fix: security hardening for middleware, crypto, and backup handlers

- Remove CORS origin reflection (SEC-C1 CRITICAL)
- Add Content-Security-Policy header (SEC-H2)
- Fix rate limiter memory leak with periodic stale IP cleanup (SEC-H5)
- Enforce minimum 32-char ENCRYPTION_KEY (SEC-H4)
- Validate backup type against allowlist (SEC-M6)
- Fix backup download path traversal with path containment check (SEC-C2 CRITICAL)
2026-04-04 12:40:37 +03:00
parent c6693a2ef5
commit ff59d9f799
4 changed files with 69 additions and 17 deletions
@@ -28,6 +28,9 @@ func KeyFromEnv() ([32]byte, error) {
if raw == "" {
return [32]byte{}, ErrNoKey
}
if len(raw) < 32 {
return [32]byte{}, fmt.Errorf("ENCRYPTION_KEY must be at least 32 characters long (got %d)", len(raw))
}
return DeriveKey(raw), nil
}
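Review bot: the added `len(raw) < 32` check counts bytes, not characters, yet the error text says "characters", so for a key containing multi-byte UTF-8 the reported `got %d` will not match what the operator sees. Either word the message in bytes or count with `utf8.RuneCountInString(raw)`. A length floor also says nothing about how random the value is (32 repeated characters pass), so the doc comment on `KeyFromEnv` should state that the value is expected to be randomly generated. Pulling `32` into a named constant would keep the check and the message from drifting apart.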