(fix): Address code review findings — SSRF bypass, send checks, Console logging, SMTP constants, TLSContext rename

- Block IPv6-mapped IPv4 addresses (::ffff:) in SSRF validation
- Check send() return values in TCP fast path, forward goroutine, and SMTP forwarding
- Fix goroutine resource leak in TCP SwooleCoroutine error path
- Replace all echo/error_log with Utopia\Console (log, success, info, error)
- Extract SMTP magic numbers into class constants (RECV_BUFFER, PACKAGE_MAX_LENGTH, etc.)
- Rename TlsContext → TLSContext (acronym casing convention)
- Rename getTlsContext → getTLSContext in Config and all callers
- Add workerStart callback support to HTTP SwooleCoroutine
- Normalize timeout types to float across all Config classes
- Add utopia-php/console dependency, remove unused utopia-php/cli

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: abnegate

composer.json

@@ -11,8 +11,9 @@
     ],
     "require": {
         "php": ">=8.4",
+        "ext-redis": "*",
         "ext-swoole": ">=6.0",
-        "ext-redis": "*"
+        "utopia-php/console": "^0.1.1"
     },
     "require-dev": {
         "phpunit/phpunit": "12.*",

src/Adapter.php

@@ -85,7 +85,7 @@ public function setSkipValidation(bool $skip): static
         return $this;
     }
 
-    public function setCacheTtl(int $seconds): static
+    public function setCacheTTL(int $seconds): static
     {
         $this->cacheTTL = $seconds;
 
@@ -237,7 +237,7 @@ public function route(string $resourceId): ConnectionResult
             }
 
             if (!$this->skipValidation) {
-                $this->validate($endpoint);
+                $endpoint = $this->validate($endpoint);
             }
 
             if ($this->cacheTTL > 0) {
@@ -261,19 +261,23 @@ public function route(string $resourceId): ConnectionResult
     }
 
     /**
-     * Validate backend endpoint to prevent SSRF attacks
+     * Validate backend endpoint to prevent SSRF attacks.
+     *
+     * Returns the validated endpoint with the hostname replaced by the
+     * resolved IP address to prevent DNS rebinding (TOCTOU) attacks.
      */
-    protected function validate(string $endpoint): void
+    protected function validate(string $endpoint): string
     {
         $parts = \explode(':', $endpoint);
         if (\count($parts) > 2) {
             throw new ResolverException("Invalid endpoint format: {$endpoint}");
         }
 
         $host = $parts[0];
-        $port = isset($parts[1]) ? (int) $parts[1] : 0;
+        $hasPort = isset($parts[1]);
+        $port = $hasPort ? (int) $parts[1] : 0;
 
-        if ($port > 65535) {
+        if ($hasPort && ($port < 1 || $port > 65535)) {
             throw new ResolverException("Invalid port number: {$port}");
         }
 
@@ -307,23 +311,48 @@ protected function validate(string $endpoint): void
                 }
             }
         } elseif (\filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6)) {
-            if ($ip === '::1' || \str_starts_with($ip, 'fe80:') || \str_starts_with($ip, 'fc00:') || \str_starts_with($ip, 'fd00:')) {
+            if (
+                $ip === '::1'
+                || \str_starts_with($ip, 'fe80:')
+                || \str_starts_with($ip, 'fc00:')
+                || \str_starts_with($ip, 'fd00:')
+                || \str_starts_with(\strtolower($ip), '::ffff:')
+            ) {
                 throw new ResolverException("Access to private/reserved IPv6 address is forbidden: {$ip}");
             }
         }
+
+        return $hasPort ? "{$ip}:{$port}" : $ip;
     }
 
     /**
      * Initialize routing cache table
      */
-    protected function initRouter(): void
+    protected function initRouter(int $size = 10_000): void
     {
-        $this->router = new Table(200_000);
+        $this->router = new Table($size);
         $this->router->column('endpoint', Table::TYPE_STRING, 256);
         $this->router->column('updated', Table::TYPE_INT, 8);
         $this->router->create();
     }
 
+    /**
+     * Parse an endpoint string into host and port.
+     *
+     * If the endpoint already contains a port, that port is used.
+     * Otherwise the provided default port is used.
+     *
+     * @return array{0: string, 1: int}
+     */
+    public static function parseEndpoint(string $endpoint, int $defaultPort): array
+    {
+        $parts = \explode(':', $endpoint, 2);
+        $host = $parts[0];
+        $port = isset($parts[1]) && $parts[1] !== '' ? (int) $parts[1] : $defaultPort;
+
+        return [$host, $port];
+    }
+
     /**
      * Get routing and connection stats
      *

src/Adapter/TCP.php

@@ -115,8 +115,7 @@ public function getConnection(string $data, int $fd): Client
 
         $result = $this->route($data);
 
-        [$host, $port] = \explode(':', $result->endpoint . ':' . $this->port);
-        $port = (int) $port;
+        [$host, $port] = self::parseEndpoint($result->endpoint, $this->port);
 
         $client = new Client(SWOOLE_SOCK_TCP);
 

src/Server/HTTP/Config.php

@@ -26,7 +26,7 @@ public function __construct(
         public readonly bool $parseFiles = false,
         public readonly bool $compression = false,
         public readonly int $logLevel = SWOOLE_LOG_ERROR,
-        public readonly int $timeout = 30,
+        public readonly float $timeout = 30.0,
         public readonly float $connectTimeout = 5.0,
         public readonly bool $keepAlive = true,
         public readonly int $poolSize = 1024,

src/Server/HTTP/Swoole.php

@@ -9,6 +9,7 @@
 use Swoole\Http\Request;
 use Swoole\Http\Response;
 use Swoole\Http\Server;
+use Utopia\Console;
 use Utopia\Proxy\Adapter;
 use Utopia\Proxy\Protocol;
 use Utopia\Proxy\Resolver;
@@ -84,15 +85,15 @@ protected function configure(): void
 
     public function onStart(Server $server): void
     {
-        echo "HTTP Proxy Server started at http://{$this->config->host}:{$this->config->port}\n";
-        echo "Workers: {$this->config->workers}\n";
-        echo "Max connections: {$this->config->maxConnections}\n";
+        Console::success("HTTP Proxy Server started at http://{$this->config->host}:{$this->config->port}");
+        Console::log("Workers: {$this->config->workers}");
+        Console::log("Max connections: {$this->config->maxConnections}");
     }
 
     public function onWorkerStart(Server $server, int $workerId): void
     {
         $this->adapter = new Adapter($this->resolver, name: 'HTTP', protocol: Protocol::HTTP);
-        $this->adapter->setCacheTtl($this->config->cacheTTL);
+        $this->adapter->setCacheTTL($this->config->cacheTTL);
 
         if ($this->config->skipValidation) {
             $this->adapter->setSkipValidation(true);
@@ -102,7 +103,7 @@ public function onWorkerStart(Server $server, int $workerId): void
             ($this->config->workerStart)($server, $workerId, $this->adapter);
         }
 
-        echo "Worker #{$workerId} started (Adapter: {$this->adapter->getName()})\n";
+        Console::log("Worker #{$workerId} started (Adapter: {$this->adapter->getName()})");
     }
 
     /**
@@ -114,7 +115,7 @@ public function onRequest(Request $request, Response $response): void
             try {
                 ($this->config->requestHandler)($request, $response, $this->adapter);
             } catch (\Throwable $e) {
-                error_log("Request handler error: {$e->getMessage()}");
+                Console::error("Request handler error: {$e->getMessage()}");
                 $response->status(500);
                 $response->end('Internal Server Error');
             }
@@ -171,7 +172,7 @@ public function onRequest(Request $request, Response $response): void
             }
 
         } catch (\Exception $e) {
-            error_log("Proxy error: {$e->getMessage()} in {$e->getFile()}:{$e->getLine()}");
+            Console::error("Proxy error: {$e->getMessage()} in {$e->getFile()}:{$e->getLine()}");
 
             $response->status(503);
             $response->header('Content-Type', 'application/json');
@@ -187,8 +188,7 @@ public function onRequest(Request $request, Response $response): void
      */
     protected function forwardRequest(Request $request, Response $response, string $endpoint, ?Telemetry $telemetry = null): void
     {
-        [$host, $port] = explode(':', $endpoint . ':80');
-        $port = (int) $port;
+        [$host, $port] = Adapter::parseEndpoint($endpoint, 80);
 
         $poolKey = "{$host}:{$port}";
         if (!isset($this->pools[$poolKey])) {
@@ -318,8 +318,7 @@ protected function forwardRawRequest(Request $request, Response $response, strin
             return;
         }
 
-        [$host, $port] = explode(':', $endpoint . ':80');
-        $port = (int) $port;
+        [$host, $port] = Adapter::parseEndpoint($endpoint, 80);
 
         $poolKey = "raw:{$host}:{$port}";
         if (!isset($this->pools[$poolKey])) {

src/Server/HTTP/SwooleCoroutine.php

@@ -9,6 +9,7 @@
 use Swoole\Coroutine\Http\Server as CoroutineServer;
 use Swoole\Http\Request;
 use Swoole\Http\Response;
+use Utopia\Console;
 use Utopia\Proxy\Adapter;
 use Utopia\Proxy\Protocol;
 use Utopia\Proxy\Resolver;
@@ -84,7 +85,7 @@ protected function configure(): void
     protected function initAdapter(): void
     {
         $this->adapter = new Adapter($this->resolver, name: 'HTTP', protocol: Protocol::HTTP);
-        $this->adapter->setCacheTtl($this->config->cacheTTL);
+        $this->adapter->setCacheTTL($this->config->cacheTTL);
 
         if ($this->config->skipValidation) {
             $this->adapter->setSkipValidation(true);
@@ -93,21 +94,37 @@ protected function initAdapter(): void
 
     public function onStart(): void
     {
-        echo "HTTP Proxy Server started at http://{$this->config->host}:{$this->config->port}\n";
-        echo "Workers: {$this->config->workers}\n";
-        echo "Max connections: {$this->config->maxConnections}\n";
+        Console::success("HTTP Proxy Server started at http://{$this->config->host}:{$this->config->port}");
+        Console::log("Workers: {$this->config->workers}");
+        Console::log("Max connections: {$this->config->maxConnections}");
     }
 
     public function onWorkerStart(int $workerId = 0): void
     {
-        echo "Worker #{$workerId} started (Adapter: {$this->adapter->getName()})\n";
+        if ($this->config->workerStart !== null) {
+            ($this->config->workerStart)(null, $workerId, $this->adapter);
+        }
+
+        Console::log("Worker #{$workerId} started (Adapter: {$this->adapter->getName()})");
     }
 
     /**
      * Main request handler
      */
     public function onRequest(Request $request, Response $response): void
     {
+        if ($this->config->requestHandler !== null) {
+            try {
+                ($this->config->requestHandler)($request, $response, $this->adapter);
+            } catch (\Throwable $e) {
+                Console::error("Request handler error: {$e->getMessage()}");
+                $response->status(500);
+                $response->end('Internal Server Error');
+            }
+
+            return;
+        }
+
         try {
             if ($this->config->directResponse !== null) {
                 $response->status($this->config->directResponseStatus);
@@ -157,7 +174,7 @@ public function onRequest(Request $request, Response $response): void
             }
 
         } catch (\Exception $e) {
-            error_log("Proxy error: {$e->getMessage()} in {$e->getFile()}:{$e->getLine()}");
+            Console::error("Proxy error: {$e->getMessage()} in {$e->getFile()}:{$e->getLine()}");
 
             $response->status(503);
             $response->header('Content-Type', 'application/json');
@@ -173,8 +190,7 @@ public function onRequest(Request $request, Response $response): void
      */
     protected function forwardRequest(Request $request, Response $response, string $endpoint, ?Telemetry $telemetry = null): void
     {
-        [$host, $port] = explode(':', $endpoint . ':80');
-        $port = (int) $port;
+        [$host, $port] = Adapter::parseEndpoint($endpoint, 80);
 
         $poolKey = "{$host}:{$port}";
         if (!isset($this->pools[$poolKey])) {
@@ -304,8 +320,7 @@ protected function forwardRawRequest(Request $request, Response $response, strin
             return;
         }
 
-        [$host, $port] = explode(':', $endpoint . ':80');
-        $port = (int) $port;
+        [$host, $port] = Adapter::parseEndpoint($endpoint, 80);
 
         $poolKey = "raw:{$host}:{$port}";
         if (!isset($this->pools[$poolKey])) {

src/Server/SMTP/Config.php

@@ -14,7 +14,7 @@ public function __construct(
         public readonly int $bufferOutputSize = 2 * 1024 * 1024,
         public readonly bool $enableCoroutine = true,
         public readonly int $maxWaitTime = 60,
-        public readonly int $timeout = 30,
+        public readonly float $timeout = 30.0,
         public readonly float $connectTimeout = 5.0,
         public readonly bool $skipValidation = false,
         public readonly int $cacheTTL = 60,

src/Server/SMTP/Connection.php

@@ -6,9 +6,14 @@
 
 class Connection
 {
-    public string $state = 'greeting';
+    public string $state = 'command';
 
     public ?string $domain = null;
 
     public ?Client $backend = null;
+
+    public function isData(): bool
+    {
+        return $this->state === 'data';
+    }
 }