Skip to content

Prevent posture checks field update from nmui#4070

Merged
abhishek9686 merged 2 commits into
release-v1.6.0from
fix/4062
Jun 24, 2026
Merged

Prevent posture checks field update from nmui#4070
abhishek9686 merged 2 commits into
release-v1.6.0from
fix/4062

Conversation

@VishalDalwadi

Copy link
Copy Markdown
Collaborator

Describe your changes

Provide Issue ticket number if applicable/not in title

Provide testing steps

Checklist before requesting a review

  • My changes affect only 10 files or less.
  • I have performed a self-review of my code and tested it.
  • If it is a new feature, I have added thorough tests, my code is <= 1450 lines.
  • If it is a bugfix, my code is <= 200 lines.
  • My functions are <= 80 lines.
  • I have had my code reviewed by a peer.
  • My unit tests pass locally.
  • Netmaker is awesome.

@VishalDalwadi VishalDalwadi marked this pull request as ready for review June 24, 2026 09:42
@tenki-reviewer

tenki-reviewer Bot commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Review Complete

Files Reviewed: 1
Findings: 2

By Severity:

  • 🟡 Medium: 2

The PR adds new PostureCheck fields (violations, severity level, evaluation timestamp/ID) to the Node model's Fill method with two data-model issues: the zero-value integer enum SeverityUnknown is conflated with 'unset', and the violations slice is aliased rather than deep-copied.

Files Reviewed (1 files)
models/node.go

@tenki-reviewer tenki-reviewer Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Risk: 🟡 Medium (42/100) — 2 medium findings · 12 LOC across 1 file


PR #4070 Review Summary

This single-file PR (models/node.go) extends the Fill method on the Node struct to merge three new PostureCheck-related fields when in-network node updates are received.

Key Findings

  • finding-001: The guard newNode.PostureCheckViolationSeverityLevel == 0 at line 266 treats the iota enum member SeverityUnknown (value 0) as 'unset', conflating a legitimate domain value with the absent/initialized state. Future callers that intentionally set SeverityUnknown would have their value silently overwritten.
  • finding-002: At line 270, the slice assignment shares the backing array between currentNode and newNode — any subsequent append, re-slice, or sort on either node's PostureChecksViolations will mutate the other's data, creating an alias bug.

Assessment

Both issues are medium severity with moderate fix complexity. Neither is a crash or security vulnerability, but they create latent data-integrity bugs that could manifest as stale or incorrect posture-check state propagation in multi-node deployments.

Comment thread models/node.go
Comment thread models/node.go
@abhishek9686 abhishek9686 merged commit ec41055 into release-v1.6.0 Jun 24, 2026
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants