Harden 36 reachable security findings across runtime, install, parsers, http #30722
Claude / Claude Code Review
completed
May 14, 2026 in 38m 18s
Code review found 1 important issue
Found 6 candidates, confirmed 2. See review comments for details.
Details
| Severity | Count |
|---|---|
| 🔴 Important | 1 |
| 🟡 Nit | 1 |
| 🟣 Pre-existing | 0 |
| Severity | File:Line | Issue |
|---|---|---|
| 🔴 Important | src/http/HTTPContext.rs:923-937 | Strict caller can coalesce onto lax pending H2 connect |
| 🟡 Nit | src/runtime/socket/Listener.rs:1425-1440 | Old client Handlers leak (and new-handlers count underflow) on reconnect-from-callback |
Annotations
Check failure on line 937 in src/http/HTTPContext.rs
claude / Claude Code Review
Strict caller can coalesce onto lax pending H2 connect
Fix #83 guards `existing_socket` and the `active_h2_sessions` loop above, but the `pending_h2_connects` coalescing loop immediately below has no equivalent check — `PendingConnect::matches` only compares hostname/port/ssl_config, and `reject_unauthorized` lives on `client.flags` independently of `tls_props`. A strict (`rejectUnauthorized=true`) request arriving while a lax leader's TLS handshake is in flight gets pushed into `pc.waiters`, and `resolve_pending_h2` then `enqueue`s it onto a sessio
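The coalescing gap described in that comment, modelled as an added example in Rust; this is not the project's code and the types (`ConnectKey`, `Request`, `PendingConnect`, `Pool`, `Outcome`, the `ssl_config_id` field standing in for the ssl_config comparison) are hypothetical. A lax leader's handshake is in flight, a strict request for the same origin arrives, and the outcome depends on whether `reject_unauthorized` is part of the match:

```rust
// Added illustration, not the project's code: a pending-connect matcher that
// compares only hostname/port/ssl_config lets a reject_unauthorized=true request
// join a leader whose peer certificate is never verified.

#[derive(Clone, Debug, PartialEq, Eq)]
pub struct ConnectKey {
    pub hostname: String,
    pub port: u16,
    pub ssl_config_id: u32, // hypothetical stand-in for the ssl_config the lax matcher compares
}

#[derive(Clone, Debug)]
pub struct Request {
    pub id: u32,
    pub key: ConnectKey,
    pub reject_unauthorized: bool, // carried outside the key, as the review says client.flags does
}

pub struct PendingConnect {
    pub key: ConnectKey,
    pub reject_unauthorized: bool, // verification mode of the leader whose handshake is in flight
    pub waiters: Vec<Request>,
}

impl PendingConnect {
    /// The pattern the review flags: identity is hostname/port/ssl_config only.
    pub fn matches_lax(&self, req: &Request) -> bool {
        self.key == req.key
    }
    /// Hardened: the verification mode is part of the connection's identity.
    pub fn matches_hardened(&self, req: &Request) -> bool {
        self.key == req.key && self.reject_unauthorized == req.reject_unauthorized
    }
}

#[derive(Debug, PartialEq, Eq)]
pub enum Outcome {
    Coalesced { leader_reject_unauthorized: bool },
    NewConnect,
}

pub struct Pool {
    pub pending: Vec<PendingConnect>,
    pub hardened: bool,
}

impl Pool {
    pub fn new(hardened: bool) -> Self {
        Pool { pending: Vec::new(), hardened }
    }

    /// Push the request onto a matching pending connect, or start a new one.
    pub fn enqueue(&mut self, req: Request) -> Outcome {
        let hardened = self.hardened;
        for pc in self.pending.iter_mut() {
            let hit = if hardened { pc.matches_hardened(&req) } else { pc.matches_lax(&req) };
            if hit {
                let leader = pc.reject_unauthorized;
                pc.waiters.push(req);
                return Outcome::Coalesced { leader_reject_unauthorized: leader };
            }
        }
        self.pending.push(PendingConnect {
            key: req.key.clone(),
            reject_unauthorized: req.reject_unauthorized,
            waiters: vec![req],
        });
        Outcome::NewConnect
    }
}

/// Constructed scenario: a lax leader is mid-handshake when a strict request for
/// the same origin arrives. Returns what happens to the strict request.
pub fn strict_after_lax(hardened: bool) -> Outcome {
    let key = ConnectKey { hostname: "example.test".into(), port: 443, ssl_config_id: 7 };
    let mut pool = Pool::new(hardened);
    let lax = Request { id: 1, key: key.clone(), reject_unauthorized: false };
    assert_eq!(pool.enqueue(lax), Outcome::NewConnect); // the lax leader opens the connect
    let strict = Request { id: 2, key, reject_unauthorized: true };
    pool.enqueue(strict)
}

fn main() {
    println!("lax matcher:      {:?}", strict_after_lax(false));
    println!("hardened matcher: {:?}", strict_after_lax(true));
}
```

With the lax matcher the strict request is coalesced onto a leader with `reject_unauthorized=false`, which is the condition the review describes; with the verification mode in the match it opens its own connect. The same check belongs wherever a request can be attached to an existing or in-flight session, not only on the paths a single fix happened to touch.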
Check warning on line 1440 in src/runtime/socket/Listener.rs
claude / Claude Code Review
Old client Handlers leak (and new-handlers count underflow) on reconnect-from-callback
This trades the UAF for a per-reconnect leak: when `active_connections > 0` the old `Handlers` is correctly kept alive, but `prev.handlers` is still overwritten with the new pointer — so when `on_close`'s cleanup guard later runs `NewSocket::mark_inactive`, line socket_body.rs:1094 re-reads `self.get_handlers()` and decrements the **new** handlers (which start at `active_connections == 0` → underflow) instead of the old one, leaving the old `Handlers` orphaned at count 1 forever along with its `
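The count mismatch that comment describes, as an added Rust example; it is not the project's code, and `Handlers`, `Listener`, `Socket`, `reconnect`, `mark_inactive_rereading` and `mark_inactive_pinned` are hypothetical names modelling the shape of the problem. One socket is opened and counted on the old `Handlers`, a reconnect swaps in new `Handlers`, and then the socket closes:

```rust
// Added illustration, not the project's code: at close, a socket that re-reads
// the listener's *current* Handlers decrements the wrong object after a
// reconnect-from-callback; pinning the Handlers it was counted on fixes it.
use std::cell::{Cell, RefCell};
use std::rc::Rc;

/// Hypothetical per-listener Handlers with a count of sockets still active on it.
pub struct Handlers {
    pub label: &'static str,
    pub active_connections: Cell<i64>, // i64 so the underflow shows as -1 instead of wrapping
}

pub struct Listener {
    handlers: RefCell<Rc<Handlers>>,
}

impl Listener {
    pub fn new(h: Rc<Handlers>) -> Rc<Self> {
        Rc::new(Listener { handlers: RefCell::new(h) })
    }
    pub fn get_handlers(&self) -> Rc<Handlers> {
        self.handlers.borrow().clone()
    }
    /// Reconnect-from-callback: the listener's Handlers pointer is overwritten
    /// while a socket counted on the old Handlers may still be open.
    pub fn reconnect(&self, new: Rc<Handlers>) {
        *self.handlers.borrow_mut() = new;
    }
}

pub struct Socket {
    listener: Rc<Listener>,
    handlers_at_open: Rc<Handlers>, // the Handlers this socket incremented when it opened
}

impl Socket {
    pub fn open(listener: &Rc<Listener>) -> Socket {
        let h = listener.get_handlers();
        h.active_connections.set(h.active_connections.get() + 1);
        Socket { listener: Rc::clone(listener), handlers_at_open: h }
    }
    /// The pattern the review flags: re-read the listener's current Handlers at close.
    pub fn mark_inactive_rereading(&self) {
        let h = self.listener.get_handlers();
        h.active_connections.set(h.active_connections.get() - 1);
    }
    /// Fix: decrement the Handlers the socket was counted on, whatever the listener points at now.
    pub fn mark_inactive_pinned(&self) {
        let h = &self.handlers_at_open;
        h.active_connections.set(h.active_connections.get() - 1);
    }
}

/// Constructed scenario. Returns (old.active_connections, new.active_connections)
/// after open -> reconnect -> close.
pub fn reconnect_then_close(pinned: bool) -> (i64, i64) {
    let old = Rc::new(Handlers { label: "old", active_connections: Cell::new(0) });
    let new = Rc::new(Handlers { label: "new", active_connections: Cell::new(0) });
    let listener = Listener::new(Rc::clone(&old));
    let sock = Socket::open(&listener); // old.active_connections == 1
    listener.reconnect(Rc::clone(&new)); // listener now points at new, count 0
    if pinned {
        sock.mark_inactive_pinned();
    } else {
        sock.mark_inactive_rereading();
    }
    (old.active_connections.get(), new.active_connections.get())
}

fn main() {
    let (o, n) = reconnect_then_close(false);
    println!("re-reading current handlers: old={o} new={n}");
    let (o, n) = reconnect_then_close(true);
    println!("pinned at open:              old={o} new={n}");
}
```

Re-reading the current pointer leaves the old `Handlers` stuck at 1 (so whatever its count gates is never released) and drives the new one to -1; decrementing the object the socket was actually counted on returns both to 0. Whether the pin is a stored pointer on the socket or a captured reference in the close callback, the close path must not depend on the listener's mutable pointer.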