Skip to content

Fix misc findings from reaudit #376

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jclapis merged 13 commits into from
Sep 30, 2025
Merged

Fix misc findings from reaudit #376

jclapis merged 13 commits into from
Sep 30, 2025

Conversation

@jclapis
Copy link
Collaborator

@jclapis jclapis commented Sep 18, 2025
edited
Loading

Work In Progress

This fixes several smaller miscellaneous findings from the reaudit assessment.

CBST2-01

  • Added path / route to the JWT claims to improve resilience against replaying.

CBST2-04

  • Added rate-limit flagging to admin route JWT auth checking.
  • handle_reload() now updates the state atomically once all of the code has succeeded, and doesn't update it at all if any failures occur.

CBST2-06

  • JWT auth checking now attempts to retrieve the rightmost client IP from various proxy forwarding headers, then the falls back to the direct connection IP.
  • Fixed a race that occurred due to differing locks on JWT auth failure reads and writes. This was reverted due to performance considerations with locking the auth check for each request.
  • (Done in Add a task to clean up expired JWT failure rate limits  #380) Added a task to periodically sweep and clean up expired JWT authorization failures.

CBST2-14

  • Renamed a misnamed variable.

@jclapis jclapis self-assigned this Sep 18, 2025
@jclapis jclapis added pbs Pbs module / Builder API core Core part of the repo (signer, modules interface) signer Signer module labels Sep 18, 2025
@jclapis jclapis marked this pull request as ready for review September 22, 2025 12:41
@jclapis jclapis changed the title [WIP] - Fix misc findings from reaudit Fix misc findings from reaudit Sep 22, 2025
ltitanb
ltitanb requested changes Sep 30, 2025
View reviewed changes
crates/signer/src/service.rs Outdated
Comment on lines 98 to 100
jwts: Arc::new(RwLock::new(config.mod_signing_configs)),
admin_secret: Arc::new(RwLock::new(config.admin_secret)),
jwt_auth_failures: Arc::new(RwLock::new(HashMap::new())),
Copy link
Collaborator

@ltitanb ltitanb Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

i dont think we should use tokio RwLock here, in general I'd much rather take a guard lock twice than hold it for long

Copy link
Collaborator Author

@jclapis jclapis Sep 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Discussed offline and reverted in a29a366 due to performance reasons.

@jclapis jclapis merged commit d566dea into sigp-audit-fixes Sep 30, 2025
2 checks passed
@jclapis jclapis deleted the misc-reaudit-fixes branch September 30, 2025 21:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ManuelBilbao ManuelBilbao ManuelBilbao approved these changes

@ltitanb ltitanb ltitanb approved these changes

Assignees

@jclapis jclapis

Labels

core Core part of the repo (signer, modules interface) pbs Pbs module / Builder API signer Signer module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jclapis @ManuelBilbao @ltitanb