zat.dev / zat
atproto utils for zig zat.dev
atproto sdk zig
26
fork

Configure Feed

Select the types of activity you want to include in your feed.

harden identity network resolution #1

open opened by zzstoatzz.io targeting main from codex/identity-network-safety

Summary#

Adds network safety for identity resolution paths:

  • Rejects non-routable identity hosts and resolved A/AAAA answers
  • Uses DoH preflight before did:web and HTTP handle fetches
  • Dials the checked resolved address while preserving the original host for TLS/SNI
  • Disables redirects for identity and DoH fetches
  • Adds response size caps for DID docs, handle well-known responses, and DoH responses

Validation#

  • zig build test --summary all -freference-trace
  • just check && just test
  • Live identity smoke for zat.dev
  • Malicious DoH smoke returning 127.0.0.1
  • Response cap smoke
  • Resolved-dial smoke
  • atproto-bench temporary proof with local zat override
Labels

None yet.

assignee

None yet.

Participants 1
AT URI
at://did:plc:xbtmt2zjwlrfegqvch7fboei/sh.tangled.repo.pull/3mk7n24udzj22
Diff #0

No differences found between the selected revisions.

History

1 round 0 comments
sign up or login to add to the discussion
zzstoatzz.io submitted #0
patch application failed: error: No valid patches in input (allow with "--allow-empty")
expand 0 comments