Commit Graph

32 Commits

Author SHA1 Message Date
3f36c303c2 feat(history): flat-file backend with bidirectional SQLite migration
All checks were successful
CI Code / Check spelling (push) Successful in 21s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 2m21s
CI Code / Linux (ubuntu) (push) Successful in 4m30s
CI Code / Linux (debian) (push) Successful in 6m43s
CI Code / Linux (arch) (push) Successful in 10m8s
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.

Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
  under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
  (FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
  marker, writer and checker stay in sync via preprocessor
  stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
  `to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
  literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
  O(log n) time-range lookups; rebuilt on inode / size / mtime
  change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
  stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
  validation)

Hardening
- Path-traversal protection: JID directory name normalisation
  (`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
  per-contact path is anchored under the account's flatlog/
  directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
  ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
  directories with mode 0700; both enforced at creation, verified
  on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
  0600, random suffix, no name collisions between concurrent
  exports), fsync, then rename \u2014 partial state never replaces the
  live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
  every write, including append from live messages and full rewrite
  from export, so two profanity processes can't interleave bytes
  on the same log
- DoS / abuse guards:
    * FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
      at read with a warning; the parser will not allocate
      unbounded memory for a single record
    * FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
      depth and emits a warning, preventing a malicious correction
      cycle from spinning the apply pass
    * FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
      past 16 leading comment lines, even on garbage input
    * Empty / inverted byte-range early-return in page-up read path
      so a malformed time filter cannot cause an unbounded scan
    * Zero-entry index guard so a file whose every line failed to
      parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
  not match the original message's sender is rejected at write
  time and surfaced via cons_show_error; a cycle in the apply pass
  is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
  the literal "(null)" as no resource and returns a bare jid;
  similar normalisation for barejid eliminates the legacy
  "user@host/(null)" artefact that leaked into stored fulljids
  whenever g_strdup_printf("%s", NULL) ran inside create_fulljid

Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
  the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
  existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
  timestamp, from_jid, body \u2014 robust against id reuse by older
  clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
  semantics, runs inside a single SQLite transaction with rollback
  on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
  list of issues (ERROR / WARNING / INFO) per file:
    * file-level: missing log, wrong permissions (\u2260 0600), UTF-8
      BOM present, CRLF line endings, empty file
    * line-level: invalid UTF-8 (with byte offset), embedded
      control characters, unparsable lines, timestamps out of
      order, duplicate `id:` and `aid:` (tracked separately so a
      stanza/archive id collision isn't double-reported)
    * cross-line: broken `corrects:` references whose target id is
      not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
  bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
  flatfile backend is currently active, so migration works
  regardless of which backend is live

Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
  key stability, JID normalisation), database_stress (14 cases
  exercising rapid writes, large messages, deep LMC chains, MAM
  dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
  import round-trip with content equality, MUC migration,
  timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
  read, page-up scroll, MAM ingest, mixed workload) and failure
  modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
  oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
  missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
  emit CSV rows for baseline comparison

Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
2026-05-05 19:26:07 +00:00
467222d0ca fix(ui,db): harden NULL handling, fix CWE-134, optimize iterations
Some checks failed
CI Code / Code Coverage (push) Failing after 10m34s
CI Code / Check spelling (push) Failing after 10m47s
CI Code / Check coding style (push) Failing after 11m4s
CI Code / Linux (ubuntu) (push) Failing after 11m19s
CI Code / Linux (debian) (push) Failing after 11m28s
CI Code / Linux (arch) (push) Failing after 11m38s
security(CWE-134): fix format string injections + add CI check
fix(ui): subwindow lifecycle, newwin/newpad guards, fallback timestamps
fix(db): sqlite cleanup on failures, sqlite3_close_v2
fix(xmpp): queued_messages loop, barejid leak
perf(core): g_hash_table_iter_init instead of g_hash_table_get_keys
refactor(ui): CLAMP macro in _check_subwin_width
test: XEP-0012 and XEP-0045 functional tests

Author: jabber.developer2
Closes #58, #85
2026-02-06 19:27:40 +01:00
f8826b7c79 ci: improve CI stability with parallel builds and Valgrind
All checks were successful
CI Code / Check spelling (push) Successful in 20s
CI Code / Check coding style (push) Successful in 33s
CI Code / Code Coverage (push) Successful in 4m47s
CI Code / Linux (debian) (push) Successful in 6m9s
CI Code / Linux (ubuntu) (push) Successful in 6m13s
CI Code / Linux (arch) (push) Successful in 6m19s
Major changes:
Run 4 build configurations in parallel with Valgrind on Linux
Add test failure detection verification (meta-test)
Port allocation per build to prevent conflicts in parallel runs
Add --coverage-only flag for dedicated coverage builds
Code quality:

Add TEST_GROUPS constant, CMOCKA patterns, helper functions
Organize ci-build.sh into sections
2026-02-02 17:47:05 +01:00
85c817ee8c ci: speed up builds 4x with parallel tests, coverage, and ccache
All checks were successful
CI Code / Check spelling (push) Successful in 18s
CI Code / Check coding style (push) Successful in 31s
CI Code / Code Coverage (push) Successful in 15m25s
CI Code / Linux (debian) (push) Successful in 15m57s
CI Code / Linux (ubuntu) (push) Successful in 16m0s
CI Code / Linux (arch) (push) Successful in 16m6s
Split functional tests into 4 parallel groups and add check-functional-parallel target (~3x faster CI runs).
Add branch-aware LCOV coverage reporting with new --enable-coverage option and lcov summary in CI pipeline.
Enable ccache via -C configure flag for faster recompilations.
Install lcov in all Docker images and use --depth 1 git clones + parallel make -j$(nproc) for quicker container builds.
Update CONTRIBUTING.md with instructions for parallel test groups and adding new ones.

All changes are tightly related CI/performance improvements developed in sequence. No external service uploads (e.g. Codecov skipped due to Gitea incompatibility).
2026-01-21 16:35:17 +01:00
a90eef1cb2 docs: update CONTRIBUTING.md to clarify functional test guidelines
All checks were successful
CI Code / Check coding style (pull_request) Successful in 29s
CI Code / Check spelling (pull_request) Successful in 17s
CI Code / Linux (debian) (pull_request) Successful in 1h5m29s
CI Code / Check coding style (push) Successful in 31s
CI Code / Check spelling (push) Successful in 17s
CI Code / Linux (arch) (push) Successful in 1h3m52s
CI Code / Linux (ubuntu) (pull_request) Successful in 1h4m41s
CI Code / Linux (arch) (pull_request) Successful in 1h7m14s
CI Code / Linux (debian) (push) Successful in 1h4m50s
CI Code / Linux (ubuntu) (push) Successful in 1h5m37s
2026-01-07 11:46:40 +01:00
48ab4b9360 feat: add Valgrind suppressions and update CI/docs
- Add prof.supp with pthread TLS suppressions
- Update ci-build.sh with test configurations
- Document functional test best practices in CONTRIBUTING.md
2026-01-07 11:46:40 +01:00
b4d3563b96 Cleanup (#5)
All checks were successful
CI / Check coding style (push) Successful in 29s
CI / Check spelling (push) Successful in 16s
CI / Linux (debian) (push) Successful in 9m35s
CI / Linux (arch) (push) Successful in 11m27s
CI / Linux (fedora) (push) Successful in 13m57s
CI / Linux (ubuntu) (push) Successful in 11m21s
- Update formatting for stub files
- Update docs

While original project, Profanity, provides valuable basis for this
fork, we are not affiliated with the upstream. This commit
is updating documentation to reflect accurate information.

The docs are going to be updated further once the website is created.

Reviewed-on: devs/profanity#5
Co-authored-by: Jabber Developer <jabber.developer@jabber.space>
Co-committed-by: Jabber Developer <jabber.developer@jabber.space>
2025-06-20 18:20:47 +00:00
Steffen Jaeckel
f67c76c032 Add make target my-prof.supp
This creates a "as personal as possible" Valgrind suppressions file.

Signed-off-by: Steffen Jaeckel <s@jaeckel.eu>
2025-01-28 16:43:13 +01:00
Michael Vetter
beeddda568 docs: Add more info to ignore revs 2024-06-24 10:24:40 +02:00
Michael Vetter
a8ba8af0de Add link to fugitive 2024-06-20 17:39:04 +02:00
Michael Vetter
7e0338b369 Add hint about git blame ignore to CONTRIBUTING.md 2024-06-20 17:36:54 +02:00
Michael Vetter
951df64a43 docs: Add info about different clang-format versions
Make this clear to new users. Since sjaeckel had reservations
on https://github.com/profanity-im/profanity/pull/1828.
2023-04-15 11:50:57 +02:00
Michael Vetter
54cf152130 contributing: add note about testing 2023-04-09 21:25:28 +02:00
Michael Vetter
a0d5c07a4c Fix headings in contributing.md 2023-03-31 14:14:52 +02:00
Michael Vetter
e1d45f05d3 Update to new mailing list
Maintained by https://github.com/StefanKropp
2023-03-01 15:25:41 +01:00
Michael Vetter
0bae298746 Update mailing list link 2023-01-10 10:24:44 +01:00
Michael Vetter
a0f8adc681 Add commit info to CONTRIBUTING.md 2022-10-10 08:05:11 +02:00
Michael Vetter
5d945a9629 contributing: add part about other git services 2022-09-06 20:01:51 +02:00
Michael Vetter
22064b3a28 contrib: request screenshot upon UI change 2022-05-02 09:59:08 +02:00
Michael Vetter
81b5230da5 Add hint about shortcuts 2022-03-02 17:24:32 +01:00
Michael Vetter
3defa56dcb Add build section to contributing.md 2022-02-23 13:14:58 +01:00
Michael Vetter
d15f905d83 Add unit tests section to CONTIBUTING.md
And rename a header.
2022-02-18 18:49:43 +01:00
Michael Vetter
a9c875e2ce Update the contributing guide
We need to define some rules to make sure people know what they need to
take care about.
To allow us to later still understand the changes in an optimal way and
make everyones work easier.
2022-02-17 14:02:45 +01:00
Michael Vetter
46c8245af9 Format new register code correctly 2021-10-13 21:32:44 +02:00
Michael Vetter
ce5bf721ca Mention make spell and doublecheck in contributing.md 2021-10-05 09:49:50 +02:00
Michael Vetter
02e7cc029c Add codespell info to contributing 2021-10-01 23:16:17 +02:00
Michael Vetter
e3797076d9 Add filetype check to pre hook example
We have `Language: Cpp` in .clang-format but recently it tried to format
my makefile anyways.
Let's add this to be sure.
2020-07-15 11:36:39 +02:00
William Wennerström
815a655768 Add highlighting 2020-07-07 10:11:31 +02:00
William Wennerström
d1bf922b1a Tip about pre-push hook in contribution guidelines 2020-07-07 10:06:47 +02:00
Michael Vetter
1bbb819dac Add pre-commit hook clang-format example
Regards https://github.com/profanity-im/profanity/issues/1396
2020-07-07 09:51:47 +02:00
Michael Vetter
66f9a6b721 Add clang-format file
People should run `make format` before doing a commit.
Fix https://github.com/profanity-im/profanity/issues/1396
2020-07-07 09:42:00 +02:00
Michael Vetter
2592216084 Add CONTRIBUTING.md 2019-07-23 09:25:17 +02:00