security: harden against SAST findings (criticals through mediums)
Critical: - Validate baseURL/sourceURL/upstreamURL at config load time (prevents XML injection, XSS, SSRF via config/env manipulation) - Use xml.Escape for OpenSearch XML template interpolation High: - Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.) - Sanitize result URLs to reject javascript:/data: schemes - Sanitize infobox img_src against dangerous URL schemes - Default CORS to deny-all (was wildcard *) Medium: - Rate limiter: X-Forwarded-For only trusted from configured proxies - Validate engine names against known registry allowlist - Add 1024-char max query length - Sanitize upstream error messages (strip raw response bodies) - Upstream client validates URL scheme (http/https only) Test updates: - Update extractIP tests for new trusted proxy behavior
This commit is contained in:
parent
4b0cde91ed
commit
da367a1bfd
23 changed files with 399 additions and 41 deletions
|
|
@ -18,11 +18,13 @@ package config
|
|||
|
||||
import (
|
||||
"fmt"
|
||||
"log"
|
||||
"os"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/BurntSushi/toml"
|
||||
"github.com/metamorphosis-dev/kafka/internal/util"
|
||||
)
|
||||
|
||||
// Config is the top-level configuration for the kafka service.
|
||||
|
|
@ -77,6 +79,7 @@ type RateLimitConfig struct {
|
|||
Requests int `toml:"requests"` // Max requests per window (default: 30)
|
||||
Window string `toml:"window"` // Time window (e.g. "1m", default: "1m")
|
||||
CleanupInterval string `toml:"cleanup_interval"` // Stale entry cleanup interval (default: "5m")
|
||||
TrustedProxies []string `toml:"trusted_proxies"` // CIDRs allowed to set X-Forwarded-For
|
||||
}
|
||||
|
||||
// GlobalRateLimitConfig holds server-wide rate limiting settings.
|
||||
|
|
@ -120,9 +123,35 @@ func Load(path string) (*Config, error) {
|
|||
}
|
||||
|
||||
applyEnvOverrides(cfg)
|
||||
|
||||
if err := validateConfig(cfg); err != nil {
|
||||
return nil, fmt.Errorf("invalid configuration: %w", err)
|
||||
}
|
||||
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
// validateConfig checks security-critical config values at startup.
|
||||
func validateConfig(cfg *Config) error {
|
||||
if cfg.Server.BaseURL != "" {
|
||||
if err := util.ValidatePublicURL(cfg.Server.BaseURL); err != nil {
|
||||
return fmt.Errorf("server.base_url: %w", err)
|
||||
}
|
||||
}
|
||||
if cfg.Server.SourceURL != "" {
|
||||
if err := util.ValidatePublicURL(cfg.Server.SourceURL); err != nil {
|
||||
return fmt.Errorf("server.source_url: %w", err)
|
||||
}
|
||||
}
|
||||
if cfg.Upstream.URL != "" {
|
||||
if err := util.ValidatePublicURL(cfg.Upstream.URL); err != nil {
|
||||
return fmt.Errorf("upstream.url: %w", err)
|
||||
}
|
||||
log.Printf("WARNING: upstream.url SSRF protection is enabled; ensure the upstream host is not on a private network")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func defaultConfig() *Config {
|
||||
return &Config{
|
||||
Server: ServerConfig{
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue