Franz Kafka
da367a1bfd
Critical: - Validate baseURL/sourceURL/upstreamURL at config load time (prevents XML injection, XSS, SSRF via config/env manipulation) - Use xml.Escape for OpenSearch XML template interpolation High: - Add security headers middleware (CSP, X-Frame-Options, HSTS, etc.) - Sanitize result URLs to reject javascript:/data: schemes - Sanitize infobox img_src against dangerous URL schemes - Default CORS to deny-all (was wildcard *) Medium: - Rate limiter: X-Forwarded-For only trusted from configured proxies - Validate engine names against known registry allowlist - Add 1024-char max query length - Sanitize upstream error messages (strip raw response bodies) - Upstream client validates URL scheme (http/https only) Test updates: - Update extractIP tests for new trusted proxy behavior |
||
|---|---|---|
| .. | ||
| cors.go | ||
| cors_test.go | ||
| ratelimit.go | ||
| ratelimit_burst_test.go | ||
| ratelimit_global.go | ||
| ratelimit_global_test.go | ||
| ratelimit_test.go | ||
| security.go | ||