Skip to content

fix(config): empty allowed-hosts guard, fail-fast port, 0600 secrets, no request-path panics#16

Merged
sebyx07 merged 1 commit into
mainfrom
fix/config-robustness
Jul 2, 2026
Merged

fix(config): empty allowed-hosts guard, fail-fast port, 0600 secrets, no request-path panics#16
sebyx07 merged 1 commit into
mainfrom
fix/config-robustness

Conversation

@sebyx07

@sebyx07 sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Config/startup/robustness fixes from the bug hunt, all with tests:

  1. Empty MCP_SSH_ALLOWED_HOSTS disabled the host guard entirely. Environment=MCP_SSH_ALLOWED_HOSTS= in a unit file (or allowed_hosts = []) produced an empty allowlist, which rmcp treats as allow all hosts — DNS-rebinding guard silently off, worse than unset. Empty-after-trim now behaves exactly like unset: loopback default plus the warning.
  2. Invalid MCP_SSH_PORT silently ignored. 8080x/70000 fell through .ok() and the server bound the default port while the operator believed they'd moved it. Now fails fast, consistent with MCP_SSH_BIND.
  3. set-auth wrote the plaintext password world-readable first. fs::write created the file umask-default (0644), chmod 600 only afterwards — and a chmod failure was discarded (let _), leaving it 0644 forever. The file is now created 0600 from the first byte and the tighten-existing chmod propagates errors.
  4. Admin db_path() swallowed config errors. An unreadable/broken config file made mcp-ssh jobs/job kill/sessions silently operate on the default DB path while the live server used the configured one ("no jobs", kills that do nothing). Errors now propagate.
  5. Db::call could turn one bug into a full outage. expect() on the lock + join meant a single panicking closure poisoned the mutex and every subsequent call — all bearer validation and job persistence — panicked until restart. Poisoned locks are recovered and a closure panic returns an error to its caller alone.
  6. Admin kill's pgid as u32 wrapped a corrupt/negative row value into a real (wrong) process group; now rejected via try_from.

🤖 Generated with Claude Code

… no request-path panics

- MCP_SSH_ALLOWED_HOSTS set-but-empty (or allowed_hosts = [] / blank
  entries in the file) fed rmcp an empty allowlist, which it reads as
  allow-ALL hosts — the DNS-rebinding guard silently OFF, worse than
  unset. Empty now behaves exactly like unset: loopback default + warn.
- Invalid MCP_SSH_PORT (8080x, 70000) was silently ignored, leaving the
  server on the default port while the operator believed it moved. Now
  fails fast like an invalid MCP_SSH_BIND.
- set-auth created the config file umask-default (0644) with the
  plaintext password and only chmodded after — and a chmod failure was
  silently discarded, leaving it world-readable forever. Now created
  0600 from the first byte; the tighten-existing chmod propagates errors.
- config::db_path() swallowed read/parse errors (unwrap_or_default),
  silently pointing admin commands at the DEFAULT database while the
  server used the configured one. Errors now propagate.
- Db::call had expect() on the request path: one panicking closure
  poisoned the mutex and turned every later call (all bearer validation,
  all job writes) into a panic until restart. Poisoned locks are
  recovered; a closure panic returns an error to its caller alone.
- Admin job kill cast the stored pgid i64 -> u32 with as, wrapping a
  corrupt/negative row into a real (wrong) process group to signal.
  Now rejected with a message.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown

Warning

Review limit reached

You’ve reached a temporary PR review limit under our Fair Usage Limits Policy.

Your recent review volume is higher than typical usage, so adaptive limits are currently applied.

Next review available in: 34 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: e2d0b44d-68f6-4de5-9323-ba648a516623

📥 Commits

Reviewing files that changed from the base of the PR and between d8b41a0 and 1545144.

📒 Files selected for processing (4)
  • src/admin.rs
  • src/config.rs
  • src/db.rs
  • src/main.rs
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/config-robustness

Comment @coderabbitai help to get the list of available commands.

@sebyx07 sebyx07 enabled auto-merge (squash) July 2, 2026 18:35
@sebyx07

sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Review finished.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@sebyx07

sebyx07 commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai approve

@sebyx07 sebyx07 merged commit 88f4ee2 into main Jul 2, 2026
5 checks passed
@coderabbitai

coderabbitai Bot commented Jul 2, 2026

Copy link
Copy Markdown
✅ Action performed

Comments resolved and changes approved.

@sebyx07 sebyx07 deleted the fix/config-robustness branch July 2, 2026 19:02
@sebyx07 sebyx07 mentioned this pull request Jul 2, 2026
sebyx07 added a commit that referenced this pull request Jul 2, 2026
Version bump for the v1.3.0 release: GlitchTip error tracking (#12) +
bug-fix PRs #13#16.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-authored-by: Claude Fable 5 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant