reverse-proxy/tasks/fix/acme-contact-validation.md at db982e9c4d01fc96e6d2efd2ac949bf5511e8883

Files

glm-5.1 54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task

Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.

2026-06-12 13:42:37 +00:00

2.1 KiB

Raw Blame History

id, name, status, depends_on, scope, risk, impact, level, review_findings

name

status

depends_on

scope

risk

impact

level

review_findings

fix/acme-contact-validation

Validate ACME contact email has non-empty address with @ sign (W2)

pending

single

trivial

isolated

implementation

Description

The ACME contact validation only checks that contact.starts_with("mailto:") but doesn't verify there's an actual email address after the prefix. Values like mailto: (empty email) pass validation but will fail at the Let's Encrypt API at certificate provisioning time — after the proxy has already started.

The spec (config.md validation rule 19) now requires: "a valid mailto: URI with a non-empty email address containing an @ sign."

Changes Required

src/config/validation.rs — ACME contact validation (lines 148-153):

After checking starts_with("mailto:"), validate the email part:

let contact = &listener.tls.acme_contact;
if contact.is_empty() || !contact.starts_with("mailto:") {
    errors.push(ValidationError::AcmeContactInvalid {
        bind_addr: listener.bind_addr.clone(),
    });
} else {
    let email = &contact[7..]; // after "mailto:"
    if email.is_empty() || !email.contains('@') {
        errors.push(ValidationError::AcmeContactInvalid {
            bind_addr: listener.bind_addr.clone(),
        });
    }
}

Add tests for:
- Valid: mailto:admin@example.com
- Invalid: mailto: (empty), mailto:user (no @), empty string, non-mailto

Acceptance Criteria

mailto: (empty email) is rejected by validation
mailto:user (no @ sign) is rejected by validation
mailto:admin@example.com still passes validation
Non-mailto values still rejected
New unit tests for the tightened validation
cargo test passes
cargo clippy passes with no warnings

References

docs/architecture/config.md — validation rule 19
docs/reviews/003-security-and-bug-review.md — W2 finding
src/config/validation.rs — ACME contact validation, existing tests

Notes

To be filled on completion

Summary