kafka

History

Franz Kafka da367a1bfd security: harden against SAST findings (criticals through mediums) Critical: - Validate baseURL/sourceURL/upstreamURL at config load time (prevents XML injection, XSS, SSRF via config/env manipulation) - Use xml.Escape for OpenSearch XML template interpolation High: - Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.) - Sanitize result URLs to reject javascript:/data: schemes - Sanitize infobox img_src against dangerous URL schemes - Default CORS to deny-all (was wildcard *) Medium: - Rate limiter: X-Forwarded-For only trusted from configured proxies - Validate engine names against known registry allowlist - Add 1024-char max query length - Sanitize upstream error messages (strip raw response bodies) - Upstream client validates URL scheme (http/https only) Test updates: - Update extractIP tests for new trusted proxy behavior		2026-03-22 16:22:27 +00:00
..
autocomplete	refactor: clean up verbose and redundant comments	2026-03-22 11:10:50 +00:00
cache	license: change from MIT to AGPLv3	2026-03-22 08:27:23 +00:00
config	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
contracts	refactor: clean up verbose and redundant comments	2026-03-22 11:10:50 +00:00
engines	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
httpapi	fix: use single Preferences handler with method check instead of dead POST route	2026-03-22 13:57:32 +01:00
middleware	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
search	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
upstream	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
util	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00
views	security: harden against SAST findings (criticals through mediums)	2026-03-22 16:22:27 +00:00