ev.HMAC[:12] panics when HMAC is shorter than 12 bytes. Add len guards before truncation so the log line never panics — the mismatch is still reported, just with whatever prefix is available. Co-authored-by: Molecule AI Infra-SRE <infra-sre@agents.moleculesai.app> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
parent
9fe593eed0
commit
012f64e488
@ -283,9 +283,18 @@ func verifyAuditChain(events []auditEventRow) *bool {
|
||||
// Recompute the expected HMAC.
|
||||
expected := computeAuditHMAC(key, ev)
|
||||
if !hmac.Equal([]byte(ev.HMAC), []byte(expected)) {
|
||||
// Truncate for logging only after confirming the slice is safe.
|
||||
storedPrefix := ev.HMAC
|
||||
computedPrefix := expected
|
||||
if len(storedPrefix) > 12 {
|
||||
storedPrefix = storedPrefix[:12]
|
||||
}
|
||||
if len(computedPrefix) > 12 {
|
||||
computedPrefix = computedPrefix[:12]
|
||||
}
|
||||
log.Printf(
|
||||
"audit: HMAC mismatch at event %s (agent=%s): stored=%q computed=%q",
|
||||
ev.ID, ev.AgentID, ev.HMAC[:12], expected[:12],
|
||||
ev.ID, ev.AgentID, storedPrefix, computedPrefix,
|
||||
)
|
||||
f := false
|
||||
return &f
|
||||
|
||||
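Review bot: The `log.Printf` call still writes a prefix of `expected`, which is the correct HMAC for a row that just failed verification, so anyone with read access to the logs learns part of the valid tag; the stored prefix alone is enough to identify the mismatch. I would drop the computed value and log lengths instead, e.g. `"audit: HMAC mismatch at event %s (agent=%s): stored=%q stored_len=%d expected_len=%d"` with `ev.ID, ev.AgentID, storedPrefix, len(ev.HMAC), len(expected)`. If `ev.ID` and `ev.AgentID` are strings read from the audit table (their types are not visible here), `%q` would also keep control characters out of the log line. The two truncation blocks are identical and could share a small helper; verifyAuditChain starts and ends outside this hunk.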