Skip to content

test: handle non-deterministic AES-256-CBC decryption in crypto test #26383

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
keithwillcode merged 1 commit into from
Jan 2, 2026
Merged

test: handle non-deterministic AES-256-CBC decryption in crypto test #26383

keithwillcode merged 1 commit into from
Jan 2, 2026

Conversation

@keithwillcode
Copy link
Contributor

@keithwillcode keithwillcode commented Jan 2, 2026

What does this PR do?

Fixes flaky unit test failures that started appearing after the Vitest 4.0 upgrade (PR #26351). The symmetricDecrypt test was expecting decryption with a wrong key to always throw an error, but AES-256-CBC doesn't guarantee this behavior.

Root cause: AES-256-CBC is not authenticated encryption. When decrypting with a wrong key, whether it throws depends on whether the decrypted bytes happen to have valid PKCS#7 padding. Sometimes the random garbage bytes coincidentally look like valid padding, so decipher.final() succeeds without throwing.

The fix: Updated the test to accept either behavior - the decryption either throws OR returns a value different from the original plaintext. Both outcomes correctly indicate that wrong-key decryption doesn't produce the original data.

Note: The "Closing rpc while fetch was pending" error seen in CI was a secondary symptom - when this test failed, it caused Vitest workers to tear down while other modules were still loading.

Requested by: [email protected] (@keithwillcode)
Link to Devin run: https://app.devin.ai/sessions/5c48f4259a5f439a8aec25fe84d2baba

Mandatory Tasks (DO NOT REMOVE)

  • I have self-reviewed the code (A decent size PR without self-review might be rejected).
  • I have updated the developer docs in /docs if this PR makes changes that would require a documentation change. N/A - test-only change.
  • I confirm automated tests are in place that prove my fix is effective or that my feature works.

How should this be tested?

  1. Run TZ=UTC yarn test packages/lib/crypto.test.ts - all tests should pass
  2. Run the full test suite multiple times to verify no flakiness: TZ=UTC yarn test
  3. CI should pass without the "Closing rpc while fetch was pending" error

Checklist

  • I have read the contributing guide
  • My code follows the style guidelines of this project
  • I have commented my code, particularly in hard-to-understand areas
  • I have checked if my changes generate no new warnings

Human Review Checklist

  • Verify the test logic threwError || decryptedWithWrongKey !== testText correctly handles both cases
  • Confirm this is a test-only change with no modifications to production crypto code
  • Consider if future work should upgrade to authenticated encryption (AES-GCM) for better security guarantees (out of scope for this PR)

@devin-ai-integration @keithwillcode
fix: handle non-deterministic AES-256-CBC decryption in crypto test
8c78d33 
AES-256-CBC doesn't guarantee throwing on wrong key decryption - it depends
on whether the decrypted bytes happen to have valid PKCS#7 padding. The test
now verifies that decryption either throws OR returns a value different from
the original plaintext.

This fixes flaky test failures that started appearing after the Vitest 4.0
upgrade, where the 'Closing rpc while fetch was pending' error was a secondary
symptom of the test failure causing worker teardown during module loading.

Co-Authored-By: [email protected] <[email protected]>
@devin-ai-integration
Copy link
Contributor

devin-ai-integration bot commented Jan 2, 2026

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR that start with 'DevinAI' or '@devin'.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@keithwillcode keithwillcode self-assigned this Jan 2, 2026
@keithwillcode keithwillcode added this to the v6.1 milestone Jan 2, 2026
@keithwillcode keithwillcode marked this pull request as ready for review January 2, 2026 02:05
@keithwillcode keithwillcode enabled auto-merge (squash) January 2, 2026 02:05
@graphite-app graphite-app bot added core area: core, team members only foundation labels Jan 2, 2026
@graphite-app graphite-app bot requested a review from a team January 2, 2026 02:05
cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Jan 2, 2026
View reviewed changes
Copy link
Contributor

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

@keithwillcode keithwillcode changed the title fix: handle non-deterministic AES-256-CBC decryption in crypto test test: handle non-deterministic AES-256-CBC decryption in crypto test Jan 2, 2026
@keithwillcode keithwillcode merged commit 20c67ef into main Jan 2, 2026
73 of 74 checks passed
@keithwillcode keithwillcode deleted the devin/fix-crypto-test-flakiness-1767319132 branch January 2, 2026 02:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@volnei volnei volnei approved these changes

Assignees

@keithwillcode keithwillcode

Labels

core area: core, team members only foundation ready-for-e2e size/S

Projects

None yet

Milestone

v6.1

Development

Successfully merging this pull request may close these issues.

3 participants

@keithwillcode @volnei