Networking: test anchors for un-pinned architectural properties (SSRF rebinding, Connection: close, happy-path TLS) #483

New issue

Closed

opened 2026-05-13 17:03:56 +00:00 by navicore · 1 comment

navicore commented 2026-05-13 17:03:56 +00:00

Owner

Copy link

Networking — test anchors for un-pinned architectural properties

Three test gaps from the PR1–PR5 reviews where the property holds in current code but no test would catch a regression. Reviewers flagged these as "deferrable but worth pinning" or "the strongest security win of the design with no test anchoring it."

Items

• SSRF DNS-rebinding-closure regression test (deferred from PR4 #480)

  "The architectural property — that addrs are validated then dialled without a second DNS lookup — is the actual security win here. … If a future refactor passes host: String to connect instead of addrs: Vec<IpAddr>, the property silently regresses with no test catching it."
  — PR4 second-pass review, "Still open" section

  Approach: add a #[cfg(test)] injection point in dns::resolve that returns scripted responses on successive calls. Test mocks the resolver to return a safe IP on the first call (which the SSRF check accepts) and a dangerous IP (e.g. 127.0.0.1) on the second. Then issue a request and assert that the dial went to the first IP — the validated one — not the second. A regression that passes host: String to connect and re-resolves there would fail this test loudly. Small.

• Connection: close pool-eviction test (deferred from PR4 #480)
  Today's integration test server (http_client/integration_tests.rs::spawn_test_server) only emits Connection: keep-alive. Would catch a future regression where the response's keep_alive=false is silently ignored on the pool release path.

  Approach: add a CloseOnce variant to ServerMode that emits Connection: close and closes the socket after one response. Test issues two requests to the same host and asserts accept_count == 2 (proving the pool didn't try to reuse a doomed entry). ~15 lines on top of the existing ServerMode enum. Small.

• Happy-path TLS integration test with same-process rustls server (deferred from PR3 #479)

  "If you can stand up a same-process rustls server with a self-signed cert and a custom RootCertStore in the test (it's ~30 lines of glue), the happy-path coverage closes that gap without external network. Optional — but the longer the success path goes unexercised the more room for handshake-shape regressions to slip in."
  — PR3 review

  PR4's HTTPS coverage exercises real-world TLS implicitly (manual verification against https://example.com), but a hermetic test against a same-process rustls server with a fixture self-signed cert + custom RootCertStore would pin the handshake-shape against rustls upgrades. Needs:

  • Fixture cert + key files in tests/fixtures/ or generated at test time.
  • A cfg(test) path that lets the runtime use a non-default RootCertStore (custom CA) instead of webpki-roots.
  • Same-process server glue using rustls server-side.

  Medium.

Rough scope

One day. One PR. Mostly test code; the only production change is whatever harness needs to land for the rebinding test (probably a #[cfg(test)] injection point in dns::resolve) and the cfg(test) trust-root override for the TLS happy-path test.

## Networking — test anchors for un-pinned architectural properties Three test gaps from the PR1–PR5 reviews where the property holds in current code but no test would catch a regression. Reviewers flagged these as "deferrable but worth pinning" or "the strongest security win of the design with no test anchoring it." ### Items - **SSRF DNS-rebinding-closure regression test** (deferred from PR4 #480) > "The architectural property — that `addrs` are validated *then* dialled without a second DNS lookup — is the actual security win here. … If a future refactor passes `host: String` to connect instead of `addrs: Vec<IpAddr>`, the property silently regresses with no test catching it." > — PR4 second-pass review, "Still open" section Approach: add a `#[cfg(test)]` injection point in `dns::resolve` that returns scripted responses on successive calls. Test mocks the resolver to return a safe IP on the first call (which the SSRF check accepts) and a dangerous IP (e.g. `127.0.0.1`) on the second. Then issue a request and assert that the dial went to the *first* IP — the validated one — not the second. A regression that passes `host: String` to connect and re-resolves there would fail this test loudly. **Small.** - **`Connection: close` pool-eviction test** (deferred from PR4 #480) Today's integration test server (`http_client/integration_tests.rs::spawn_test_server`) only emits `Connection: keep-alive`. Would catch a future regression where the response's `keep_alive=false` is silently ignored on the pool release path. Approach: add a `CloseOnce` variant to `ServerMode` that emits `Connection: close` and closes the socket after one response. Test issues two requests to the same host and asserts `accept_count == 2` (proving the pool didn't try to reuse a doomed entry). ~15 lines on top of the existing `ServerMode` enum. **Small.** - **Happy-path TLS integration test with same-process rustls server** (deferred from PR3 #479) > "If you can stand up a same-process rustls server with a self-signed cert and a custom `RootCertStore` in the test (it's ~30 lines of glue), the happy-path coverage closes that gap without external network. Optional — but the longer the success path goes unexercised the more room for handshake-shape regressions to slip in." > — PR3 review PR4's HTTPS coverage exercises real-world TLS implicitly (manual verification against `https://example.com`), but a hermetic test against a same-process rustls server with a fixture self-signed cert + custom `RootCertStore` would pin the handshake-shape against rustls upgrades. Needs: - Fixture cert + key files in `tests/fixtures/` or generated at test time. - A `cfg(test)` path that lets the runtime use a non-default `RootCertStore` (custom CA) instead of `webpki-roots`. - Same-process server glue using rustls server-side. **Medium.** ### Rough scope One day. One PR. Mostly test code; the only production change is whatever harness needs to land for the rebinding test (probably a `#[cfg(test)]` injection point in `dns::resolve`) and the `cfg(test)` trust-root override for the TLS happy-path test.

navicore referenced this issue from a commit 2026-05-14 12:25:11 +00:00

● All three test anchors landed. CI fully green.

navicore referenced this issue 2026-05-14 12:26:17 +00:00

● All three test anchors landed. CI fully green. #487

navicore commented 2026-05-14 12:27:51 +00:00

Author

Owner

Copy link

#487

https://git.navicore.tech/navicore/patch-seq/pulls/487

navicore closed this issue 2026-05-14 12:27:51 +00:00

navicore referenced this issue from a pull request that will close it, 2026-05-14 12:36:07 +00:00

● All three test anchors landed. CI fully green. #487

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

main

renovate/sha2-0.x

renovate/rcgen-0.x

renovate/rand-0.x

renovate/pbkdf2-0.x

renovate/hmac-0.x

v7.6.0

v7.5.7

v7.5.6

v7.4.5

v7.4.4

v7.4.3

v7.4.2

v7.4.1

v7.4.0

v7.3.0

v7.2.1

v7.2.0

v7.1.0

v7.0.0

v6.6.2

v6.6.1

v6.6.0

v6.5.3

v6.5.2

v6.5.1

v6.5.0

v6.4.2

v6.4.1

v6.4.0

v6.3.0

v6.2.2

v6.2.1

v6.2.0

v6.1.2

v6.1.1

v6.1.0

v6.0.0

v5.7.1

v5.7.0

v5.6.5

v5.6.4

v5.6.3

v5.6.2

v5.6.1

v5.6.0

v5.5.1

v5.5.0

v5.4.1

v5.4.0

v5.3.0

v5.2.1

v5.2.0

v5.1.1

v5.1.0

v5.0.0

v4.2.1

v4.2.0

v4.1.0

v4.0.3

v4.0.2

v4.0.1

v4.0.0

v3.1.0

v3.0.6

v3.0.5

v3.0.4

v3.0.3

v3.0.2

v3.0.1

v3.0.0

v2.3.3

v2.3.2

v2.3.1

v2.3.0

v2.2.0

v2.1.0

v2.0.1

v2.0.0

v1.1.1

v1.1.0

v1.0.6

v1.0.5

v1.0.4

v1.0.3

v1.0.2

v1.0.1

v1.0.0

v0.21.0

v0.20.1

v0.20.0

v0.19.12

v0.19.11

v0.19.10

v0.19.9

v0.19.8

v0.19.7

v0.19.6

v0.19.5

v0.19.4

v0.19.3

v0.19.2

v0.19.1

v0.19.0

v0.18.8

v0.18.7

v0.18.6

v0.18.5

v0.18.4

v0.18.3

v0.18.2

v0.18.1

v0.18.0

v0.17.0

v0.16.0

v0.15.0

v0.14.1

v0.14.0

v0.13.0

v0.12.3

v0.12.2

v0.12.1

v0.12.0

v0.11.0

v0.10.7

v0.10.6

v0.10.5

v0.10.4

v0.10.3

v0.10.2

v0.10.1

v0.10.0

v0.9.1

v0.9.0

v0.8.9

v0.8.8

v0.8.7

v0.8.6

v0.8.5

v0.8.4

v0.8.3

v0.8.2

v0.8.1

v0.8.0

v0.7.2

v0.7.1

v0.7.0

v0.6.4

v0.6.3

v0.6.2

v0.6.1

v0.6.0

v0.5.5

v0.5.4

v0.5.3

v0.5.2

v0.5.1

v0.5.0

v0.4.3

v0.4.2

v0.4.1

v0.4.0

v0.3.4

v0.3.3

v0.3.2

v0.3.1

Labels

Clear labels   

bug

Something isn't working

  

dependencies

Pull requests that update a dependency file

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

refactor

Code refactoring and cleanup

  

rust

Pull requests that update rust code

  

technical-debt

Technical debt to address

  

wontfix

This will not be worked on

No labels

bug

dependencies

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

refactor

rust

technical-debt

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

navicore/patch-seq#483

No description provided.