fix: security hardening for middleware, crypto, and backup handlers
- Remove CORS origin reflection (SEC-C1 CRITICAL) - Add Content-Security-Policy header (SEC-H2) - Fix rate limiter memory leak with periodic stale IP cleanup (SEC-H5) - Enforce minimum 32-char ENCRYPTION_KEY (SEC-H4) - Validate backup type against allowlist (SEC-M6) - Fix backup download path traversal with path containment check (SEC-C2 CRITICAL)
+34
-15
@@ -45,23 +45,20 @@ func securityHeaders(next http.Handler) http.Handler {
|
||||
w.Header().Set("X-Content-Type-Options", "nosniff")
|
||||
w.Header().Set("X-Frame-Options", "DENY")
|
||||
w.Header().Set("Referrer-Policy", "strict-origin-when-cross-origin")
|
||||
w.Header().Set("Content-Security-Policy", "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; connect-src 'self'; font-src 'self'")
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
|
||||
// cors is an HTTP middleware that restricts CORS to same-origin requests.
|
||||
// The frontend is served from the same origin, so no wildcard is needed.
|
||||
// cors is an HTTP middleware that handles CORS for same-origin requests.
|
||||
// The frontend is served from the same origin, so cross-origin requests are not expected.
|
||||
func cors(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
origin := r.Header.Get("Origin")
|
||||
if origin != "" {
|
||||
// Only allow the same origin (frontend is served from the same host).
|
||||
w.Header().Set("Access-Control-Allow-Origin", origin)
|
||||
w.Header().Set("Vary", "Origin")
|
||||
w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
|
||||
w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
|
||||
w.Header().Set("Access-Control-Allow-Credentials", "true")
|
||||
}
|
||||
// The frontend is served from the same origin, so cross-origin
|
||||
// requests are not expected. We do NOT reflect the Origin header
|
||||
// back, as that would allow any website to make credentialed requests.
|
||||
// If cross-origin support is needed in the future, maintain an
|
||||
// explicit allowlist of trusted origins here.
|
||||
|
||||
if r.Method == http.MethodOptions {
|
||||
w.WriteHeader(http.StatusNoContent)
|
||||
@@ -84,12 +81,16 @@ func limitBody(next http.Handler) http.Handler {
|
||||
|
||||
// rateLimiter provides per-IP rate limiting for login endpoints.
|
||||
type rateLimiter struct {
|
||||
mu sync.Mutex
|
||||
attempts map[string][]time.Time
|
||||
mu sync.Mutex
|
||||
attempts map[string][]time.Time
|
||||
lastCleanup time.Time
|
||||
}
|
||||
|
||||
func newRateLimiter() *rateLimiter {
|
||||
return &rateLimiter{attempts: make(map[string][]time.Time)}
|
||||
return &rateLimiter{
|
||||
attempts: make(map[string][]time.Time),
|
||||
lastCleanup: time.Now(),
|
||||
}
|
||||
}
|
||||
|
||||
// allow checks if the IP is allowed to make another request.
|
||||
@@ -101,7 +102,25 @@ func (rl *rateLimiter) allow(ip string) bool {
|
||||
now := time.Now()
|
||||
window := now.Add(-1 * time.Minute)
|
||||
|
||||
// Clean old entries.
|
||||
// Periodically clean all stale IPs to prevent memory leak.
|
||||
if now.Sub(rl.lastCleanup) > 5*time.Minute {
|
||||
for k, times := range rl.attempts {
|
||||
filtered := times[:0]
|
||||
for _, t := range times {
|
||||
if t.After(window) {
|
||||
filtered = append(filtered, t)
|
||||
}
|
||||
}
|
||||
if len(filtered) == 0 {
|
||||
delete(rl.attempts, k)
|
||||
} else {
|
||||
rl.attempts[k] = filtered
|
||||
}
|
||||
}
|
||||
rl.lastCleanup = now
|
||||
}
|
||||
|
||||
// Clean old entries for this IP.
|
||||
filtered := rl.attempts[ip][:0]
|
||||
for _, t := range rl.attempts[ip] {
|
||||
if t.After(window) {
|
||||
|
||||
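Review bot: The Content-Security-Policy value added in securityHeaders leaves out the directives that do not fall back to `default-src`: `base-uri`, `form-action` and `frame-ancestors` are unset, so an injected `<base>` or `<form>` element is not constrained by this policy. Consider appending `; object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'` to the header value; `frame-ancestors 'none'` matches the `X-Frame-Options: DENY` already set two lines above. The `'unsafe-inline'` in `style-src` is presumably required by the frontend, and a one-line comment saying so would keep it from being copied into `script-src` later. The opening of securityHeaders is outside the hunk.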