[codex] Harden proxy security review findings (#36)

* Harden proxy security review findings

* Support dynamic upstream snapshots

Author: chrislearn

Cargo.lock

@@ -42,6 +42,7 @@ hyper-rustls = { version = "0.27", default-features = false, features = [
     "http1",
     "http2",
     "logging",
+    "webpki-roots",
 ] }
 certon = { version = "0.1.3" }
 kdl = "6"

Cargo.toml

@@ -0,0 +1,14 @@
+# Security and Code Review Todos
+
+## This pass
+
+- [x] Use real trust roots for HTTPS upstream certificate verification unless `tls-skip-verify` is explicitly enabled.
+- [x] Avoid buffering reverse-proxy request bodies when retries are disabled.
+- [x] Block CGI script resolution outside the configured CGI root and add focused tests.
+- [x] Harden template `include` path resolution so configured roots cannot be escaped, and preserve UTF-8 while scanning templates.
+- [x] Bound admin API JSON request bodies to prevent unbounded memory growth.
+- [x] Add focused documentation for HTTPS upstream verification and admin API token exposure.
+
+## Follow-up review findings
+
+- [x] Dynamic DNS/SRV upstreams are parsed and documented, but the current `UpstreamPool` selection path is static. This needs a separate design that reconciles dynamic backend snapshots with health checks, connection counters, weighted policies, and retries.

_todos.md

@@ -10,7 +10,7 @@ use std::net::SocketAddr;
 use std::sync::Arc;
 
 use http::{Request, Response, StatusCode};
-use http_body_util::BodyExt;
+use http_body_util::{BodyExt, LengthLimitError, Limited};
 use hyper::body::Incoming;
 use hyper::service::service_fn;
 use hyper_util::rt::{TokioIo, TokioTimer};
@@ -27,6 +27,8 @@ use crate::runtime_services::{
 use crate::server::{AppState, RuntimeStateError};
 use crate::{Body, ProxyError, full_body};
 
+const MAX_ADMIN_JSON_BODY_SIZE: usize = 1024 * 1024;
+
 #[derive(serde::Serialize)]
 struct RuntimeTargetView {
     service_id: String,
@@ -999,9 +1001,18 @@ async fn json_body<T>(req: Request<Incoming>) -> Result<T, Response<Body>>
 where
     T: serde::de::DeserializeOwned,
 {
-    let body_bytes = match req.into_body().collect().await {
+    let body_bytes = match Limited::new(req.into_body(), MAX_ADMIN_JSON_BODY_SIZE)
+        .collect()
+        .await
+    {
         Ok(collected) => collected.to_bytes(),
         Err(error) => {
+            if error.downcast_ref::<LengthLimitError>().is_some() {
+                return Err(json_response(
+                    StatusCode::PAYLOAD_TOO_LARGE,
+                    r#"{"error":"request body too large"}"#,
+                ));
+            }
             return Err(json_response(
                 StatusCode::BAD_REQUEST,
                 &format!(r#"{{"error":"failed to read body: {error}"}}"#),

crates/core/src/admin/mod.rs

@@ -1,4 +1,4 @@
-use std::path::{Path, PathBuf};
+use std::path::{Component, Path, PathBuf};
 
 use bytes::Bytes;
 use http::header::{CONTENT_LENGTH, CONTENT_TYPE, HOST};
@@ -159,8 +159,12 @@ fn process_template(input: &str, vars: &TemplateVars, root: &Option<PathBuf>) ->
             }
         }
 
-        result.push(bytes[i] as char);
-        i += 1;
+        let ch = input[i..]
+            .chars()
+            .next()
+            .expect("index is always on a UTF-8 character boundary");
+        result.push(ch);
+        i += ch.len_utf8();
     }
 
     result
@@ -214,27 +218,11 @@ fn resolve_tag(tag: &str, vars: &TemplateVars, root: &Option<PathBuf>) -> String
 
 /// Read and return the contents of an included file.
 fn resolve_include(path_str: &str, root: &Option<PathBuf>) -> String {
-    let path = Path::new(path_str);
-
-    // If the path is relative and root is set, resolve relative to root.
-    let full_path = if path.is_relative() {
-        match root {
-            Some(root_dir) => root_dir.join(path),
-            None => PathBuf::from(path),
-        }
-    } else {
-        PathBuf::from(path)
+    let Some(full_path) = resolve_include_path(path_str, root) else {
+        debug!(path = path_str, "blocked template include outside root");
+        return String::new();
     };
 
-    // Prevent path traversal in includes.
-    let path_str_normalized = full_path.to_string_lossy().replace('\\', "/");
-    for component in path_str_normalized.split('/') {
-        if component == ".." {
-            debug!(path = %full_path.display(), "blocked include with path traversal");
-            return String::new();
-        }
-    }
-
     match std::fs::read_to_string(&full_path) {
         Ok(contents) => {
             debug!(path = %full_path.display(), "included template file");
@@ -246,3 +234,77 @@ fn resolve_include(path_str: &str, root: &Option<PathBuf>) -> String {
         }
     }
 }
+
+fn resolve_include_path(path_str: &str, root: &Option<PathBuf>) -> Option<PathBuf> {
+    let path = Path::new(path_str);
+    if has_forbidden_path_components(path) {
+        return None;
+    }
+
+    match root {
+        Some(root_dir) => {
+            if path.is_absolute() {
+                return None;
+            }
+            let root = root_dir.canonicalize().ok()?;
+            let candidate = root.join(path).canonicalize().ok()?;
+            if candidate.starts_with(&root) {
+                Some(candidate)
+            } else {
+                None
+            }
+        }
+        None => Some(path.to_path_buf()),
+    }
+}
+
+fn has_forbidden_path_components(path: &Path) -> bool {
+    path.components().any(|component| {
+        matches!(
+            component,
+            Component::ParentDir | Component::RootDir | Component::Prefix(_)
+        )
+    })
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn vars() -> TemplateVars {
+        TemplateVars {
+            host: "example.com".to_string(),
+            path: "/hello".to_string(),
+            method: "GET".to_string(),
+            scheme: "https".to_string(),
+            client_ip: "127.0.0.1".to_string(),
+            query: "a=1".to_string(),
+            uri: "/hello?a=1".to_string(),
+            remote_addr: "127.0.0.1:1234".to_string(),
+            server_name: "example.com".to_string(),
+        }
+    }
+
+    #[test]
+    fn process_template_preserves_utf8_text() {
+        let rendered = process_template("你好 {{path}}", &vars(), &None);
+
+        assert_eq!(rendered, "你好 /hello");
+    }
+
+    #[test]
+    fn include_path_must_stay_under_configured_root() {
+        let dir = tempfile::tempdir().unwrap();
+        let include = dir.path().join("fragment.html");
+        std::fs::write(&include, "ok").unwrap();
+
+        let root = Some(dir.path().to_path_buf());
+
+        assert_eq!(
+            resolve_include_path("fragment.html", &root),
+            Some(include.canonicalize().unwrap())
+        );
+        assert!(resolve_include_path("../secret.html", &root).is_none());
+        assert!(resolve_include_path(include.to_str().unwrap(), &root).is_none());
+    }
+}

crates/core/src/hoops/templates.rs

@@ -5,7 +5,7 @@
 //! as a CGI-style response (headers followed by body).
 
 use std::collections::HashMap;
-use std::path::PathBuf;
+use std::path::{Component, Path, PathBuf};
 use std::process::Stdio;
 
 use http::{Response, StatusCode};
@@ -66,13 +66,19 @@ impl CgiHandler {
         client_addr: std::net::SocketAddr,
     ) -> Result<Response<crate::Body>, ProxyError> {
         let path = request.uri().path().to_string();
-        let script_path = self.root.join(path.trim_start_matches('/'));
-
-        if !script_path.exists() {
-            return Ok(Response::builder()
-                .status(StatusCode::NOT_FOUND)
-                .body(full_body("Not Found"))?);
-        }
+        let script_path = match resolve_script_path(&self.root, &path) {
+            Ok(script_path) => script_path,
+            Err(CgiPathError::NotFound) => {
+                return Ok(Response::builder()
+                    .status(StatusCode::NOT_FOUND)
+                    .body(full_body("Not Found"))?);
+            }
+            Err(CgiPathError::Forbidden) => {
+                return Ok(Response::builder()
+                    .status(StatusCode::FORBIDDEN)
+                    .body(full_body("Forbidden"))?);
+            }
+        };
 
         // Collect the request body before decomposing the request.
         let (parts, body) = request.into_parts();
@@ -163,6 +169,79 @@ impl CgiHandler {
     }
 }
 
+// ---------------------------------------------------------------------------
+// CGI path resolution
+// ---------------------------------------------------------------------------
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq)]
+enum CgiPathError {
+    NotFound,
+    Forbidden,
+}
+
+fn resolve_script_path(root: &Path, uri_path: &str) -> Result<PathBuf, CgiPathError> {
+    let decoded_path = percent_decode_path(uri_path).ok_or(CgiPathError::Forbidden)?;
+    if has_forbidden_path_components(Path::new(decoded_path.trim_start_matches('/'))) {
+        return Err(CgiPathError::Forbidden);
+    }
+
+    let candidate = root.join(uri_path.trim_start_matches('/'));
+    let root = root.canonicalize().map_err(|_| CgiPathError::NotFound)?;
+    let script = candidate
+        .canonicalize()
+        .map_err(|_| CgiPathError::NotFound)?;
+
+    if !script.starts_with(&root) {
+        return Err(CgiPathError::Forbidden);
+    }
+    if !script.is_file() {
+        return Err(CgiPathError::NotFound);
+    }
+
+    Ok(script)
+}
+
+fn has_forbidden_path_components(path: &Path) -> bool {
+    path.components().any(|component| {
+        matches!(
+            component,
+            Component::ParentDir | Component::RootDir | Component::Prefix(_)
+        )
+    })
+}
+
+fn percent_decode_path(path: &str) -> Option<String> {
+    let bytes = path.as_bytes();
+    let mut output = Vec::with_capacity(bytes.len());
+    let mut i = 0;
+
+    while i < bytes.len() {
+        if bytes[i] == b'%' {
+            if i + 2 >= bytes.len() {
+                return None;
+            }
+            let hi = hex_value(bytes[i + 1])?;
+            let lo = hex_value(bytes[i + 2])?;
+            output.push((hi << 4) | lo);
+            i += 3;
+        } else {
+            output.push(bytes[i]);
+            i += 1;
+        }
+    }
+
+    String::from_utf8(output).ok()
+}
+
+fn hex_value(byte: u8) -> Option<u8> {
+    match byte {
+        b'0'..=b'9' => Some(byte - b'0'),
+        b'a'..=b'f' => Some(byte - b'a' + 10),
+        b'A'..=b'F' => Some(byte - b'A' + 10),
+        _ => None,
+    }
+}
+
 // ---------------------------------------------------------------------------
 // CGI response parsing (shared with SCGI)
 // ---------------------------------------------------------------------------
@@ -268,4 +347,29 @@ mod tests {
         let resp = parse_cgi_response(data).unwrap();
         assert_eq!(resp.status(), 200);
     }
+
+    #[test]
+    fn resolve_script_path_allows_files_under_root() {
+        let dir = tempfile::tempdir().unwrap();
+        let script = dir.path().join("run.cgi");
+        std::fs::write(&script, "echo ok").unwrap();
+
+        let resolved = resolve_script_path(dir.path(), "/run.cgi").unwrap();
+
+        assert_eq!(resolved, script.canonicalize().unwrap());
+    }
+
+    #[test]
+    fn resolve_script_path_rejects_parent_escape() {
+        let dir = tempfile::tempdir().unwrap();
+        let outside = dir.path().parent().unwrap().join("outside-gatel-cgi-test");
+        std::fs::write(&outside, "echo outside").unwrap();
+
+        let result = resolve_script_path(dir.path(), "/../outside-gatel-cgi-test");
+        let encoded = resolve_script_path(dir.path(), "/%2e%2e/outside-gatel-cgi-test");
+
+        std::fs::remove_file(&outside).unwrap();
+        assert_eq!(result, Err(CgiPathError::Forbidden));
+        assert_eq!(encoded, Err(CgiPathError::Forbidden));
+    }
 }

crates/core/src/proxy/cgi.rs

@@ -1,9 +1,9 @@
 //! DNS-based dynamic upstream resolution.
 //!
 //! Periodically resolves a DNS name and updates an `UpstreamPool` with the
-//! resulting addresses.  Currently supports A/AAAA records via
-//! `tokio::net::lookup_host`; SRV record support is planned as a future
-//! extension.
+//! resulting addresses. Currently supports A/AAAA records via
+//! `tokio::net::lookup_host`; DNS SRV records are handled by
+//! `crate::proxy::srv_upstream`.
 
 use std::sync::Arc;
 use std::sync::atomic::{AtomicBool, AtomicUsize};
@@ -23,7 +23,7 @@ use super::upstream::Backend;
 pub enum DnsRecordType {
     /// A and AAAA records.  The port is taken from configuration.
     A,
-    /// SRV records (future extension).  Port comes from the SRV record.
+    /// SRV records. Port comes from the SRV record.
     SRV,
 }