fix(orb): bound relay retry fan-out #1400

Open
JSONbored wants to merge 1 commit into main from codex/propose-fix-for-orb-relay-dos-vulnerability

@JSONbored

Owner

Motivation

  • Prevent unbounded memory / concurrency blowups in the Orb relay retry path by avoiding a full-table fan-out of pending failures.
  • Ensure a misbehaving or attacker-driven burst of webhook traffic cannot exhaust Worker memory or create massive simultaneous outbound/D1 operations.

Description

  • Limit each retry sweep to an ordered page by adding RELAY_RETRY_BATCH_SIZE and applying ORDER BY created_at, delivery_id LIMIT ? to the select in src/orb/relay.ts.
  • Bound in-flight work by introducing RELAY_RETRY_CONCURRENCY and replacing the unbounded Promise.all(results.map(...)) with chunked Promise.all loops that process slices of results of size RELAY_RETRY_CONCURRENCY.
  • Preserve existing retry semantics: successful or skipped forwards delete the row, failures increment attempts and rows are still pruned by TTL/attempt budget.
  • Add a regression integration test PAGES retry work and bounds concurrent forwards in test/integration/orb-relay.test.ts that seeds more failures than one batch and asserts only one page is attempted with concurrency capped.

Testing

  • Ran npx vitest run test/integration/orb-relay.test.ts and the integration suite for orb-relay passed (27 tests passed).
  • Ran npm run typecheck which completed successfully and git diff --check which reported no issues.
  • Attempted coverage with npm run test:coverage -- --run test/integration/orb-relay.test.ts but it failed due to a local dependency remapping error (ast-v8-to-istanbul receiving an incompatible js-tokens version), not related to the logic change.
  • Attempted npm audit --audit-level=moderate but it could not complete in this environment due to a registry/audit endpoint error (403).

Codex Task
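
The paging and concurrency bound described in this PR, as an added TypeScript example that is not the project's code from src/orb/relay.ts. An in-memory array stands in for the D1 table, the constant values and row shape are assumptions, and TTL/attempt-budget pruning is left out.

```typescript
// Names follow the PR description; the values and row shape are assumptions.
const RELAY_RETRY_BATCH_SIZE = 4;
const RELAY_RETRY_CONCURRENCY = 2;

interface FailureRow { delivery_id: string; created_at: number; attempts: number }
type Forward = (row: FailureRow) => Promise<boolean>; // true = delivered or skipped

// In-memory stand-in for: ORDER BY created_at, delivery_id LIMIT ?
function selectRetryPage(table: FailureRow[], limit: number): FailureRow[] {
  const byAgeThenId = (a: FailureRow, b: FailureRow): number =>
    a.created_at - b.created_at ||
    (a.delivery_id < b.delivery_id ? -1 : a.delivery_id > b.delivery_id ? 1 : 0);
  return [...table].sort(byAgeThenId).slice(0, limit);
}

async function retrySweep(
  table: FailureRow[],
  forward: Forward,
  batchSize: number = RELAY_RETRY_BATCH_SIZE,
  concurrency: number = RELAY_RETRY_CONCURRENCY,
): Promise<{ attempted: string[]; peakInFlight: number }> {
  const page = selectRetryPage(table, batchSize); // rows past the page wait for a later sweep
  const step = Math.max(1, Math.floor(concurrency)); // a zero or negative cap must not stall the loop
  let inFlight = 0;
  let peakInFlight = 0;
  for (let i = 0; i < page.length; i += step) {
    // Each slice settles before the next starts, so at most `step` forwards are pending.
    await Promise.all(page.slice(i, i + step).map(async (row) => {
      inFlight += 1;
      peakInFlight = Math.max(peakInFlight, inFlight);
      let ok = false;
      try { ok = await forward(row); } catch { ok = false; } finally { inFlight -= 1; }
      if (ok) table.splice(table.indexOf(row), 1); // success or skip deletes the row
      else row.attempts += 1;                      // failure stays, with one more attempt
    }));
  }
  return { attempted: page.map((r) => r.delivery_id), peakInFlight };
}

// Constructed sample: pending failures inserted newest-first, with created_at ties.
function seedFailures(count: number): FailureRow[] {
  const rows: FailureRow[] = [];
  for (let i = 0; i < count; i += 1) {
    rows.push({ delivery_id: `d${i}`, created_at: 100 - Math.floor(i / 2), attempts: 0 });
  }
  return rows;
}
```

With nine seeded failures and a page size of four, one sweep touches only the four oldest rows no matter how many are queued, which is the property the PR's regression test asserts.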

dosubot Bot added the size:M label (This PR changes 30-99 lines, ignoring generated files.) on Jun 25, 2026
@superagent-security

Superagent didn't find any vulnerabilities or security issues in this PR.

@codecov

codecov Bot commented Jun 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 95.34%. Comparing base (6138b9e) to head (df34281).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1400   +/-   ##
=======================================
  Coverage   95.33%   95.34%           
=======================================
  Files         192      192           
  Lines       20750    20754    +4     
  Branches     7500     7500           
=======================================
+ Hits        19783    19787    +4     
  Misses        383      383           
  Partials      584      584           
Files with missing lines Coverage Δ
src/orb/relay.ts 100.00% <100.00%> (ø)
JSONbored self-assigned this on Jun 26, 2026
Labels

aardvark, codex, size:M (This PR changes 30-99 lines, ignoring generated files.)
