glm-5.1
54f1725173
Address 4 critical, 8 warning, and 5 suggestion findings from the security and bug review by creating atomic, dependency-ordered tasks: Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter increment + drain interval, connector timeout ceiling (ADR-026), JSON format without log file. Validation tightening (W1, W2): upstream host validation, ACME contact email validation. Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch, http_port u32→u16. Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation, TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal, root cert count logging, misleading test names. Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix). Review: post-security-fix-review checkpoint covering all critical fixes and sensitive config consolidation path.
68 lines
2.1 KiB
Markdown
68 lines
2.1 KiB
Markdown
---
|
|
id: fix/acme-contact-validation
|
|
name: Validate ACME contact email has non-empty address with @ sign (W2)
|
|
status: pending
|
|
depends_on: []
|
|
scope: single
|
|
risk: trivial
|
|
impact: isolated
|
|
level: implementation
|
|
review_findings: [W2]
|
|
---
|
|
|
|
## Description
|
|
|
|
The ACME contact validation only checks that `contact.starts_with("mailto:")`
|
|
but doesn't verify there's an actual email address after the prefix. Values
|
|
like `mailto:` (empty email) pass validation but will fail at the Let's Encrypt
|
|
API at certificate provisioning time — after the proxy has already started.
|
|
|
|
The spec (config.md validation rule 19) now requires: "a valid `mailto:` URI
|
|
with a non-empty email address containing an `@` sign."
|
|
|
|
### Changes Required
|
|
|
|
**`src/config/validation.rs`** — ACME contact validation (lines 148-153):
|
|
- After checking `starts_with("mailto:")`, validate the email part:
|
|
```rust
|
|
let contact = &listener.tls.acme_contact;
|
|
if contact.is_empty() || !contact.starts_with("mailto:") {
|
|
errors.push(ValidationError::AcmeContactInvalid {
|
|
bind_addr: listener.bind_addr.clone(),
|
|
});
|
|
} else {
|
|
let email = &contact[7..]; // after "mailto:"
|
|
if email.is_empty() || !email.contains('@') {
|
|
errors.push(ValidationError::AcmeContactInvalid {
|
|
bind_addr: listener.bind_addr.clone(),
|
|
});
|
|
}
|
|
}
|
|
```
|
|
- Add tests for:
|
|
- Valid: `mailto:admin@example.com`
|
|
- Invalid: `mailto:` (empty), `mailto:user` (no @), empty string, non-mailto
|
|
|
|
## Acceptance Criteria
|
|
|
|
- [ ] `mailto:` (empty email) is rejected by validation
|
|
- [ ] `mailto:user` (no @ sign) is rejected by validation
|
|
- [ ] `mailto:admin@example.com` still passes validation
|
|
- [ ] Non-mailto values still rejected
|
|
- [ ] New unit tests for the tightened validation
|
|
- [ ] `cargo test` passes
|
|
- [ ] `cargo clippy` passes with no warnings
|
|
|
|
## References
|
|
|
|
- docs/architecture/config.md — validation rule 19
|
|
- docs/reviews/003-security-and-bug-review.md — W2 finding
|
|
- src/config/validation.rs — ACME contact validation, existing tests
|
|
|
|
## Notes
|
|
|
|
> To be filled on completion
|
|
|
|
## Summary
|
|
|
|
> To be filled on completion |