fix(node,gossip): route gossip HTTP through the no-redirect client (#93)#140

Merged
kevincodex1 merged 1 commit into
mainfrom
fix/gossip-task-ssrf-redirect
Jul 3, 2026
Conversation

@beardthelion beardthelion commented Jul 1, 2026

Collaborator

Closes #93.

gossip_task built its own reqwest::Client::new(), which follows up to 10 redirects by default, and used it for the bootstrap announce and the periodic peer /health ping. A peer host (public at announce time per is_public_http_url) can answer /health with a 302 pointing at a link-local or internal address, and the node follows it. So an unauthenticated announce becomes a blind SSRF, one outbound request to an attacker-chosen internal target per gossip cycle.

The fix reuses the shared state.http_client, which is already built with redirect::Policy::none(), the same guard sync.rs and the announce fan-out got in #78. The ping is extracted into ping_peer_health so the redirect behavior is testable, and the shared client's construction is pulled into build_http_client so the tests exercise the exact client the node runs rather than a hand-rolled copy.

Tests: a 302 to an internal mock (registered expect(0)) is not followed, a 200 is healthy, a connection error is unhealthy. The redirect guard is load-bearing against the production builder (flipping build_http_client to follow redirects makes it fail). Full crate suite green, clippy -D warnings clean.

One thing not covered by a test: that gossip's call site reads state.http_client rather than a fresh client. Driving the real gossip loop needs a mock peer, but mockito binds to 127.0.0.1 and both upsert_peer and list_peers reject non-public hosts, so a local mock never enters the loop. That call site is guarded by a comment against reintroducing Client::new(); the redirect policy itself is test-bound via build_http_client.

Summary by CodeRabbit

  • Bug Fixes
    • Improved outbound network handling by reusing a shared HTTP client with a 10-second timeout and redirects disabled.
    • Peer health checks are now more strict: only 2xx responses count as healthy; connection errors are treated as unhealthy.
    • Health check behavior avoids any redirect-based bypasses.
  • Tests
    • Added unit tests covering redirect behavior and connection failure scenarios for peer health checking.

gossip_task built its own reqwest::Client::new(), whose default redirect
policy follows up to 10 redirects, and used it for the bootstrap announce
and the periodic peer /health ping. A peer host (public at announce time,
per is_public_http_url) could answer /health with 302 Location:
http://169.254.169.254/... and the node would follow it into cloud
metadata or internal addresses. Blind SSRF: only request status feeds
mark_peer_ping.

Reuse the shared state.http_client (Policy::none, already on AppState),
matching sync.rs and the announce fan-out hardened in #78. Extract
ping_peer_health so the redirect-not-followed behavior is covered by a
mockito test (302 to an internal target registered expect(0), asserted
not hit).
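The probe and the three test scenarios described above, as an added example that is not code from the gitlawb-node crate or from this PR. It uses only the Rust standard library, so reqwest and mockito do not appear: the hand-rolled HTTP/1.1 client, the names ping_peer_health, spawn_mock, ScenarioResults and run_scenarios, and the counting listener that stands in for the internal target are all this example's own assumptions. The point it shows is the shape of the guard and its test: the probe reads the status line and nothing else, so a 302 Location toward an internal address is never followed, 2xx maps to healthy, and a refused connection maps to unhealthy, while the listener standing in for the internal target records zero hits (the role of expect(0) in the PR's mockito test).

```rust
// Added example, not the gitlawb-node code: a no-redirect /health probe and the
// three scenarios the PR tests, using only the Rust standard library.
use std::io::{BufRead, BufReader, Write};
use std::net::{Shutdown, TcpListener, TcpStream};
use std::sync::atomic::{AtomicUsize, Ordering};
use std::sync::Arc;
use std::thread;
use std::time::Duration;

/// GET /health on `host_port` and report 2xx as healthy. Only the status line is
/// consulted; the Location header is never read, so a 302 cannot steer the probe
/// to a second host (the std-only stand-in for reqwest's redirect::Policy::none()).
/// Connection and protocol errors map to unhealthy, as in the PR.
pub fn ping_peer_health(host_port: &str) -> bool {
    let mut stream = match TcpStream::connect(host_port) {
        Ok(s) => s,
        Err(_) => return false, // connection error => unhealthy
    };
    let _ = stream.set_read_timeout(Some(Duration::from_secs(2)));
    let request = format!("GET /health HTTP/1.1\r\nHost: {host_port}\r\nConnection: close\r\n\r\n");
    if stream.write_all(request.as_bytes()).is_err() {
        return false;
    }
    let mut status_line = String::new();
    if BufReader::new(&stream).read_line(&mut status_line).is_err() {
        return false;
    }
    // "HTTP/1.1 302 Found" -> 302; anything outside 2xx is unhealthy.
    let code = status_line.split_whitespace().nth(1).and_then(|c| c.parse::<u16>().ok());
    matches!(code, Some(200..=299))
}

/// Constructed mock peer: serves one fixed HTTP response on 127.0.0.1 and counts
/// accepted connections (the expect(0) / expect(1) role mockito plays in the PR).
fn spawn_mock(response: String, hits: Arc<AtomicUsize>) -> String {
    let listener = TcpListener::bind("127.0.0.1:0").expect("bind mock listener");
    let addr = listener.local_addr().expect("local addr").to_string();
    thread::spawn(move || {
        for conn in listener.incoming() {
            let mut stream = match conn {
                Ok(s) => s,
                Err(_) => continue,
            };
            hits.fetch_add(1, Ordering::SeqCst);
            {
                // Drain the request head up to the blank line before answering.
                let mut reader = BufReader::new(&stream);
                let mut line = String::new();
                while reader.read_line(&mut line).unwrap_or(0) > 0 {
                    if line == "\r\n" || line == "\n" {
                        break;
                    }
                    line.clear();
                }
            }
            let _ = stream.write_all(response.as_bytes());
            let _ = stream.shutdown(Shutdown::Both);
        }
    });
    addr
}

/// Outcome of the three PR scenarios plus the internal-target hit count.
pub struct ScenarioResults {
    pub redirect_peer_healthy: bool,
    pub internal_hits: usize,
    pub ok_peer_healthy: bool,
    pub refused_peer_healthy: bool,
}

pub fn run_scenarios() -> ScenarioResults {
    // Stand-in for the internal address a redirect would point at (constructed:
    // a local counting listener, never a real metadata or link-local host).
    let internal_hits = Arc::new(AtomicUsize::new(0));
    let internal = spawn_mock("HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n".to_string(), internal_hits.clone());
    // Hostile peer: /health answers 302 toward the internal stand-in.
    let redirect_peer = spawn_mock(
        format!("HTTP/1.1 302 Found\r\nLocation: http://{internal}/\r\nContent-Length: 0\r\n\r\n"),
        Arc::new(AtomicUsize::new(0)),
    );
    // Well-behaved peer: plain 200.
    let ok_peer = spawn_mock("HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok".to_string(), Arc::new(AtomicUsize::new(0)));
    // Dead peer: bind a port, then drop the listener so the connect is refused.
    let refused_peer = TcpListener::bind("127.0.0.1:0").expect("bind").local_addr().expect("local addr").to_string();
    let redirect_peer_healthy = ping_peer_health(&redirect_peer);
    // Leave time for any (wrong) redirect follow to land before reading the counter.
    thread::sleep(Duration::from_millis(100));
    ScenarioResults {
        redirect_peer_healthy,
        internal_hits: internal_hits.load(Ordering::SeqCst),
        ok_peer_healthy: ping_peer_health(&ok_peer),
        refused_peer_healthy: ping_peer_health(&refused_peer),
    }
}

fn main() {
    let r = run_scenarios();
    println!("302 peer healthy: {} (expect false)", r.redirect_peer_healthy);
    println!("internal target hits: {} (expect 0)", r.internal_hits);
    println!("200 peer healthy: {} (expect true)", r.ok_peer_healthy);
    println!("refused peer healthy: {} (expect false)", r.refused_peer_healthy);
}
```

The counting listener is what makes the redirect assertion load-bearing: if the probe were changed to read Location and reconnect, internal_hits would become 1 and the check would fail, which is the same signal the PR gets from flipping build_http_client to follow redirects.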
coderabbitai Bot commented Jul 1, 2026


No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between cd4680e and 1b24afd.

📒 Files selected for processing (1)
  • crates/gitlawb-node/src/main.rs

Walkthrough

This PR centralizes HTTP client construction via a new build_http_client() helper and reuses the shared client for gossip traffic and peer health checks. It also adds tests covering redirect handling and request failures.

Changes

SSRF hardening of outbound gossip HTTP client

Layer | File(s) | Summary
Shared HTTP client helper and AppState wiring | crates/gitlawb-node/src/main.rs | Adds build_http_client() configuring a 10s timeout and a Policy::none() redirect policy; AppState.http_client is now built via this helper.
gossip_task and ping_peer_health reuse shared client | crates/gitlawb-node/src/main.rs | gossip_task reuses state.http_client instead of creating a fresh reqwest::Client; the periodic ping loop calls a new ping_peer_health() helper that GETs /health with the no-redirect client and maps 2xx responses to healthy and errors to unhealthy.
SSRF regression tests for ping_peer_health | crates/gitlawb-node/src/main.rs | Adds gossip_ssrf_tests with mockito-based async tests: a 302 with an internal Location is not followed, a 200 counts as healthy, and a connection error counts as unhealthy.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
    participant gossip_task
    participant ping_peer_health
    participant state.http_client
    participant peer.health endpoint

    gossip_task->>ping_peer_health: ping_peer_health(&client, peer.http_url)
    ping_peer_health->>state.http_client: GET {peer.http_url}/health
    state.http_client->>peer.health endpoint: HTTP request
    peer.health endpoint-->>state.http_client: 200 or 302 Location
    state.http_client-->>ping_peer_health: response or error
    ping_peer_health-->>gossip_task: is_success() boolean

Possibly related PRs

  • Gitlawb/node#78: Prior PR introduced the shared client's Policy::none() redirect hardening that this PR extends to gossip_task and ping_peer_health.
Pre-merge checks (5 passed)

Check name | Status | Explanation
Title check | Passed | The title clearly describes the main change: routing gossip HTTP through the shared no-redirect client.
Description check | Passed | The description covers the problem, fix, tests, and reviewer caveat, though it doesn't follow the template headings exactly.
Linked Issues check | Passed | The PR reuses the shared no-redirect client for gossip announce and peer health checks, matching #93's SSRF fix.
Out of Scope Changes check | Passed | Changes stay focused on the gossip HTTP client refactor and related tests, with no unrelated scope visible.
Docstring Coverage | Passed | Docstring coverage is 100.00%, which is sufficient. The required threshold is 80.00%.
@beardthelion beardthelion added crate:node gitlawb-node — the serving node and REST API kind:bug Defect fix — wrong or unsafe behavior labels Jul 1, 2026
Collaborator Author

@coderabbitai full review

coderabbitai Bot commented Jul 1, 2026

✅ Action performed

Full review finished.

@jatmn jatmn left a comment

Collaborator

Thanks for the contribution. I do not see any actionable issues from my review.

@kevincodex1 LGTM

@kevincodex1 kevincodex1 left a comment

Contributor

LGTM

@kevincodex1 kevincodex1 merged commit 563c456 into main Jul 3, 2026
16 checks passed
Development

Successfully merging this pull request may close these issues.

gossip_task uses a redirect-following client, enabling SSRF on the peer-ping path