security: harden against SAST findings (criticals through mediums)
Critical: - Validate baseURL/sourceURL/upstreamURL at config load time (prevents XML injection, XSS, SSRF via config/env manipulation) - Use xml.Escape for OpenSearch XML template interpolation High: - Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.) - Sanitize result URLs to reject javascript:/data: schemes - Sanitize infobox img_src against dangerous URL schemes - Default CORS to deny-all (was wildcard *) Medium: - Rate limiter: X-Forwarded-For only trusted from configured proxies - Validate engine names against known registry allowlist - Add 1024-char max query length - Sanitize upstream error messages (strip raw response bodies) - Upstream client validates URL scheme (http/https only) Test updates: - Update extractIP tests for new trusted proxy behavior
This commit is contained in:
parent
4b0cde91ed
commit
da367a1bfd
23 changed files with 399 additions and 41 deletions
|
|
@ -92,9 +92,11 @@ func TestRateLimit_DifferentIPs(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestRateLimit_XForwardedFor(t *testing.T) {
|
||||
privateNet := mustParseCIDR("10.0.0.0/8")
|
||||
h := RateLimit(RateLimitConfig{
|
||||
Requests: 1,
|
||||
Window: 10 * time.Second,
|
||||
Requests: 1,
|
||||
Window: 10 * time.Second,
|
||||
TrustedProxies: []string{"10.0.0.0/8"},
|
||||
}, nil)(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
w.WriteHeader(http.StatusOK)
|
||||
}))
|
||||
|
|
@ -143,17 +145,27 @@ func TestRateLimit_WindowExpires(t *testing.T) {
|
|||
}
|
||||
|
||||
func TestExtractIP(t *testing.T) {
|
||||
// Trusted proxy: loopback
|
||||
loopback := mustParseCIDR("127.0.0.0/8")
|
||||
privateNet := mustParseCIDR("10.0.0.0/8")
|
||||
|
||||
tests := []struct {
|
||||
name string
|
||||
xff string
|
||||
realIP string
|
||||
remote string
|
||||
trusted []*net.IPNet
|
||||
expected string
|
||||
}{
|
||||
{"xff", "203.0.113.50, 10.0.0.1", "", "10.0.0.1:1234", "203.0.113.50"},
|
||||
{"real_ip", "", "203.0.113.50", "10.0.0.1:1234", "203.0.113.50"},
|
||||
{"remote", "", "", "1.2.3.4:5678", "1.2.3.4"},
|
||||
{"xff_over_real", "203.0.113.50", "10.0.0.1", "10.0.0.1:1234", "203.0.113.50"},
|
||||
// No trusted proxies → always use RemoteAddr.
|
||||
{"no_trusted_xff", "203.0.113.50, 10.0.0.1", "", "10.0.0.1:1234", nil, "10.0.0.1"},
|
||||
{"no_trusted_real", "", "203.0.113.50", "10.0.0.1:1234", nil, "10.0.0.1"},
|
||||
{"no_trusted_remote", "", "", "1.2.3.4:5678", nil, "1.2.3.4"},
|
||||
// Trusted proxy → XFF is respected.
|
||||
{"trusted_xff", "203.0.113.50, 10.0.0.1", "", "10.0.0.1:1234", []*net.IPNet{privateNet}, "203.0.113.50"},
|
||||
{"trusted_real_ip", "", "203.0.113.50", "10.0.0.1:1234", []*net.IPNet{privateNet}, "203.0.113.50"},
|
||||
// Untrusted remote → XFF ignored even if present.
|
||||
{"untrusted_xff", "203.0.113.50, 10.0.0.1", "", "1.2.3.4:5678", []*net.IPNet{loopback}, "1.2.3.4"},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
|
|
@ -167,9 +179,17 @@ func TestExtractIP(t *testing.T) {
|
|||
}
|
||||
req.RemoteAddr = tt.remote
|
||||
|
||||
if got := extractIP(req); got != tt.expected {
|
||||
if got := extractIP(req, tt.trusted...); got != tt.expected {
|
||||
t.Errorf("extractIP() = %q, want %q", got, tt.expected)
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func mustParseCIDR(s string) *net.IPNet {
|
||||
_, network, err := net.ParseCIDR(s)
|
||||
if err != nil {
|
||||
panic(err)
|
||||
}
|
||||
return network
|
||||
}
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue