Skip to content

fix: harden security, protocol, and resource boundaries#73

Merged
fannnzhang merged 5 commits into
mainfrom
fix/security-standards-hardening
Jul 11, 2026
Merged

fix: harden security, protocol, and resource boundaries#73
fannnzhang merged 5 commits into
mainfrom
fix/security-standards-hardening

Conversation

@fannnzhang

Copy link
Copy Markdown
Contributor

Summary

Implements the full security / standards review findings for OpenWire:

Security

  • Cookie public-suffix list: default Jar embeds Mozilla PSL and rejects Domain=.com-style cookies (RFC 6265 §5.3); honors Secure
  • Compression bomb protection: transparent decode stops after 128 MiB (configurable via max_decompressed_body_bytes)
  • HTTP forward-proxy URL credentials: http://user:pass@proxy injects Proxy-Authorization on the initial request (parity with CONNECT/SOCKS)
  • CONNECT header injection: reject CR/LF/NUL in CONNECT authority and header values
  • Strict Host mode (opt-in): strict_host_header(true) rejects Host ≠ URI authority
  • Cross-origin redirect: also strips X-Api-Key, X-Auth-Token, and related token headers

Correctness / protocol

  • Do not auto-follow 300 Multiple Choices
  • Response-status retries (408 / immediate 503) default to idempotent methods only (retry_non_idempotent(true) to restore old behavior)
  • 421 misdirected retries use effective max_retries (request/client config), not only the default-policy field
  • deflate auto-detects zlib-wrapped vs raw DEFLATE
  • Dual-stack route planning prefers IPv6 first when both families are present

Performance / resources

  • Default connection caps: total 256, per-host 8
  • HTTP/2 local concurrent-stream budget: 100
  • Pool max lifetime default 600s (plus existing idle timeout)
  • MemoryCacheStore defaults: 1024 keys / 64 MiB body budget; normalized cache keys (host case + default ports)

Test plan

  • cargo test -p openwire --lib
  • cargo test -p openwire --test integration
  • cargo test -p openwire-cache --tests
  • New unit/integration coverage for PSL cookies, forward-proxy URL auth, H2 stream cap, 300 redirect, non-idempotent retry default

Address the full security/standards review: enable cookie public-suffix
rejection, cap transparent decompression, inject HTTP forward-proxy URL
credentials, bound connections/H2 streams/pool lifetime, tighten redirect
and response-status retry defaults, and document the new behavior.
Pass strict_host_header into bridge normalization from the WebSocket
handshake path (feature was untested locally without --all-features),
and apply cargo fmt so the CI gate is green.
Replace Option match ladders with ? so CI clippy 1.97 -D warnings passes.
Use ? for the optional EXPIRES header so clippy 1.97 -D warnings is clean.
Use LevelFilter::TRACE so RUST_LOG cannot suppress debug events, match
trace messages more permissively, and surface captured messages when
retry/redirect events are missing.
@fannnzhang
fannnzhang merged commit 3faff8e into main Jul 11, 2026
7 checks passed
@fannnzhang
fannnzhang deleted the fix/security-standards-hardening branch July 11, 2026 08:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant