File: crates/state/src/dag.rs:129
Severity: robustness (availability/DoS)
Obvious? yes
EventDag::insert checks MAX_EVENT_DEPS and MAX_ENCRYPTED_KEY_BYTES but no other variant payloads. EventKind::Message.body, EditMessage.new_body, SetServerDescription.description, CreateServer.name, RenameServer.new_name, CreateChannel.name/channel_id, RenameChannel.new_name, CreateRole.name/role_id, SetProfile.display_name, Reaction.emoji, DeleteChannel.channel_id — all unbounded String fields. A peer holding SendMessages (or any author once joined) can broadcast a single event with a multi-MB body, forcing every receiver to clone it into the DAG plus into materialised state on every replay. Sibling cap to PR #583's Content::File filename cap.
Fix: introduce per-field byte caps (e.g. MAX_MESSAGE_BODY_BYTES, MAX_NAME_BYTES, MAX_CHANNEL_ID_BYTES) and reject in insert before signature verify (preserves the cap-before-verify ordering established by #519).
Filed by /general-audit @ 88498a5 (2026-05-04). master: #600.
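
A sketch of the proposed fix, added here as an example and not taken from the project's code: per-field byte caps checked in one exhaustive match that `insert` would call before signature verification. The reduced `EventKind` shape, the cap values, and the names `check_payload_caps`, `cap` and `FieldTooLarge` are assumptions; only the three `MAX_*` constant names come from the issue.

```rust
// Added illustration: a reduced stand-in for the event enum, not the crate's definitions.
// Cap values are assumed; the issue names the constants but gives no numbers.
pub const MAX_MESSAGE_BODY_BYTES: usize = 16 * 1024;
pub const MAX_NAME_BYTES: usize = 128;
pub const MAX_CHANNEL_ID_BYTES: usize = 64;

#[derive(Debug)]
pub enum EventKind {
    Message { body: String },
    EditMessage { new_body: String },
    CreateChannel { channel_id: String, name: String },
    RenameChannel { new_name: String },
    DeleteChannel { channel_id: String },
    SetProfile { display_name: String },
}

#[derive(Debug, PartialEq)]
pub struct FieldTooLarge {
    pub field: &'static str,
    pub len: usize,
    pub max: usize,
}

fn cap(field: &'static str, s: &str, max: usize) -> Result<(), FieldTooLarge> {
    // str::len() is the UTF-8 byte length, which is what the caps bound.
    if s.len() > max { Err(FieldTooLarge { field, len: s.len(), max }) } else { Ok(()) }
}

/// Hypothetical helper: intended to run in `insert` beside the existing cap checks,
/// before signature verification, so an oversized event is rejected cheaply.
pub fn check_payload_caps(kind: &EventKind) -> Result<(), FieldTooLarge> {
    // Exhaustive match with no `_` arm: a new variant fails to compile until it is capped.
    match kind {
        EventKind::Message { body } => cap("body", body, MAX_MESSAGE_BODY_BYTES),
        EventKind::EditMessage { new_body } => cap("new_body", new_body, MAX_MESSAGE_BODY_BYTES),
        EventKind::CreateChannel { channel_id, name } => {
            cap("channel_id", channel_id, MAX_CHANNEL_ID_BYTES)?;
            cap("name", name, MAX_NAME_BYTES)
        }
        EventKind::RenameChannel { new_name } => cap("new_name", new_name, MAX_NAME_BYTES),
        EventKind::DeleteChannel { channel_id } => cap("channel_id", channel_id, MAX_CHANNEL_ID_BYTES),
        EventKind::SetProfile { display_name } => cap("display_name", display_name, MAX_NAME_BYTES),
    }
}
```

The caps are in bytes, not characters, so a 33-character id made of two-byte code points (66 bytes) is rejected against a 64-byte cap.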