From 4312c000b14382dc572ec53d9cb101589bcafa79 Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Mon, 13 Jul 2026 16:27:20 +0000 Subject: [PATCH 1/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITIC?= =?UTF-8?q?AL]=20Fix=20unhandled=20NA=20coercion=20crash=20DoS=20risk=20in?= =?UTF-8?q?=20interactive=20prompts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .jules/sentinel.md | 8 ++++---- R/aFIPC.R | 9 ++++++--- tests/testthat/test-sentinel-validation.R | 19 +++++++++++++++++++ 3 files changed, 29 insertions(+), 7 deletions(-) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index a8207a4..f1d1cc6 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -1,4 +1,4 @@ -## 2024-07-12 - Fix missing parameter validations -**Vulnerability:** Unvalidated inputs passed to `if()` statements can cause process crashes (`condition has length > 1`) or unexpected coercion vulnerabilities. -**Learning:** In R, optional boolean parameters that default to `NULL` should be validated using explicit runtime type validation (e.g., `if (!is.null(flag) && (!is.logical(flag) || length(flag) != 1 || is.na(flag)))`). -**Prevention:** Always implement explicit runtime type validation for optional boolean parameters. +## 2024-07-13 - [Strict Input Validation on Interactive Prompts] +**Vulnerability:** Unhandled coercion NA exception due to weak integer input validation (`^[0-9]+$`). If a user inputs a massive string (e.g., `"99999999999"`) into `readline()`, `as.integer()` coerces it to `NA`, which then crashes the `if` checks, causing a Denial of Service. +**Learning:** R does not inherently limit input string length in `readline()` nor does `as.integer()` catch out-of-bound overflow gracefully without introducing an `NA`. Checking for merely `[0-9]+` allows oversized integers. +**Prevention:** Use strictly bounded exact-match regex like `^[12]$` when reading constrained inputs to ensure coercion functions like `as.integer()` never encounter out-of-bound, `NA`-producing values. diff --git a/R/aFIPC.R b/R/aFIPC.R index 4b8dad6..1c5670f 100644 --- a/R/aFIPC.R +++ b/R/aFIPC.R @@ -141,7 +141,8 @@ autoFIPC <- } for (attempt in seq_len(3)) { n <- readline(prompt = "Is it correct? (1: Yes 2: No) : ") - if (grepl("^[0-9]+$", n)) { + # Security: Strict input validation to prevent coercion crashes + if (grepl("^[12]$", n)) { return(as.integer(n)) } } @@ -171,7 +172,8 @@ autoFIPC <- readline( prompt = "Do you want to use default BILOG-MG priors for oldform Data? (1: Yes 2: No) : " ) - if (grepl("^[0-9]+$", n)) { + # Security: Strict input validation to prevent coercion crashes + if (grepl("^[12]$", n)) { return(as.integer(n)) } } @@ -390,7 +392,8 @@ autoFIPC <- readline( prompt = "Do you want to use default BILOG-MG priors for newform Data? (1: Yes 2: No) : " ) - if (grepl("^[0-9]+$", n)) { + # Security: Strict input validation to prevent coercion crashes + if (grepl("^[12]$", n)) { return(as.integer(n)) } } diff --git a/tests/testthat/test-sentinel-validation.R b/tests/testthat/test-sentinel-validation.R index 900f0ee..0111688 100644 --- a/tests/testthat/test-sentinel-validation.R +++ b/tests/testthat/test-sentinel-validation.R @@ -35,3 +35,22 @@ test_that("autoFIPC validates boolean flags for newformBILOGprior, oldformBILOGp "Security Error: confirmCommonItems must be a single non-NA logical value or NULL" ) }) + +test_that("autoFIPC validates interactive common item correctly with mocks", { + # Mock interactive to TRUE to test the readline loops + mockery::stub(aFIPC::autoFIPC, 'interactive', TRUE) + + # Stub readline to return an invalid option '3' 3 times, which should exhaust attempts + mockery::stub(aFIPC::autoFIPC, 'readline', mockery::mock('3', '3', '3')) + + expect_error( + aFIPC::autoFIPC( + newformXData = data.frame(A=1), + oldformYData = data.frame(A=2), + newformCommonItemNames = c('A'), + oldformCommonItemNames = c('A'), + confirmCommonItems = NULL + ), + "Too many invalid common item confirmation attempts" + ) +}) From fc68666f4f74274c9835d92c8a2302e462ffe1be Mon Sep 17 00:00:00 2001 From: seonghobae <8172694+seonghobae@users.noreply.github.com> Date: Mon, 13 Jul 2026 17:53:17 +0000 Subject: [PATCH 2/2] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITIC?= =?UTF-8?q?AL]=20Fix=20unhandled=20NA=20coercion=20crash=20DoS=20risk=20in?= =?UTF-8?q?=20interactive=20prompts?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .jules/sentinel.md | 5 +++++ tests/testthat/test-sentinel-validation.R | 2 ++ 2 files changed, 7 insertions(+) diff --git a/.jules/sentinel.md b/.jules/sentinel.md index f1d1cc6..d53fa1a 100644 --- a/.jules/sentinel.md +++ b/.jules/sentinel.md @@ -1,3 +1,8 @@ +## 2024-07-12 - Fix missing parameter validations +**Vulnerability:** Unvalidated inputs passed to `if()` statements can cause process crashes (`condition has length > 1`) or unexpected coercion vulnerabilities. +**Learning:** In R, optional boolean parameters that default to `NULL` should be validated using explicit runtime type validation (e.g., `if (!is.null(flag) && (!is.logical(flag) || length(flag) != 1 || is.na(flag)))`). +**Prevention:** Always implement explicit runtime type validation for optional boolean parameters. + ## 2024-07-13 - [Strict Input Validation on Interactive Prompts] **Vulnerability:** Unhandled coercion NA exception due to weak integer input validation (`^[0-9]+$`). If a user inputs a massive string (e.g., `"99999999999"`) into `readline()`, `as.integer()` coerces it to `NA`, which then crashes the `if` checks, causing a Denial of Service. **Learning:** R does not inherently limit input string length in `readline()` nor does `as.integer()` catch out-of-bound overflow gracefully without introducing an `NA`. Checking for merely `[0-9]+` allows oversized integers. diff --git a/tests/testthat/test-sentinel-validation.R b/tests/testthat/test-sentinel-validation.R index 0111688..74876d5 100644 --- a/tests/testthat/test-sentinel-validation.R +++ b/tests/testthat/test-sentinel-validation.R @@ -1,3 +1,5 @@ +library(mockery) + test_that("autoFIPC validates boolean flags for newformBILOGprior, oldformBILOGprior, and confirmCommonItems", { # newformBILOGprior expect_error(