alkdev/reverse-proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Decompose security review #003 findings into 17 fix tasks and 1 review task

Browse Source 
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
This commit is contained in:
glm-5.1
2026-06-12 13:42:37 +00:00
parent 80d1fd0fb3
commit 54f1725173
18 changed files with 1282 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

96
tasks/fix/remove-dead-code-remnants.md Normal file
View File

@@ -0,0 +1,96 @@
---
id: fix/remove-dead-code-remnants
name: Remove dead code items identified in security review #003 (S1)
status: pending
depends_on: []
scope: narrow
risk: trivial
impact: component
level: implementation
review_findings: [S1]
---
## Description
Security review #003 identifies the following dead code items that survived the
previous `fix/clean-dead-code` task. These items are defined but never called in
production code:
| Item | File | Note |
|------|------|------|
| `log_rate_limit!` macro | `src/logging/format.rs:72-83` | Rate limiter uses `warn!` directly |
| `log_config_reload!` macro | `src/logging/format.rs:97-106` | Reload uses `info!`/`warn!` directly |
| `format_event_fields()` | `src/logging/format.rs:50-54` | Never called |
| `ProxyError::PayloadTooLarge` | `src/proxy/error.rs:12` | Body limit returns tuple directly |
| `ProxyError::NotFound` | `src/proxy/error.rs:20` | Code uses `UnknownHost` instead |
| `ProxyError::BadRequest` | `src/proxy/error.rs:22` | Code uses `MissingHost` instead |
| `ProxyError::UpstreamTls` | `src/proxy/error.rs:28` | Never constructed |
| `build_multi_domain_server_config()` | `src/tls/config.rs:78-102` | Never called |
| `SniCertResolver` | `src/tls/config.rs:104-126` | Only used by above |
| `AcmeTlsConfig::directory_url()` | `src/tls/acme.rs:53-59` | Only used in tests |
### Changes Required
For each item, either wire it up (if it should be used) or remove it:
**Logging macros** (`src/logging/format.rs`):
- `log_rate_limit!`: The rate limiter middleware now uses `warn!` directly.
Remove the macro and its test invocation in `log_macros_compile`.
- `log_config_reload!`: The admin socket reload uses `info!`/`warn!` directly.
Remove the macro and its test invocation.
- `format_event_fields()`: Never called externally. Remove it.
**ProxyError variants** (`src/proxy/error.rs`):
- `PayloadTooLarge`: Not used by body limit middleware (returns tuple directly).
Keep for now with a comment explaining it's reserved for future use, OR remove
if no plan to use it. The `#[non_exhaustive]` attribute means removing a variant
is not a breaking change for external consumers.
- `NotFound`: Superseded by `UnknownHost`. Remove and update `status_code()` and
`body()` match arms.
- `BadRequest`: Superseded by `MissingHost`. Remove and update match arms.
- `UpstreamTls`: Never constructed. Remove and update match arms.
- Update unit tests that reference removed variants.
**TLS dead code** (`src/tls/config.rs`, `src/tls/acme.rs`):
- `build_multi_domain_server_config()`: Remove function.
- `SniCertResolver`: Remove struct and impl (only used by above function).
- `AcmeTlsConfig::directory_url()`: Check if it's used in tests. If only in
tests, gate with `#[cfg(test)]`. If truly unused, remove.
**Test helpers** (`tests/helpers/http_test_helper.rs`):
- `TestUpstream::url()`, `TestUpstream::upstream_addr()`: Currently annotated
`#[allow(dead_code)]`. If not used in any test, remove. If used, remove the
`#[allow(dead_code)]` annotation.
## Acceptance Criteria
- [ ] `log_rate_limit!` and `log_config_reload!` macros removed
- [ ] `format_event_fields()` removed
- [ ] Unused `ProxyError` variants removed (`NotFound`, `BadRequest`, `UpstreamTls`)
- [ ] `PayloadTooLarge` either removed or documented with a TODO comment
- [ ] `build_multi_domain_server_config()` and `SniCertResolver` removed
- [ ] `directory_url()` either `#[cfg(test)]`-gated or removed
- [ ] Dead test helper methods removed or `#[allow(dead_code)]` removed
- [ ] All match arms in `ProxyError` methods updated for removed variants
- [ ] All unit tests updated for removed variants
- [ ] `cargo test` passes
- [ ] `cargo clippy` passes with no warnings
## References
- docs/reviews/003-security-and-bug-review.md — S1 finding
- src/logging/format.rs — dead macros and function
- src/proxy/error.rs — unused ProxyError variants
- src/tls/config.rs — dead TLS functions
- src/tls/acme.rs — directory_url method
- tests/helpers/http_test_helper.rs — dead_code-annotated helpers
## Notes
> The previous `fix/clean-dead-code` task added `#[non_exhaustive]` and removed
> some dead code. This task addresses the items that survived that round or were
> newly identified in review #003.
## Summary
> To be filled on completion