blob-decoder parses attacker-controllable bytes at a single entry point
(identify), which fans out to every decoder. The invariants are:
#![forbid(unsafe_code)]— no unsafe anywhere.- Panic-free on any input:
clippy::unwrap_usedandexpect_usedare denied in library code, and acargo-fuzztarget asserts the no-panic invariant. - Bounded memory: every decompression (
flate2,snap) is size-capped and the recursive unwrap is depth-capped, so a decompression bomb or an infinitely- nested wrapper is bounded, never fatal. The caps are configurable viaLimits. - Fail-graceful: a failed or coincidental decode degrades to a lower-confidence or absent reading; it never produces a confident-but-wrong verdict.
Please report suspected vulnerabilities privately via a GitHub security advisory on github.com/SecurityRonin/blob-decoder, or by email to security@securityronin.com. We aim to acknowledge within a few business days.