Project
vgrep
Description
The vgrep server only supports plain HTTP with no option for TLS/HTTPS. When the server is bound to a non-localhost interface (e.g., VGREP_HOST=0.0.0.0), all traffic including indexed code content is transmitted in cleartext, allowing network eavesdropping.
Error Message
Debug Logs
System Information
Bounty Version: 0.1.0
OS: Ubuntu 24.04 LTS
CPU: AMD EPYC-Genoa Processor (8 cores)
RAM: 15 GB
Screenshots
No response
Steps to Reproduce
- Start server on all interfaces:

      VGREP_HOST=0.0.0.0 vgrep serve

- From another machine, capture traffic:

      tcpdump -i eth0 port 7777 -A

- Make a search request - observe code snippets are visible in packet capture
Expected Behavior
The server should support TLS/HTTPS, either:
- Built-in TLS support with certificate configuration
- Documentation for using a reverse proxy (nginx/caddy) with TLS
Actual Behavior
Server only supports plain HTTP:

    // src/server/api.rs line 125-126
    let listener = tokio::net::TcpListener::bind(addr).await?;
    axum::serve(listener, app).await?;
    // No TLS configuration

Additional Context
No response
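
A startup guard for the condition this report describes, as an added example that is not part of the original issue or of vgrep's code: it classifies a bind host such as the `VGREP_HOST` value and refuses a plain-HTTP listener that other machines can reach. The names `classify_bind_host`, `check_plain_http_bind` and `allow_cleartext` are hypothetical, and the `127.0.0.1` fallback in `main` is an assumption.

```rust
use std::net::IpAddr;

/// Who can reach a plain-HTTP listener bound to a given host string.
#[derive(Debug, PartialEq)]
pub enum Exposure {
    LoopbackOnly, // only local processes can connect
    Network,      // other hosts can connect; cleartext traffic can be captured
}

/// Classify a bind host such as the value of VGREP_HOST.
pub fn classify_bind_host(host: &str) -> Exposure {
    let h = host.trim().trim_start_matches('[').trim_end_matches(']');
    // Assumption: "localhost" resolves to a loopback address on this machine.
    if h.eq_ignore_ascii_case("localhost") {
        return Exposure::LoopbackOnly;
    }
    let loopback = match h.parse::<IpAddr>() {
        Ok(IpAddr::V4(v4)) => v4.is_loopback(),
        // ::1, or an IPv4-mapped loopback such as ::ffff:127.0.0.1
        Ok(IpAddr::V6(v6)) => {
            v6.is_loopback() || v6.to_ipv4_mapped().map_or(false, |v4| v4.is_loopback())
        }
        // Other hostnames need DNS to classify, so fail closed.
        Err(_) => false,
    };
    if loopback { Exposure::LoopbackOnly } else { Exposure::Network }
}

/// Startup guard: refuse a cleartext listener that other hosts can reach
/// unless the operator explicitly opted in (hypothetical `allow_cleartext`).
pub fn check_plain_http_bind(host: &str, allow_cleartext: bool) -> Result<(), String> {
    match classify_bind_host(host) {
        Exposure::LoopbackOnly => Ok(()),
        Exposure::Network if allow_cleartext => Ok(()),
        Exposure::Network => Err(format!(
            "refusing plain HTTP on {host}: bind to 127.0.0.1 behind a TLS reverse proxy, or opt in explicitly"
        )),
    }
}

fn main() {
    // The 127.0.0.1 fallback is this example's assumption, not vgrep's documented default.
    let host = std::env::var("VGREP_HOST").unwrap_or_else(|_| "127.0.0.1".into());
    match check_plain_http_bind(&host, false) {
        Ok(()) => println!("ok: {host} is loopback-only"),
        Err(e) => eprintln!("{e}"),
    }
}
```

With a TLS-terminating reverse proxy (nginx or caddy, as the report suggests) on the same machine, the backend can stay on a loopback address and this guard passes without the opt-in.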