Check for expected ZID when opening scouted links #2579

Open
oteffahi wants to merge 3 commits into eclipse-zenoh:main from ZettaScaleLabs:feat/handshake-expected-zid

@oteffahi oteffahi commented Apr 20, 2026

Description

This PR makes scouted connections validate that the peer ZID matches what was advertised in scouting.
It can also be leveraged to improve multilink for client mode by making sure all endpoints belong to the same ZID (to be implemented as part of #2320).

Why is this change needed?

It fixes possible attacks described in #2151.

Related Issues

Fixes #2151


🏷️ Label-Based Checklist

Based on the labels applied to this PR, please complete these additional requirements:

Labels: bug

🐛 Bug Fix Requirements

Since this PR is labeled as a bug fix, please ensure:

  • Root cause documented - Explain what caused the bug in the PR description
  • Reproduction test added - Test that fails on main branch without the fix
  • Test passes with fix - The reproduction test passes with your changes
  • Regression prevention - Test will catch if this bug reoccurs in the future
  • Fix is minimal - Changes are focused only on fixing the bug
  • Related bugs checked - Verified no similar bugs exist in related code

Why this matters: Bugs without tests often reoccur.

Instructions:

  1. Check off items as you complete them (change - [ ] to - [x])
  2. The PR checklist CI will verify these are completed

This checklist updates automatically when labels change, but preserves your checked boxes.
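
The check this PR describes, as an added Rust sketch that is not code from the PR or from zenoh: a link opened from a scouted HELLO is kept only if the ZID the peer presents in the handshake equals the advertised one. `Zid`, `Hello`, `Rejected`, `open_scouted` and the `handshake` callback are hypothetical names, and the locators and ZIDs are constructed sample values.

```rust
// Added illustration: hypothetical types and names, not zenoh's API.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct Zid(pub u128);

/// What scouting advertised: one ZID and the locators claimed for it.
pub struct Hello { pub zid: Zid, pub locators: Vec<String> }

#[derive(Debug, PartialEq, Eq)]
pub enum Rejected {
    /// The node answering on `locator` is not the one scouting advertised.
    ZidMismatch { locator: String, got: Zid },
    Unreachable { locator: String },
}

/// Try every locator of a HELLO and keep a link only when the ZID presented
/// in the handshake equals the advertised one. `handshake` stands in for the
/// transport open and returns the remote ZID (None if nothing answers).
pub fn open_scouted<F>(hello: &Hello, mut handshake: F) -> (Vec<String>, Vec<Rejected>)
where
    F: FnMut(&str) -> Option<Zid>,
{
    let (mut accepted, mut rejected) = (Vec::new(), Vec::new());
    for loc in &hello.locators {
        match handshake(loc.as_str()) {
            Some(got) if got == hello.zid => accepted.push(loc.clone()),
            Some(got) => rejected.push(Rejected::ZidMismatch { locator: loc.clone(), got }),
            None => rejected.push(Rejected::Unreachable { locator: loc.clone() }),
        }
    }
    (accepted, rejected)
}

/// Constructed scenario: the HELLO for ZID 0xA1 lists three locators; the
/// second is answered by a node with ZID 0xB2, the third by nobody.
pub fn demo() -> (Vec<String>, Vec<Rejected>) {
    let locators = ["tcp/192.0.2.10:7447", "tcp/192.0.2.66:7447", "tcp/192.0.2.99:7447"];
    let hello = Hello { zid: Zid(0xA1), locators: locators.map(String::from).to_vec() };
    open_scouted(&hello, |loc| match loc {
        "tcp/192.0.2.10:7447" => Some(Zid(0xA1)),
        "tcp/192.0.2.66:7447" => Some(Zid(0xB2)),
        _ => None,
    })
}

fn main() {
    println!("{:?}", demo());
}
```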

@oteffahi oteffahi requested review from evshary and fuzzypixelz April 20, 2026 14:51
@oteffahi oteffahi added the enhancement Existing things could work better label Apr 20, 2026

codecov Bot commented Apr 20, 2026

Codecov Report

❌ Patch coverage is 96.42857% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 74.69%. Comparing base (7b54cab) to head (2c180fb).
⚠️ Report is 10 commits behind head on main.
✅ All tests successful. No failed tests found.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| zenoh/src/net/runtime/orchestrator.rs | 0.00% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2579      +/-   ##
==========================================
- Coverage   74.85%   74.69%   -0.17%     
==========================================
  Files         399      399              
  Lines       59401    59564     +163     
==========================================
+ Hits        44467    44489      +22     
- Misses      14934    15075     +141     

@evshary evshary left a comment

LGTM, but maybe you want to retrigger the CI. Something might go wrong in the CI server.

@oteffahi oteffahi added bug Something isn't working and removed enhancement Existing things could work better labels Apr 21, 2026

Labels

bug Something isn't working

Development

Successfully merging this pull request may close these issues.

Locators in HELLO message are assumed to belong to the same ZID