glm-5.1
54f1725173
Address 4 critical, 8 warning, and 5 suggestion findings from the security and bug review by creating atomic, dependency-ordered tasks: Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter increment + drain interval, connector timeout ceiling (ADR-026), JSON format without log file. Validation tightening (W1, W2): upstream host validation, ACME contact email validation. Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch, http_port u32→u16. Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation, TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal, root cert count logging, misleading test names. Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix). Review: post-security-fix-review checkpoint covering all critical fixes and sensitive config consolidation path.
3.0 KiB
id, name, status, depends_on, scope, risk, impact, level, review_findings
| id | name | status | depends_on | scope | risk | impact | level | review_findings | |
|---|---|---|---|---|---|---|---|---|---|
| fix/upstream-host-validation | Validate host part of upstream address in config (W1) | pending | narrow | low | component | implementation |
|
Description
is_valid_upstream checks that the upstream has a host:port format with a
valid port number, but performs no validation on the host part beyond
checking it's non-empty and doesn't start with http:// or https://. Values
like !!!bad!!!:3000 or @#$%:8080 pass validation.
The spec (config.md validation rule 17) now requires: "the host part must parse as a valid IpAddr or pass is_valid_hostname validation." Bracket-enclosed values must be parsed as IPv6 addresses.
Changes Required
src/config/validation.rs — is_valid_upstream function (lines 309-327):
-
After validating the port, validate the host part:
fn is_valid_upstream(upstream: &str) -> bool { if let Some(idx) = upstream.rfind(':') { let host_part = &upstream[..idx]; let port_str = &upstream[idx + 1..]; if host_part.is_empty() { return false; } if upstream.starts_with("http://") || upstream.starts_with("https://") { return false; } let port: u16 = match port_str.parse() { Ok(p) => p, Err(_) => return false }; if port == 0 { return false; } // Validate host part per config.md rule 17 if host_part.starts_with('[') && host_part.ends_with(']') { let inner = &host_part[1..host_part.len()-1]; inner.parse::<std::net::Ipv6Addr>().is_ok() } else { host_part.parse::<std::net::IpAddr>().is_ok() || is_valid_hostname(host_part) } } else { false } } -
Note:
is_valid_hostnamealready exists in the same file and is used for sitehostvalidation. It rejects IP addresses, which is correct for site hosts but wrong for upstream hosts — upstream hosts CAN be IPs. The upstream validation must checkIpAddr::parsefirst, then fall back tois_valid_hostnamefor DNS names. -
Add tests for:
- Valid:
gitea:3000,127.0.0.1:3000,[::1]:3000 - Invalid:
!!!bad!!!:3000,@#$%:8080,:3000(empty host)
- Valid:
Acceptance Criteria
is_valid_upstreamvalidates the host part as IP address or valid hostname- IPv6 bracket notation is handled (e.g.,
[::1]:3000) - Invalid host characters like
!!!bad!!!:3000are rejected - Valid upstream formats still pass:
gitea:3000,127.0.0.1:3000 - New unit tests for valid and invalid upstream host parts
cargo testpassescargo clippypasses with no warnings
References
- docs/architecture/config.md — validation rule 17
- docs/reviews/003-security-and-bug-review.md — W1 finding
- src/config/validation.rs —
is_valid_upstream,is_valid_hostname
Notes
is_valid_hostnamecurrently rejects IP addresses (intentional for site hosts). The upstream validation must handle IPs separately before falling back tois_valid_hostname.
Summary
To be filled on completion