("9.9.9.9", "newcomer"); blocked {
t.Fatal("the eviction-triggering failure itself should not be blocked yet")
}
limiter.mu.Lock()
defer limiter.mu.Unlock()
survivors := 0
for key, record := range limiter.attempts {
if strings.HasPrefix(key, "victim-") && now.Before(record.blockedUntil) {
survivors++
}
}
if survivors != loginLimitMaxRecords-1 {
t.Fatalf("eviction under a full map dropped an actively-blocked record: %d/%d victims survived", survivors, loginLimitMaxRecords-1)
}
}
func TestLoginLimiterBlocksAfterConfiguredFailures(t *testing.T) {
now := time.Date(2026, 5, 6, 12, 0, 0, 0, time.UTC)
limiter := newLoginLimiter(5, 5*time.Minute, 15*time.Minute)