penal-colony/kafka
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
118 commits 6 branches 0 tags 27 MiB
Commit graph

6 commits

Author SHA1 Message Date
Franz Kafka
b3e3123612 security: fix build errors, add honest Google UA, sanitize error msgs 
- Fix config validation: upstream URLs allow private IPs (self-hosted)
- Fix util.SafeURLScheme to return parsed URL
- Replace spoofed GSA User-Agent with honest Kafka UA
- Sanitize all engine error messages (strip response bodies)
- Replace unused body reads with io.Copy(io.Discard, ...) for reuse
- Fix pre-existing braveapi_test using wrong struct type
- Fix ratelimit test reference to limiter variable
- Update ratelimit tests for new trusted proxy behavior
 2026-03-22 16:27:49 +00:00
Franz Kafka
da367a1bfd security: harden against SAST findings (criticals through mediums) 
Critical:
- Validate baseURL/sourceURL/upstreamURL at config load time
  (prevents XML injection, XSS, SSRF via config/env manipulation)
- Use xml.Escape for OpenSearch XML template interpolation

High:
- Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.)
- Sanitize result URLs to reject javascript:/data: schemes
- Sanitize infobox img_src against dangerous URL schemes
- Default CORS to deny-all (was wildcard *)

Medium:
- Rate limiter: X-Forwarded-For only trusted from configured proxies
- Validate engine names against known registry allowlist
- Add 1024-char max query length
- Sanitize upstream error messages (strip raw response bodies)
- Upstream client validates URL scheme (http/https only)

Test updates:
- Update extractIP tests for new trusted proxy behavior
 2026-03-22 16:22:27 +00:00
ashisgreat22
d21e9189b8 fix(engines): validate Wikipedia language codes to prevent SSRF 
Wikipedia language subdomain was derived from user input without
validation, allowing attackers to redirect requests via malicious
language values like "evil.com.attacker.com". Added a whitelist of
valid Wikipedia language codes to prevent this.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
 2026-03-22 13:22:52 +01:00
Franz Kafka
7be03b4017 license: change from MIT to AGPLv3 
Update LICENSE file and add AGPL header to all source files.

AGPLv3 ensures that if someone runs Kafka as a network service and
modifies it, they must release their source code under the same license.
 2026-03-22 08:27:23 +00:00
Franz Kafka
6346fb7155 chore: update Go module path to github.com/metamorphosis-dev/kafka 
Module path now matches the GitHub mirror location.
All internal imports updated across 35+ files.
 2026-03-21 19:42:01 +00:00
Franz Kafka
dc44837219 feat: build Go-based SearXNG-compatible search service 
Implement an API-first Go rewrite with local engine adapters, upstream fallback, and Nix-based tooling so searches can run without matching the original UI while preserving response compatibility.

Made-with: Cursor
 2026-03-20 20:34:08 +01:00