alkdev/reverse-proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
66cd116d54325e71dfbdd51e04bf167f7ec6353e
reverse-proxy/tasks/fix/tls-mode-wildcard-mismatch.md
glm-5.1 54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task 
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
2026-06-12 13:42:37 +00:00

1.9 KiB
Raw Blame History

id, name, status, depends_on, scope, risk, impact, level, review_findings
id name status depends_on scope risk impact level review_findings
fix/tls-mode-wildcard-mismatch Add explicit listener/acceptor count check or remove TlsMode wildcard (W5) pending
single trivial isolated implementation
W5

Description

The match tls_mode in main.rs has a wildcard _ arm that logs a warning and pushes no acceptor. Then bound_listeners.into_iter().zip(tls_acceptors.into_iter()) uses zip, which silently stops at the shorter iterator. If the wildcard arm were ever reached, some listeners would have no TLS acceptor and would be silently dropped.

setup_tls already rejects unknown modes with bail!, so the wildcard is unreachable in practice. But it's a latent bug for future refactors.

Changes Required

src/main.rs (lines 170-194):

  • Option A (preferred): Remove the wildcard _ arm entirely. Since TlsMode only has two variants (Manual and Acme) and setup_tls already validates, the wildcard is dead code. Removing it means the compiler will catch future TlsMode additions.

  • Option B: Add an explicit count check after the match loop:

    if bound_listeners.len() != tls_acceptors.len() {
    anyhow::bail!("listener/acceptor count mismatch: {} listeners, {} acceptors",
        bound_listeners.len(), tls_acceptors.len());
}

    If removing the wildcard, this check is redundant but harmless as a defense-in-depth assertion.

Acceptance Criteria

  • Wildcard _ arm removed from the match tls_mode block, OR
  • Explicit count mismatch check added after the acceptor construction loop
  • cargo test passes
  • cargo clippy passes with no warnings

References

  • docs/reviews/003-security-and-bug-review.md — W5 finding
  • src/main.rs — TLS acceptor construction loop (lines 170-194)
  • src/tls/acceptor.rs — setup_tls, TlsMode enum

Notes

To be filled on completion

Summary

To be filled on completion

Reference in New Issue View Git Blame Copy Permalink