[CRITICAL] HTTP health check doesn't actually check HTTP response #16

Open
opened 2026-05-11 10:52:00 +00:00 by thabeta · 1 comment
Owner

Problem

The HTTP health check in process.rs only performs a TCP connect -- it never sends an HTTP request or checks the response status. The expect_status field in the config is ignored.

Impact

Any open TCP port passes the HTTP health check, regardless of whether it's actually serving HTTP or what status code it returns. A database port, SSH port, or any listening socket would be marked as "healthy" for an HTTP health check.

Files

  • crates/my_init_server/src/process.rs -- check_health function, HealthDef::Http branch

Suggested Fix

Send an actual HTTP GET request to the configured path, parse the response status, and compare against expect_status. Use reqwest or a minimal HTTP client.

Member

Classification: valid-bug — HTTP health check only performs TCP connect; never sends HTTP request or checks response status. expect_status config field is read but unused.

Confirmed by code inspection at crates/my_init_server/src/process.rs:739-778. The HealthDef::Http branch calls tokio::net::TcpStream::connect() and returns Healthy on any successful TCP connection regardless of the actual HTTP response. The code's own comments acknowledge this: "For simplicity, we just check if we can connect" and "Would need actual HTTP check here." The expect_status field is compared to 200 but the comparison is meaningless since no HTTP response is ever received.

Any open TCP port (SSH, database, etc.) passes the HTTP health check and marks the service as healthy.
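
The check the suggested fix describes, as an example added here and not the project's code: it uses blocking standard-library sockets, whereas the real `check_health` runs on tokio. The names `check_http` and `parse_status_line`, the `Result<(), String>` return type and the `127.0.0.1:8080` target are assumptions made for illustration.

```rust
use std::io::{BufRead, BufReader, Read, Write};
use std::net::{SocketAddr, TcpStream};
use std::time::Duration;

/// Extract the status code from a line such as "HTTP/1.1 200 OK".
/// Anything that is not an HTTP/1.x status line yields None.
pub fn parse_status_line(line: &str) -> Option<u16> {
    let mut parts = line.split_whitespace();
    if !parts.next()?.starts_with("HTTP/1.") {
        return None;
    }
    let code = parts.next()?;
    let numeric = code.len() == 3 && code.bytes().all(|b| b.is_ascii_digit());
    if numeric { code.parse().ok() } else { None }
}

/// Ok(()) only when the peer answers GET `path` with `expect_status`.
pub fn check_http(addr: SocketAddr, path: &str, expect_status: u16, timeout: Duration) -> Result<(), String> {
    // Refuse paths that could smuggle extra request lines or headers.
    if !path.starts_with('/') || path.chars().any(|c| c.is_whitespace() || c.is_control()) {
        return Err(format!("invalid path {path:?}"));
    }
    let mut stream = TcpStream::connect_timeout(&addr, timeout).map_err(|e| format!("connect: {e}"))?;
    // A successful connect proves nothing yet; bound every later step too.
    stream.set_read_timeout(Some(timeout)).map_err(|e| e.to_string())?;
    stream.set_write_timeout(Some(timeout)).map_err(|e| e.to_string())?;
    let request = format!("GET {path} HTTP/1.1\r\nHost: {addr}\r\nConnection: close\r\n\r\n");
    stream.write_all(request.as_bytes()).map_err(|e| format!("send: {e}"))?;

    // Read only the status line, capped so a non-HTTP peer cannot make us buffer forever.
    let mut line = String::new();
    BufReader::new(stream).take(1024).read_line(&mut line).map_err(|e| format!("read: {e}"))?;
    match parse_status_line(&line) {
        Some(code) if code == expect_status => Ok(()),
        Some(code) => Err(format!("status {code}, expected {expect_status}")),
        None => Err(format!("not an HTTP response: {:?}", line.trim_end())),
    }
}

fn main() {
    // Constructed target for illustration; point it at a local service.
    let addr: SocketAddr = "127.0.0.1:8080".parse().unwrap();
    match check_http(addr, "/health", 200, Duration::from_secs(2)) {
        Ok(()) => println!("healthy"),
        Err(why) => println!("unhealthy: {why}"),
    }
}
```

A listener that sends an SSH-style banner, one that returns a different status, and one that accepts the connection but never answers all come back as `Err`, which is the distinction the TCP-connect-only check cannot make.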

Reference
geomind_code/my_init#16