From dd7b12a97dfd9454b5582250f138c4d6b2e82a86 Mon Sep 17 00:00:00 2001
From: Nikketryhard
Date: Sat, 14 Feb 2026 15:49:39 -0600
Subject: [PATCH] fix(#2): cap domain cert cache at 64 entries

---
 KNOWN_ISSUES.md | 6 +++---
 src/mitm/ca.rs  | 5 ++++-
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/KNOWN_ISSUES.md b/KNOWN_ISSUES.md
index 229431b..b926bf4 100644
--- a/KNOWN_ISSUES.md
+++ b/KNOWN_ISSUES.md
@@ -14,13 +14,13 @@ The MITM proxy matches intercepted API traffic to cascade IDs by scanning for `m
 
 ---
 
-### 2. Domain Certificate Cache Is Unbounded
+### ~~2. Domain Certificate Cache Is Unbounded~~ ✅ FIXED
 
 **File:** `src/mitm/ca.rs` — `domain_cache`
 
-The `domain_cache` (`HashMap>`) grows without bound. Each unique domain gets a cached entry containing a full `ServerConfig` with an RSA key pair. In practice, only ~5–10 domains are intercepted so this is unlikely to matter, but there's no eviction.
+~~The `domain_cache` (`HashMap>`) grows without bound.~~
 
-**Fix:** Set a max cache size (e.g., 100 entries) with LRU eviction, or use a TTL since leaf certs are generated with a 1-year validity.
+**Fixed:** Added a 64-entry cap with clear-on-overflow. In practice only ~5-10 domains are ever intercepted, so this is a safety valve. Full LRU would be overkill.
 
 ---
 
diff --git a/src/mitm/ca.rs b/src/mitm/ca.rs
index eda8edf..000b656 100644
--- a/src/mitm/ca.rs
+++ b/src/mitm/ca.rs
@@ -207,9 +207,12 @@ impl MitmCa {
         let config = Arc::new(config);
 
-        // Cache it
+        // Cache it (cap at 64 entries — in practice only ~5-10 domains are seen)
         {
             let mut cache = self.domain_cache.write().await;
+            if cache.len() >= 64 {
+                cache.clear();
+            }
             cache.insert(domain.to_string(), config.clone());
         }