| signature.CopyTo(authenticationResponse.AsSpan(clientScramble.Length)); | ||
|
|
||
| // "password hash" for parsec is the extended salt followed by the public key | ||
| passwordHash = [(byte) 'P', (byte) iterationCount, .. salt, .. publicKey]; |
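Review bot: On the `passwordHash` line, the comment says the value is the extended salt followed by the public key, but the collection expression rebuilds that prefix from parts and narrows `iterationCount` with `(byte)`. In the default unchecked context that cast keeps only the low 8 bits, so any count that is a multiple of 256 is stored as 0. Put the exponent byte as received in that position instead of the cast, and extend the comment to spell out the byte layout so the stored value can be checked against it.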
Iteration count byte truncation corrupts password hash
High Severity
(byte) iterationCount always evaluates to 0 because iterationCount is 1024 << extendedSalt[1], producing values 1024, 2048, 4096, or 8192 — all multiples of 256. The second byte of passwordHash will always be 0 regardless of the actual iteration exponent. The intent is to store the original exponent byte (extendedSalt[1]), not the computed iterationCount cast to byte.
Reviewed by Cursor Bugbot for commit dfb6ad7.
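The truncation described in the review comment above, shown as an added example that is not code from the pull request. `ParsecHashDemo`, `Narrowed` and `Preserved` are hypothetical names, the salt and key bytes are constructed, and the extended-salt layout (`'P'`, exponent byte, salt) is an assumption taken from the diff comment and the review text.

```csharp
using System;

static class ParsecHashDemo // hypothetical name, not from the PR
{
    // Same construction as the line under review: the computed count is narrowed to a byte.
    static byte[] Narrowed(byte[] extendedSalt, byte[] publicKey)
    {
        int iterationCount = 1024 << extendedSalt[1];
        return [(byte) 'P', (byte) iterationCount, .. extendedSalt[2..], .. publicKey];
    }

    // Stores the exponent byte exactly as it was received.
    static byte[] Preserved(byte[] extendedSalt, byte[] publicKey) =>
        [(byte) 'P', extendedSalt[1], .. extendedSalt[2..], .. publicKey];

    static void Main()
    {
        byte[] publicKey = new byte[32]; // constructed placeholder key

        for (byte exponent = 0; exponent <= 3; exponent++)
        {
            // Constructed extended salt; layout assumed: 'P', exponent, salt bytes.
            byte[] extendedSalt = [(byte) 'P', exponent, 0xA1, 0xB2, 0xC3, 0xD4];
            int iterationCount = 1024 << exponent;

            Console.WriteLine(
                $"exponent={exponent} count={iterationCount} " +
                $"narrowed[1]={Narrowed(extendedSalt, publicKey)[1]} " +
                $"preserved[1]={Preserved(extendedSalt, publicKey)[1]}");

            try
            {
                // A checked narrowing cast turns the silent truncation into an exception.
                _ = checked((byte) iterationCount);
            }
            catch (OverflowException)
            {
                Console.WriteLine("  checked((byte) iterationCount) -> OverflowException");
            }
        }
    }
}
```

With the narrowed form, all four exponents produce the same second byte, so the stored value no longer distinguishes them; the preserved form keeps 0 through 3.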
Cursor Bugbot has reviewed your changes and found 1 potential issue.
There are 2 total unresolved issues (including 1 from previous review).
Reviewed by Cursor Bugbot for commit 5ef8f81.


Note
High Risk
High risk because it changes connection handshake/authentication flows (including caching_sha2_password, fingerprint validation, and new parsec plugin) and adds new protocol/parameter behaviors (streaming prepared-statement data, VECTOR type) that affect core connectivity and data serialization.

Overview
Adds .NET 10 support across CI/build tooling (updates GitHub Actions triggers, runners, setup-dotnet, target frameworks, and dependency versions) and replaces the legacy .sln with a new .slnx solution.

Extends the connector with new capabilities: support for VECTOR columns (type mapping, protocol enum, reader, parameter/bulk-copy float serialization) and improved stored-procedure out-parameter handling for GUID formats.

Reworks parts of the protocol/auth pipeline: introduces IAuthenticationPlugin3 to return both auth response and password hash, adds parsec authentication plugin, adds caching_sha2_password handshake handling, and strengthens SSL fingerprint validation based on stored password hashes; also adds streaming COM_STMT_SEND_LONG_DATA prologue for prepared statements with Stream parameters.

Adds configurable OpenTelemetry tracing options via SingleStoreDataSourceBuilder.ConfigureTracing, plus several robustness tweaks (payload-cache trimming on pool return, connection state set to Broken on session failure, expanded proxy detection, and XA rollback edge-case handling).

Reviewed by Cursor Bugbot for commit a007803. Bugbot is set up for automated code reviews on this repo.