penal-colony/kafka
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kafka/internal/engines
History
Franz Kafka da367a1bfd security: harden against SAST findings (criticals through mediums) 
Critical:
- Validate baseURL/sourceURL/upstreamURL at config load time
  (prevents XML injection, XSS, SSRF via config/env manipulation)
- Use xml.Escape for OpenSearch XML template interpolation

High:
- Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.)
- Sanitize result URLs to reject javascript:/data: schemes
- Sanitize infobox img_src against dangerous URL schemes
- Default CORS to deny-all (was wildcard *)

Medium:
- Rate limiter: X-Forwarded-For only trusted from configured proxies
- Validate engine names against known registry allowlist
- Add 1024-char max query length
- Sanitize upstream error messages (strip raw response bodies)
- Upstream client validates URL scheme (http/https only)

Test updates:
- Update extractIP tests for new trusted proxy behavior
2026-03-22 16:22:27 +00:00
..
arxiv.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
arxiv_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
bing.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
bing_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
brave.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
braveapi.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
braveapi_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
crossref.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
crossref_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
duckduckgo.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
duckduckgo_parse.go license: change from MIT to AGPLv3 2026-03-22 08:27:23 +00:00
duckduckgo_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
engine.go license: change from MIT to AGPLv3 2026-03-22 08:27:23 +00:00
factory.go feat: add Brave web search scraper engine 2026-03-22 16:01:49 +00:00
github.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
github_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
google.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
html_helpers.go license: change from MIT to AGPLv3 2026-03-22 08:27:23 +00:00
http_mock_test.go feat: build Go-based SearXNG-compatible search service 2026-03-20 20:34:08 +01:00
planner.go feat: add Brave web search scraper engine 2026-03-22 16:01:49 +00:00
qwant.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
qwant_lite_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
qwant_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
reddit.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
reddit_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
wikipedia.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00
wikipedia_test.go chore: update Go module path to github.com/metamorphosis-dev/kafka 2026-03-21 19:42:01 +00:00
youtube.go security: harden against SAST findings (criticals through mediums) 2026-03-22 16:22:27 +00:00