mirror of
https://git.jabber.space/devs/cproof.git
synced 2026-07-18 23:16:22 +00:00
A flat-file alternative to the SQLite chatlog backend with runtime
switching, full migration tooling, integrity verification, and a
synthetic load harness. SQLite remains the default; both backends share
one dispatch layer (db_backend_t vtable) so callers don't change.
Storage layout
- Per-contact append-only `flatlog/<account>/<contact>/history.log`
under XDG_DATA_HOME, one line per message
- Single-line file header with embedded format-version marker
(FLATFILE_FORMAT_VERSION); reader warns on missing or mismatched
marker, writer and checker stay in sync via preprocessor
stringification
- Deterministic key=value metadata (`id`, `aid`, `corrects`, `to`,
`to_res`, `read`) plus escaped body \u2014 `\|`, `\]`, `\\`, `\n`, `\r`
literals prevent log injection
- Sparse byte-offset index (FF_INDEX_STEP=500) per contact for
O(log n) time-range lookups; rebuilt on inode / size / mtime
change, extended in-place when the file just grew
- Per-contact GHashTable caches for archive_id presence and
stanza_id \u2192 from_jid mapping (O(1) MAM dedup, O(1) LMC sender
validation)
Hardening
- Path-traversal protection: JID directory name normalisation
(`@` \u2192 `_at_`, slashes and `..` rejected at construction); every
per-contact path is anchored under the account's flatlog/
directory and validated before open
- Symlink-attack protection: every fopen / open uses O_NOFOLLOW; on
ELOOP the operation aborts with an error rather than following
- Filesystem permissions: log files created with mode 0600,
directories with mode 0700; both enforced at creation, verified
on each open and reported on drift by `/history verify`
- Atomic crash-safe export: write to a temp file via mkstemp (mode
0600, random suffix, no name collisions between concurrent
exports), fsync, then rename \u2014 partial state never replaces the
live file
- Concurrency: advisory flock(LOCK_EX) held for the duration of
every write, including append from live messages and full rewrite
from export, so two profanity processes can't interleave bytes
on the same log
- DoS / abuse guards:
* FF_MAX_LINE_LEN = 10 MB \u2014 lines longer than this are rejected
at read with a warning; the parser will not allocate
unbounded memory for a single record
* FF_MAX_LMC_DEPTH = 100 \u2014 `corrects:` chain walk stops at this
depth and emits a warning, preventing a malicious correction
cycle from spinning the apply pass
* FF_VERSION_SCAN_MAX = 16 \u2014 header version probe never reads
past 16 leading comment lines, even on garbage input
* Empty / inverted byte-range early-return in page-up read path
so a malformed time filter cannot cause an unbounded scan
* Zero-entry index guard so a file whose every line failed to
parse cannot cause a NULL deref on later page-up
- LMC sender validation: an incoming correction whose sender does
not match the original message's sender is rejected at write
time and surfaced via cons_show_error; a cycle in the apply pass
is broken via a visited-set
- jid_create_from_bare_and_resource treats NULL, empty string, and
the literal "(null)" as no resource and returns a bare jid;
similar normalisation for barejid eliminates the legacy
"user@host/(null)" artefact that leaked into stored fulljids
whenever g_strdup_printf("%s", NULL) ran inside create_fulljid
Commands
- `/history switch sqlite|flatfile` \u2014 runtime backend swap, closes
the old backend and opens the new one without reconnecting
- `/history export [<jid>]` \u2014 SQLite -> flat-file, merging with any
existing flatlog (dedup keyed on a SHA-256 hash mixing stanza_id,
timestamp, from_jid, body \u2014 robust against id reuse by older
clients)
- `/history import [<jid>]` \u2014 flat-file -> SQLite, same merge
semantics, runs inside a single SQLite transaction with rollback
on per-contact failure
- `/history verify [<jid>]` \u2014 integrity check; emits a structured
list of issues (ERROR / WARNING / INFO) per file:
* file-level: missing log, wrong permissions (\u2260 0600), UTF-8
BOM present, CRLF line endings, empty file
* line-level: invalid UTF-8 (with byte offset), embedded
control characters, unparsable lines, timestamps out of
order, duplicate `id:` and `aid:` (tracked separately so a
stanza/archive id collision isn't double-reported)
* cross-line: broken `corrects:` references whose target id is
not present in the file
- `/history backend` \u2014 show currently active backend
- Active backend indicator `[sqlite]` / `[flatfile]` in the status
bar next to the JID
- Roster-JID autocomplete for verify / export / import
- export and import open a SQLite handle on demand when the
flatfile backend is currently active, so migration works
regardless of which backend is live
Tests
- Unit: database_export (parser round-trip, escape/unescape, dedup
key stability, JID normalisation), database_stress (14 cases
exercising rapid writes, large messages, deep LMC chains, MAM
dedup, concurrent contacts)
- Functional: history persistence across reconnects, export /
import round-trip with content equality, MUC migration,
timestamp normalisation across timezones
- Bench harness P1\u2013P5 (synthetic load: bulk insert, time-range
read, page-up scroll, MAM ingest, mixed workload) and failure
modes F1\u2013F17 (page-up cursor and forward-iteration symmetry,
oversized lines, MAM dedup, LMC depth and cycles, BOM/CRLF,
missing log, empty file, mtime+inode flip, broken corrects, etc.)
- All bench tests integrate with the existing make targets and
emit CSV rows for baseline comparison
Author: jabber.developer2 <jabber.developer2@jabber.space>
Reviewed-by: jabber.developer <jabber.developer@jabber.space>
361 lines
13 KiB
C
361 lines
13 KiB
C
// SPDX-License-Identifier: GPL-3.0-or-later
|
|
//
|
|
// This file is part of CProof.
|
|
// See LICENSE for the full GPLv3 text and the special OpenSSL linking exception.
|
|
|
|
/*
|
|
* database_flatfile_verify.c
|
|
* vim: expandtab:ts=4:sts=4:sw=4
|
|
*
|
|
* Flat-file backend: integrity verification (/history verify).
|
|
*
|
|
* High-level flow (see ff_verify_integrity):
|
|
* 1. Resolve target contact directories — either a single contact (when
|
|
* contact_barejid != NULL) or every contact directory under
|
|
* flatlog/<account>/.
|
|
* 2. For each contact's history.log:
|
|
* - Check file permissions (warn if not 0600).
|
|
* - First pass: line-by-line UTF-8 / control-char / parser /
|
|
* duplicate-id / timestamp-ordering checks. Records every
|
|
* stanza-id and archive-id seen so the second pass can resolve
|
|
* LMC references. stanza-id and archive-id are tracked in
|
|
* *separate* hash tables — duplicate detection is reported
|
|
* per id-kind to avoid spurious cross-kind warnings.
|
|
* - Second pass: re-read the file and verify each `corrects:` link
|
|
* points at a stanza-id that was seen in pass 1.
|
|
* 3. Aggregate every issue into a GSList<integrity_issue_t> and return
|
|
* it to the caller, ready for /history verify rendering.
|
|
*
|
|
* The file is split into small helpers so each pass can be understood in
|
|
* isolation; ff_verify_integrity itself is just orchestration.
|
|
*/
|
|
|
|
#include "config.h"
|
|
|
|
#include <sys/stat.h>
|
|
#include <glib.h>
|
|
#include <glib/gstdio.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#include "log.h"
|
|
#include "config/files.h"
|
|
#include "database_flatfile.h"
|
|
|
|
// =========================================================================
|
|
// Issue construction
|
|
// =========================================================================
|
|
|
|
static integrity_issue_t*
|
|
_issue_new(integrity_level_t level, const char* file, int line, char* message)
|
|
{
|
|
integrity_issue_t* issue = g_new0(integrity_issue_t, 1);
|
|
issue->level = level;
|
|
issue->file = g_strdup(file ? file : "");
|
|
issue->line = line;
|
|
issue->message = message; // takes ownership of the (g_strdup'd) message
|
|
return issue;
|
|
}
|
|
|
|
// =========================================================================
|
|
// Contact discovery
|
|
// =========================================================================
|
|
|
|
// Build the list of contact directories to verify. If contact_barejid is
|
|
// supplied, the list is either a singleton or empty (and an INFO issue is
|
|
// appended explaining no logs exist for that contact). Otherwise, every
|
|
// subdirectory of flatlog/<account>/ is enumerated.
|
|
static GSList*
|
|
_collect_contact_dirs(const gchar* const contact_barejid, GSList** issues)
|
|
{
|
|
GSList* contact_dirs = NULL;
|
|
|
|
if (contact_barejid) {
|
|
auto_gchar gchar* cdir = ff_get_contact_dir(contact_barejid);
|
|
if (cdir && g_file_test(cdir, G_FILE_TEST_IS_DIR)) {
|
|
contact_dirs = g_slist_prepend(contact_dirs, g_strdup(cdir));
|
|
} else {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_INFO, contact_barejid, 0,
|
|
g_strdup("No log files found for this contact")));
|
|
}
|
|
return contact_dirs;
|
|
}
|
|
|
|
auto_gchar gchar* data_path = files_get_data_path(DIR_FLATLOG);
|
|
auto_gchar gchar* my_dir = ff_jid_to_dir(g_flatfile_account_jid);
|
|
auto_gchar gchar* base_dir = g_strdup_printf("%s/%s", data_path, my_dir);
|
|
|
|
GDir* dir = g_dir_open(base_dir, 0, NULL);
|
|
if (!dir)
|
|
return NULL;
|
|
|
|
const gchar* dname;
|
|
while ((dname = g_dir_read_name(dir)) != NULL) {
|
|
char* full = g_strdup_printf("%s/%s", base_dir, dname);
|
|
if (g_file_test(full, G_FILE_TEST_IS_DIR)) {
|
|
contact_dirs = g_slist_prepend(contact_dirs, full);
|
|
} else {
|
|
g_free(full);
|
|
}
|
|
}
|
|
g_dir_close(dir);
|
|
return contact_dirs;
|
|
}
|
|
|
|
// =========================================================================
|
|
// Permission check
|
|
// =========================================================================
|
|
|
|
static void
|
|
_check_permissions(const char* filepath, const char* basename, GSList** issues)
|
|
{
|
|
struct stat st;
|
|
if (g_stat(filepath, &st) != 0)
|
|
return;
|
|
if ((st.st_mode & 0777) == (S_IRUSR | S_IWUSR))
|
|
return;
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, 0,
|
|
g_strdup_printf("File permissions are %o, expected 600 (sensitive data)",
|
|
st.st_mode & 0777)));
|
|
}
|
|
|
|
// =========================================================================
|
|
// First pass: per-line content checks + id collection
|
|
// =========================================================================
|
|
//
|
|
// For every non-empty, non-comment line:
|
|
// - validate UTF-8
|
|
// - flag control characters
|
|
// - try to parse via ff_parse_line(); if that fails, record the lineno
|
|
// - check timestamp monotonicity
|
|
// - flag duplicate stanza-id and duplicate archive-id (separate tables)
|
|
// - record every stanza-id encountered for LMC pass 2
|
|
//
|
|
// Also detects: BOM (informational), CRLF line endings (warning), empty
|
|
// file (informational).
|
|
|
|
static void
|
|
_first_pass(FILE* fp, const char* basename,
|
|
GHashTable* seen_stanza_ids, GHashTable* seen_archive_ids,
|
|
GHashTable* all_stanza_ids, GSList** issues)
|
|
{
|
|
if (ff_skip_bom(fp)) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_INFO, basename, 0,
|
|
g_strdup("File has UTF-8 BOM — harmless but unnecessary")));
|
|
}
|
|
|
|
char* buf = NULL;
|
|
int lineno = 0;
|
|
GDateTime* prev_ts = NULL;
|
|
gboolean has_crlf = FALSE;
|
|
gboolean is_empty = TRUE;
|
|
|
|
while ((buf = ff_readline(fp, NULL)) != NULL) {
|
|
lineno++;
|
|
gsize len = strlen(buf);
|
|
|
|
if (len > 0 && buf[len - 1] == '\r') {
|
|
has_crlf = TRUE;
|
|
buf[--len] = '\0';
|
|
}
|
|
|
|
if (len == 0 || buf[0] == '#') {
|
|
free(buf);
|
|
continue;
|
|
}
|
|
is_empty = FALSE;
|
|
|
|
const gchar* end;
|
|
if (!g_utf8_validate(buf, -1, &end)) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_ERROR, basename, lineno,
|
|
g_strdup_printf("Invalid UTF-8 at byte offset %ld", (long)(end - buf))));
|
|
free(buf);
|
|
continue;
|
|
}
|
|
|
|
for (gsize i = 0; i < len; i++) {
|
|
unsigned char ch = (unsigned char)buf[i];
|
|
if (ch < 0x20 && ch != '\t') {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, lineno,
|
|
g_strdup_printf("Contains control character 0x%02x", ch)));
|
|
break;
|
|
}
|
|
}
|
|
|
|
ff_parsed_line_t* pl = ff_parse_line(buf);
|
|
if (!pl) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_ERROR, basename, lineno,
|
|
g_strdup("Unparsable line")));
|
|
free(buf);
|
|
continue;
|
|
}
|
|
free(buf);
|
|
|
|
if (prev_ts && g_date_time_compare(pl->timestamp, prev_ts) < 0) {
|
|
auto_gchar gchar* ts_cur = g_date_time_format_iso8601(pl->timestamp);
|
|
auto_gchar gchar* ts_prev = g_date_time_format_iso8601(prev_ts);
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, lineno,
|
|
g_strdup_printf("Timestamp out of order (%s after %s)", ts_cur, ts_prev)));
|
|
}
|
|
if (prev_ts)
|
|
g_date_time_unref(prev_ts);
|
|
prev_ts = g_date_time_ref(pl->timestamp);
|
|
|
|
if (pl->stanza_id && pl->stanza_id[0] != '\0') {
|
|
if (g_hash_table_contains(seen_stanza_ids, pl->stanza_id)) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, lineno,
|
|
g_strdup_printf("Duplicate stanza-id \"%s\"", pl->stanza_id)));
|
|
} else {
|
|
g_hash_table_insert(seen_stanza_ids, g_strdup(pl->stanza_id), GINT_TO_POINTER(lineno));
|
|
}
|
|
g_hash_table_insert(all_stanza_ids, g_strdup(pl->stanza_id), GINT_TO_POINTER(lineno));
|
|
}
|
|
if (pl->archive_id && pl->archive_id[0] != '\0') {
|
|
if (g_hash_table_contains(seen_archive_ids, pl->archive_id)) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, lineno,
|
|
g_strdup_printf("Duplicate archive-id \"%s\"", pl->archive_id)));
|
|
} else {
|
|
g_hash_table_insert(seen_archive_ids, g_strdup(pl->archive_id), GINT_TO_POINTER(lineno));
|
|
}
|
|
}
|
|
|
|
ff_parsed_line_free(pl);
|
|
}
|
|
|
|
if (prev_ts)
|
|
g_date_time_unref(prev_ts);
|
|
|
|
if (has_crlf) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_WARNING, basename, 0,
|
|
g_strdup("File uses Windows line endings (CRLF) — consider converting to LF")));
|
|
}
|
|
if (is_empty) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_INFO, basename, 0,
|
|
g_strdup("File is empty (no message lines)")));
|
|
}
|
|
}
|
|
|
|
// =========================================================================
|
|
// Second pass: LMC reference resolution
|
|
// =========================================================================
|
|
//
|
|
// Walks the file again, and for every line that carries a `corrects:` link,
|
|
// checks that the referenced stanza-id was seen in pass 1. Broken references
|
|
// surface as INTEGRITY_ERROR.
|
|
|
|
static void
|
|
_lmc_pass(FILE* fp, const char* basename, GHashTable* all_stanza_ids, GSList** issues)
|
|
{
|
|
ff_skip_bom(fp);
|
|
|
|
char* buf = NULL;
|
|
int lineno = 0;
|
|
|
|
while ((buf = ff_readline(fp, NULL)) != NULL) {
|
|
lineno++;
|
|
gsize len = strlen(buf);
|
|
if (len > 0 && buf[len - 1] == '\r')
|
|
buf[--len] = '\0';
|
|
if (len == 0 || buf[0] == '#') {
|
|
free(buf);
|
|
continue;
|
|
}
|
|
|
|
ff_parsed_line_t* pl = ff_parse_line(buf);
|
|
free(buf);
|
|
if (!pl)
|
|
continue;
|
|
|
|
if (pl->replace_id && pl->replace_id[0] != '\0'
|
|
&& !g_hash_table_contains(all_stanza_ids, pl->replace_id)) {
|
|
*issues = g_slist_prepend(*issues,
|
|
_issue_new(INTEGRITY_ERROR, basename, lineno,
|
|
g_strdup_printf("Broken correction reference: corrects:%s not found",
|
|
pl->replace_id)));
|
|
}
|
|
ff_parsed_line_free(pl);
|
|
}
|
|
}
|
|
|
|
// =========================================================================
|
|
// Per-contact verification
|
|
// =========================================================================
|
|
|
|
static void
|
|
_verify_contact_dir(const char* cdir_path, GSList** issues)
|
|
{
|
|
auto_gchar gchar* filepath = g_strdup_printf("%s/history.log", cdir_path);
|
|
if (!g_file_test(filepath, G_FILE_TEST_EXISTS)) {
|
|
log_debug("flatfile verify: skipping %s (no history.log)", cdir_path);
|
|
return;
|
|
}
|
|
|
|
const char* basename = "history.log";
|
|
|
|
_check_permissions(filepath, basename, issues);
|
|
|
|
FILE* fp = fopen(filepath, "r");
|
|
if (!fp) {
|
|
log_warning("flatfile verify: cannot open %s for reading", filepath);
|
|
return;
|
|
}
|
|
|
|
// Separate tables by id-kind: a stanza-id and an archive-id can legitimately
|
|
// share the same string without that being a duplicate.
|
|
GHashTable* seen_stanza_ids = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL);
|
|
GHashTable* seen_archive_ids = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL);
|
|
GHashTable* all_stanza_ids = g_hash_table_new_full(g_str_hash, g_str_equal, g_free, NULL);
|
|
|
|
_first_pass(fp, basename, seen_stanza_ids, seen_archive_ids, all_stanza_ids, issues);
|
|
fclose(fp);
|
|
|
|
// Second pass: LMC references
|
|
fp = fopen(filepath, "r");
|
|
if (fp) {
|
|
_lmc_pass(fp, basename, all_stanza_ids, issues);
|
|
fclose(fp);
|
|
}
|
|
|
|
g_hash_table_destroy(seen_stanza_ids);
|
|
g_hash_table_destroy(seen_archive_ids);
|
|
g_hash_table_destroy(all_stanza_ids);
|
|
}
|
|
|
|
// =========================================================================
|
|
// Public entry point
|
|
// =========================================================================
|
|
|
|
GSList*
|
|
ff_verify_integrity(const gchar* const contact_barejid)
|
|
{
|
|
GSList* issues = NULL;
|
|
|
|
if (!g_flatfile_account_jid) {
|
|
issues = g_slist_prepend(issues,
|
|
_issue_new(INTEGRITY_ERROR, "N/A", 0,
|
|
g_strdup("Flat-file backend not initialized")));
|
|
return issues;
|
|
}
|
|
|
|
GSList* contact_dirs = _collect_contact_dirs(contact_barejid, &issues);
|
|
|
|
for (GSList* cd = contact_dirs; cd; cd = cd->next) {
|
|
_verify_contact_dir((const char*)cd->data, &issues);
|
|
}
|
|
|
|
g_slist_free_full(contact_dirs, g_free);
|
|
return g_slist_reverse(issues);
|
|
}
|