helper-rust: extend forceful disconnect detection to ECONNRESET and EPIPE

cataphract · cataphract · commit 3124fa7fffb8 · 2026-04-15T16:19:09.000+01:00
Rename is_incomplete_stream_error to is_forceful_disconnect_error and
extend it to also treat ECONNRESET and EPIPE as forceful disconnects.
On Linux, ECONNRESET is delivered to the peer when a Unix socket is
closed while its receive buffer is non-empty (unix_release_sock),
indicating the client crashed or was killed after we sent our response —
a connectivity issue, not a protocol error.

Also remove redundant `git config --global --add safe.directory '*'`
calls from integration Docker build tasks.
diff --git a/appsec/helper-rust/src/client.rs b/appsec/helper-rust/src/client.rs
@@ -876,7 +876,7 @@ async fn recv_command(
                     Ok(msg)
                 }
                 Some(Err(err)) => {
-                    if is_incomplete_stream_error(&err) {
+                    if is_forceful_disconnect_error(&err) {
                         Err(ForcefulDisconnect(err).into())
                     } else {
                         // Protocol error: invalid header marker, bad msgpack, unknown command
@@ -901,10 +901,20 @@ async fn recv_command(
     }
 }
 
-fn is_incomplete_stream_error(err: &io::Error) -> bool {
-    // tokio_util's FramedRead returns this specific error when EOF is reached
-    // with bytes still in the decode buffer
-    err.kind() == io::ErrorKind::Other && err.to_string().contains("bytes remaining on stream")
+fn is_forceful_disconnect_error(err: &io::Error) -> bool {
+    // tokio_util's FramedRead returns this when EOF is reached mid-message.
+    if err.kind() == io::ErrorKind::Other && err.to_string().contains("bytes remaining on stream") {
+        return true;
+    }
+    matches!(
+        err.kind(),
+        // Linux sends ECONNRESET to the peer when a Unix socket is closed while its receive
+        // buffer is non-empty (unix_release_sock). This is a connectivity issue, not a protocol
+        // error: the client crashed or was killed after we sent our response.
+        io::ErrorKind::ConnectionReset |
+        // EPIPE on a recv is unusual but handle it symmetrically with send_command_resp.
+        io::ErrorKind::BrokenPipe
+    )
 }
 
 async fn send_command_resp(
diff --git a/appsec/tests/integration/build.gradle b/appsec/tests/integration/build.gradle
@@ -388,7 +388,6 @@ def buildTracerCmakeTask = { String version, String variant, altBaseTag = null -
             command: [
                     '-e', '-c',
                     """
-                    git config --global --add safe.directory '*'
                     cd /project/tmp
                     mkdir -p build_extension/modules
                     test -f CMakeCache.txt || \\
@@ -485,7 +484,6 @@ def buildTracerSsiCmakeTask = { String version, String variant ->
             command: [
                     '-e', '-c',
                     """
-                    git config --global --add safe.directory '*'
                     cd /tracer-ssi
                     test -f CMakeCache.txt || \\
                         cmake -DCMAKE_BUILD_TYPE=${buildType} \\
@@ -567,7 +565,6 @@ def buildAppSecTask = { String version, String variant, altBaseTag = null ->
             command: [
                     '-e', '-c',
                     """
-                    git config --global --add safe.directory '*'
                     cd /appsec
                     test -f CMakeCache.txt || \\
                         cmake -DCMAKE_BUILD_TYPE=$buildType \\
@@ -862,8 +859,6 @@ buildRunInDockerTask(
         command: [
                 '-e', '-c',
                 """
-                git config --global --add safe.directory '*'
-
                 mkdir -p /tmp/libddwaf-build
                 cd /tmp/libddwaf-build
                 cmake -DCMAKE_BUILD_TYPE=RelWithDebInfo \\
@@ -893,7 +888,6 @@ def helperRustInputs = [
 ]
 
 def helperRustEnvSetup = '''
-git config --global --add safe.directory '*'
 export PATH="/root/.cargo/bin:$PATH"
 export RUSTUP_HOME=/root/.rustup
 export CARGO_HOME=/root/.cargo
