alkdev/reverse-proxy
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
e6d22bdcb8942cb4c93e661d5cadcfe61280ee2e
reverse-proxy/tasks/review/post-security-fix-review.md
glm-5.1 54f1725173 Decompose security review #003 findings into 17 fix tasks and 1 review task 
Address 4 critical, 8 warning, and 5 suggestion findings from the
security and bug review by creating atomic, dependency-ordered tasks:

Critical fixes (C1-C4): rate limiter IP source (ADR-025), InFlightCounter
increment + drain interval, connector timeout ceiling (ADR-026), JSON format
without log file.

Validation tightening (W1, W2): upstream host validation, ACME contact email
validation.

Robustness (W3, W4, W5, W12): upstream URI error handling (502 not silent
drop), admin socket resource limits (ADR-027), TlsMode wildcard mismatch,
http_port u32→u16.

Code quality (W6, W10, W11, S1, S3, W8/W9): config type consolidation,
TokenBucket field visibility, reload_mutex #[cfg(test)], dead code removal,
root cert count logging, misleading test names.

Test coverage (S10): rate limiter ConnectInfo tests (depends on C1 fix).

Review: post-security-fix-review checkpoint covering all critical fixes
and sensitive config consolidation path.
2026-06-12 13:42:37 +00:00

60 lines
2.2 KiB
Markdown
Raw Blame History

---
id: review/post-security-fix-review
name: Review security fix implementations before production consideration
status: pending
depends_on:
- fix/rate-limiter-ip-source
- fix/inflight-counter-increment
- fix/connector-timeout-ceiling
- fix/json-format-without-logfile
- fix/upstream-host-validation
- fix/acme-contact-validation
- fix/upstream-uri-error-handling
- fix/admin-socket-resource-limits
- fix/consolidate-config-types
- fix/rate-limiter-connectinfo-tests
scope: moderate
risk: low
impact: project
level: review
---
## Description
Review all security and bug fix implementations from Review #003 before
considering them production-ready. Verify that the fixes correctly implement
the architecture decisions (ADR-025, ADR-026, ADR-027) and the updated spec
documents.
## Acceptance Criteria
- [ ] C1 fix: Rate limiter uses ConnectInfo only, rejects without it (ADR-025)
- [ ] C2 fix: InFlightCounter increments before task spawn, drain polls 100ms
- [ ] C3 fix: Connector ceiling is 30s, per-site timeouts work >5s (ADR-026)
- [ ] C4 fix: JSON format applied in stdout-only path
- [ ] W1 fix: Upstream host part validated (DNS name or IP, IPv6 brackets)
- [ ] W2 fix: ACME contact email validated (non-empty, contains @)
- [ ] W3 fix: URI parse failure returns 502, never drops query string silently
- [ ] W4 fix: Admin socket has 5s timeout and 4096 byte line limit (ADR-027)
- [ ] W6 fix: RawConfig eliminated, FullConfig used in both paths
- [ ] S10 fix: Rate limit tests use ConnectInfo, verify XFF is ignored
- [ ] All `cargo test` passes
- [ ] All `cargo clippy` passes with no warnings
- [ ] No regressions in integration tests
## References
- docs/reviews/003-security-and-bug-review.md — all findings
- docs/architecture/decisions/025-rate-limiter-ip-source.md — ADR-025
- docs/architecture/decisions/026-connector-timeout-ceiling.md — ADR-026
- docs/architecture/decisions/027-admin-socket-resource-limits.md — ADR-027
## Notes
> This review covers the critical security fixes and the sensitive config
> consolidation. It should be the last task before the generation 4+ code
> quality items are considered final.
## Summary
> To be filled on completion
Reference in New Issue View Git Blame Copy Permalink