fix(node): reject invalid VendorID/ProductID as Basic Information device identity #3978
Apollon77 merged 4 commits intoJun 25, 2026
…ice identity

VendorID 0x0000 (Matter Standard namespace) or above 0xFFF4, and ProductID 0x0000, are not valid device identities. Validate them in validateBasicInfoAttributes and throw ImplementationError. The development-default coercion on BasicInformationServer is retained, so omitted VID/PID still fall back to dev values with a warning; the new rejection is fully effective on paths without that coercion (e.g. BridgedDeviceBasicInformation) and catches out-of-range VendorIDs everywhere.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Pull request overview
This PR tightens Matter device identity validation for the Basic Information cluster in @matter/node by hard-rejecting reserved/invalid VendorID and ProductID values, improving spec compliance and preventing the “VID/PID suppression sentinel” (0x0000) from being used as a real identity.
Changes:
- Added hard validation in `validateBasicInfoAttributes()` to reject VendorID `0x0000`, VendorID `> 0xFFF4`, and ProductID `0x0000` via `ImplementationError`.
- Added a new unit test suite covering invalid/valid VID/PID cases and the “absent attributes” case for bridged devices.
- Updated the changelog entry to reflect the new validation behavior.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| packages/node/src/behaviors/basic-information/basic-information-validators.ts | Adds strict VID/PID device-identity checks (reject reserved/invalid values). |
| packages/node/test/behaviors/basic-information/BasicInformationValidatorsTest.ts | Introduces unit tests for the new validation rules. |
| CHANGELOG.md | Documents the behavior change for @matter/node. |
Summary
VendorID `0x0000` (the "Matter Standard" namespace) or above `0xFFF4`, and ProductID `0x0000`, are not valid device identities. `0x0000` is reserved as the VID/PID suppression sentinel in discovery adverts — that only holds because a real device identity is never `0`. `validateBasicInfoAttributes()` now rejects these with an `ImplementationError`.

Behavior
- `BasicInformationServer`: the development-default coercion is retained — omitted/`0` VID/PID still fall back to dev values (`0xFFF1`/`0x8000`) with a warning. At this layer `0` is the framework's "unset" sentinel, so it cannot be distinguished from an explicit `0`. The new check additionally rejects out-of-range VendorIDs (`> 0xFFF4`) here.
- `BridgedDeviceBasicInformation` (no coercion): explicit VID/PID `0` and out-of-range VID are rejected.

CHIP does not enforce this either, so there is no interop break today; this is a correctness/compliance guard.

Tests
New `BasicInformationValidatorsTest.ts` (6 cases): rejects VID `0x0000` / `> 0xFFF4` and PID `0x0000`, accepts a real identity and the lower bound, skips when absent.

Gates: `@matter/node` full suite green, format + lint clean.

🤖 Generated with Claude Code
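The two paths described under "Behavior" can be modeled side by side. This is an added example, not code from the pull request or from matter.js: `DeviceIdentity`, `IdentityError`, `validateIdentity`, `serverPath`, `bridgedPath` and `rejects` are hypothetical names, and only the numeric bounds and defaults come from the description above.

```typescript
// Added illustration; all names are hypothetical stand-ins, not matter.js source.
class IdentityError extends Error {} // stands in for the project's ImplementationError

interface DeviceIdentity { vendorId?: number; productId?: number }

const MAX_VENDOR_ID = 0xfff4;  // upper bound named in the PR description
const DEV_VENDOR_ID = 0xfff1;  // development default named in the PR description
const DEV_PRODUCT_ID = 0x8000; // development default named in the PR description

// Hard check: absent attributes are skipped, present ones must be a real identity.
function validateIdentity({ vendorId, productId }: DeviceIdentity): void {
    if (vendorId !== undefined && (vendorId === 0 || vendorId > MAX_VENDOR_ID)) {
        throw new IdentityError(`Invalid VendorID 0x${vendorId.toString(16)}`);
    }
    if (productId !== undefined && productId === 0) {
        throw new IdentityError("Invalid ProductID 0x0");
    }
}

// Server-style path: 0 means "unset", so omitted/0 is coerced before the check
// and an explicit 0 can never reach the rejection branch.
function serverPath(input: DeviceIdentity): { identity: DeviceIdentity; warnings: string[] } {
    const warnings: string[] = [];
    const identity: DeviceIdentity = { ...input };
    if (!identity.vendorId) {
        identity.vendorId = DEV_VENDOR_ID;
        warnings.push("vendorId defaulted");
    }
    if (!identity.productId) {
        identity.productId = DEV_PRODUCT_ID;
        warnings.push("productId defaulted");
    }
    validateIdentity(identity);
    return { identity, warnings };
}

// Bridged-style path: no coercion, the value is validated exactly as supplied.
function bridgedPath(input: DeviceIdentity): DeviceIdentity {
    validateIdentity(input);
    return input;
}

// Helper for callers and tests: true when the call is rejected.
function rejects(fn: () => unknown): boolean {
    try { fn(); return false; } catch (_e) { return true; }
}
```

The model makes the asymmetry visible: an explicit `0` is only caught on the path without coercion, while a VendorID above `0xFFF4` is caught on both.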