Skip to content

fixes to policy reload auth & SSRF whitelist for local services.#29

Merged
rcholic merged 1 commit intomainfrom
issue_fix1
Mar 13, 2026
Merged

fixes to policy reload auth & SSRF whitelist for local services.#29
rcholic merged 1 commit intomainfrom
issue_fix1

Conversation

@rcholic
Copy link
Contributor

@rcholic rcholic commented Mar 13, 2026
edited
Loading

Summary of Fixes for GitHub Issues #26 and #27

Issue #26: Unauthenticated /policy/reload Endpoint

Problem: The /policy/reload endpoint accepted unauthenticated requests, allowing any local process to replace the policy with a permissive one.

Solution:

  • Added reload_secret and disable_reload fields to PolicyConfig in src/config.rs
  • Added policy_reload_secret and policy_reload_disabled fields to AppState in src/http/mod.rs
  • Updated policy_reload_handler to require Authorization: Bearer <token> when secret is configured
  • Made /policy/reload route conditional - returns 404 when disable_reload is true

Configuration:

Option CLI Flag Environment Variable
Reload secret --policy-reload-secret PREDICATE_POLICY_RELOAD_SECRET
Disable endpoint --disable-policy-reload PREDICATE_DISABLE_POLICY_RELOAD

TOML Config:

[policy]
reload_secret = "your-secret-here"  # Require bearer token
disable_reload = false               # Set true to disable entirely

@rcholic rcholic merged commit 238ddab into main Mar 13, 2026
10 checks passed
@rcholic rcholic deleted the issue_fix1 branch March 13, 2026 02:36
@rcholic rcholic mentioned this pull request Mar 13, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rcholic