[HIGH] Unbounded Retry-After duration DoS vulnerability — code accepts any valid u64

[ironclaw-ci]

[HIGH:75] Issue Found by Staging CI Review

Severity: HIGH
Confidence: 75/100
PR comment: #1285 (comment)

Description

Unbounded Retry-After duration DoS vulnerability — code accepts any valid u64 from Retry-After header without validation, allowing u64::MAX to freeze application indefinitely in tokio::time::sleep()

---

Auto-created by staging-ci Claude Code review

[ilblackdragon]

Regression tests added (4 tests across 3 files)

All currently FAILING — confirms the DoS vector is still present.

1. src/llm/nearai_chat.rs — delay-seconds

const MAX_SANE_RETRY_AFTER_SECS: u64 = 300; // 5 minutes

#[test]
fn test_retry_after_absurdly_large_value_must_be_capped() {
    let duration = parse_retry_after_for_test("999999999");
    let max_allowed = std::time::Duration::from_secs(MAX_SANE_RETRY_AFTER_SECS);
    assert!(
        duration.unwrap() <= max_allowed,
        "Bug #1287: Retry-After: 999999999 produced {:?} which exceeds the safe maximum of {:?}. \
         The parser must clamp unbounded values to prevent DoS.",
        duration.unwrap(),
        max_allowed,
    );
}

2. src/llm/nearai_chat.rs — HTTP-date far future

#[test]
fn test_retry_after_http_date_far_future_must_be_capped() {
    let far_future = chrono::Utc::now() + chrono::Duration::days(10);
    let header = far_future.format("%a, %d %b %Y %H:%M:%S GMT").to_string();
    let duration = parse_retry_after_for_test(&header);
    let max_allowed = std::time::Duration::from_secs(MAX_SANE_RETRY_AFTER_SECS);
    assert!(
        duration.unwrap() <= max_allowed,
        "Bug #1287: HTTP-date Retry-After 10 days in the future produced {:?}, \
         exceeding the safe maximum of {:?}.",
        duration.unwrap(),
        max_allowed,
    );
}

3. src/llm/anthropic_oauth.rs — same pattern

#[test]
fn test_retry_after_absurdly_large_value_must_be_capped() {
    let duration = parse_retry_after_anthropic_for_test("999999999");
    let max_allowed = std::time::Duration::from_secs(MAX_SANE_RETRY_AFTER_SECS);
    assert!(
        duration.unwrap() <= max_allowed,
        "Bug #1287: Retry-After: 999999999 produced {:?} which exceeds the safe maximum of {:?}. \
         The parser must clamp unbounded values to prevent DoS.",
        duration.unwrap(),
        max_allowed,
    );
}

4. src/workspace/embeddings.rs — same pattern

#[test]
fn test_retry_after_absurdly_large_value_must_be_capped() {
    let duration = parse_retry_after_embeddings_for_test("999999999");
    let max_allowed = std::time::Duration::from_secs(MAX_SANE_RETRY_AFTER_SECS);
    assert!(
        duration.unwrap() <= max_allowed,
        "Bug #1287: Retry-After: 999999999 produced {:?} which exceeds the safe maximum of {:?}. \
         The parser must clamp unbounded values to prevent DoS.",
        duration.unwrap(),
        max_allowed,
    );
}

Positive tests (PASSING)

test_retry_after_within_sane_range_preserved in nearai_chat and anthropic_oauth confirms that values ≤300s are preserved unchanged.

DRY note (#1288)

All 3 providers duplicate the same parsing logic. The fix should extract a shared parse_retry_after(header_value) -> Duration that clamps to MAX_RETRY_AFTER.