security: harden against SAST findings (criticals through mediums)
Critical: - Validate baseURL/sourceURL/upstreamURL at config load time (prevents XML injection, XSS, SSRF via config/env manipulation) - Use xml.Escape for OpenSearch XML template interpolation High: - Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.) - Sanitize result URLs to reject javascript:/data: schemes - Sanitize infobox img_src against dangerous URL schemes - Default CORS to deny-all (was wildcard *) Medium: - Rate limiter: X-Forwarded-For only trusted from configured proxies - Validate engine names against known registry allowlist - Add 1024-char max query length - Sanitize upstream error messages (strip raw response bodies) - Upstream client validates URL scheme (http/https only) Test updates: - Update extractIP tests for new trusted proxy behavior
This commit is contained in:
parent
4b0cde91ed
commit
da367a1bfd
23 changed files with 399 additions and 41 deletions
|
|
@ -18,6 +18,7 @@ package views
|
|||
|
||||
import (
|
||||
"embed"
|
||||
"encoding/xml"
|
||||
"html/template"
|
||||
"io/fs"
|
||||
"net/http"
|
||||
|
|
@ -25,6 +26,7 @@ import (
|
|||
"strings"
|
||||
|
||||
"github.com/metamorphosis-dev/kafka/internal/contracts"
|
||||
"github.com/metamorphosis-dev/kafka/internal/util"
|
||||
)
|
||||
|
||||
//go:embed all:templates
|
||||
|
|
@ -122,15 +124,20 @@ func StaticFS() (fs.FS, error) {
|
|||
return fs.Sub(staticFS, "static")
|
||||
}
|
||||
|
||||
// OpenSearchXML returns the OpenSearch description XML with {baseUrl}
|
||||
// replaced by the provided base URL.
|
||||
// OpenSearchXML returns the OpenSearch description XML with the base URL
|
||||
// safely embedded via xml.EscapeText (no raw string interpolation).
|
||||
func OpenSearchXML(baseURL string) ([]byte, error) {
|
||||
tmplFS, _ := fs.Sub(templatesFS, "templates")
|
||||
data, err := fs.ReadFile(tmplFS, "opensearch.xml")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
result := strings.ReplaceAll(string(data), "{baseUrl}", baseURL)
|
||||
|
||||
var buf strings.Builder
|
||||
xml.Escape(&buf, []byte(baseURL))
|
||||
escapedBaseURL := buf.String()
|
||||
|
||||
result := strings.ReplaceAll(string(data), "{baseUrl}", escapedBaseURL)
|
||||
return []byte(result), nil
|
||||
}
|
||||
|
||||
|
|
@ -190,6 +197,12 @@ func FromResponse(resp contracts.SearchResponse, query string, pageno int, activ
|
|||
if r.Template == "videos" {
|
||||
tmplName = "video_item"
|
||||
}
|
||||
// Sanitize URLs to prevent javascript:/data: scheme injection.
|
||||
if r.URL != nil {
|
||||
safe := util.SanitizeResultURL(*r.URL)
|
||||
r.URL = &safe
|
||||
}
|
||||
r.Thumbnail = util.SanitizeResultURL(r.Thumbnail)
|
||||
pd.Results[i] = ResultView{MainResult: r, TemplateName: tmplName}
|
||||
}
|
||||
|
||||
|
|
@ -213,7 +226,7 @@ func FromResponse(resp contracts.SearchResponse, query string, pageno int, activ
|
|||
iv.Title = v
|
||||
}
|
||||
if v, ok := ib["img_src"].(string); ok {
|
||||
iv.ImgSrc = v
|
||||
iv.ImgSrc = util.SanitizeResultURL(v)
|
||||
}
|
||||
if iv.Title != "" || iv.Content != "" {
|
||||
pd.Infoboxes = append(pd.Infoboxes, iv)
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue