alkdev/reverse-proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8ac39d9cd8a142c914a41d632cd855fa6284844a
reverse-proxy/tasks/fix/upstream-host-validation.md
glm-5.1 54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task 
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
2026-06-12 13:42:37 +00:00

83 lines
3.0 KiB
Markdown
Raw Blame History

---
id: fix/upstream-host-validation
name: Validate host part of upstream address in config (W1)
status: pending
depends_on: []
scope: narrow
risk: low
impact: component
level: implementation
review_findings: [W1]
---
## Description
`is_valid_upstream` checks that the upstream has a `host:port` format with a
valid port number, but performs **no validation on the host part** beyond
checking it's non-empty and doesn't start with `http://` or `https://`. Values
like `!!!bad!!!:3000` or `@#$%:8080` pass validation.
The spec (config.md validation rule 17) now requires: "the host part must parse
as a valid IpAddr or pass is_valid_hostname validation." Bracket-enclosed values
must be parsed as IPv6 addresses.
### Changes Required
**`src/config/validation.rs`** — `is_valid_upstream` function (lines 309-327):
- After validating the port, validate the host part:
```rust
fn is_valid_upstream(upstream: &str) -> bool {
if let Some(idx) = upstream.rfind(':') {
let host_part = &upstream[..idx];
let port_str = &upstream[idx + 1..];
if host_part.is_empty() { return false; }
if upstream.starts_with("http://") || upstream.starts_with("https://") { return false; }
let port: u16 = match port_str.parse() { Ok(p) => p, Err(_) => return false };
if port == 0 { return false; }
// Validate host part per config.md rule 17
if host_part.starts_with('[') && host_part.ends_with(']') {
let inner = &host_part[1..host_part.len()-1];
inner.parse::<std::net::Ipv6Addr>().is_ok()
} else {
host_part.parse::<std::net::IpAddr>().is_ok() || is_valid_hostname(host_part)
}
} else {
false
}
}
```
- Note: `is_valid_hostname` already exists in the same file and is used for site
`host` validation. It rejects IP addresses, which is correct for site hosts
but wrong for upstream hosts — upstream hosts CAN be IPs. The upstream
validation must check `IpAddr::parse` first, then fall back to
`is_valid_hostname` for DNS names.
- Add tests for:
- Valid: `gitea:3000`, `127.0.0.1:3000`, `[::1]:3000`
- Invalid: `!!!bad!!!:3000`, `@#$%:8080`, `:3000` (empty host)
## Acceptance Criteria
- [ ] `is_valid_upstream` validates the host part as IP address or valid hostname
- [ ] IPv6 bracket notation is handled (e.g., `[::1]:3000`)
- [ ] Invalid host characters like `!!!bad!!!:3000` are rejected
- [ ] Valid upstream formats still pass: `gitea:3000`, `127.0.0.1:3000`
- [ ] New unit tests for valid and invalid upstream host parts
- [ ] `cargo test` passes
- [ ] `cargo clippy` passes with no warnings
## References
- docs/architecture/config.md — validation rule 17
- docs/reviews/003-security-and-bug-review.md — W1 finding
- src/config/validation.rs — `is_valid_upstream`, `is_valid_hostname`
## Notes
> `is_valid_hostname` currently rejects IP addresses (intentional for site
> hosts). The upstream validation must handle IPs separately before falling
> back to `is_valid_hostname`.
## Summary
> To be filled on completion
Reference in New Issue View Git Blame Copy Permalink