b3nw/zerogravity
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(#2): cap domain cert cache at 64 entries

Browse Source
This commit is contained in:
Nikketryhard
2026-02-14 15:49:39 -06:00
parent b89d26cc68
commit dd7b12a97d
2 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
KNOWN_ISSUES.md
View File

@@ -14,13 +14,13 @@ The MITM proxy matches intercepted API traffic to cascade IDs by scanning for `m
--- ---
### 2. Domain Certificate Cache Is Unbounded ### ~~2. Domain Certificate Cache Is Unbounded~~ ✅ FIXED
**File:** `src/mitm/ca.rs``domain_cache` **File:** `src/mitm/ca.rs``domain_cache`
The `domain_cache` (`HashMap<String, Arc<ServerConfig>>`) grows without bound. Each unique domain gets a cached entry containing a full `ServerConfig` with an RSA key pair. In practice, only ~510 domains are intercepted so this is unlikely to matter, but there's no eviction. ~~The `domain_cache` (`HashMap<String, Arc<ServerConfig>>`) grows without bound.~~
**Fix:** Set a max cache size (e.g., 100 entries) with LRU eviction, or use a TTL since leaf certs are generated with a 1-year validity. **Fixed:** Added a 64-entry cap with clear-on-overflow. In practice only ~5-10 domains are ever intercepted, so this is a safety valve. Full LRU would be overkill.
--- ---

5
src/mitm/ca.rs
View File

@@ -207,9 +207,12 @@ impl MitmCa {
let config = Arc::new(config); let config = Arc::new(config);
// Cache it // Cache it (cap at 64 entries — in practice only ~5-10 domains are seen)
{ {
let mut cache = self.domain_cache.write().await; let mut cache = self.domain_cache.write().await;
if cache.len() >= 64 {
cache.clear();
}
cache.insert(domain.to_string(), config.clone()); cache.insert(domain.to_string(), config.clone());
} }