tiny-forge/internal/webhook/matcher.go
alexei.dolgolyov a4362b842d
Build / build (push) Successful in 11m42s
fix: harden security, fix concurrency bugs, and address review findings
Security:
- rate limit /api/webhook routes per-IP and cap concurrent site syncs
- global SSE connection cap (256) with new sse_gate
- validate ?tail= and cap JSON log responses at 4 MiB
- strip ANSI/CSI/OSC and control bytes from streamed log lines
- redact webhook secret from request log middleware
- scrub host details from /api/health for non-admin viewers
- drop container_id from /api/system/stats/top for non-admins
- generate webhook secrets via crypto/rand; require >=32 chars on insert
- verify iid path consistency in streamContainerLogs
- LimitReader on site webhook body; reject malformed non-empty bodies

Concurrency / correctness:
- stats collector: Stop() no longer hangs without Start(), semaphore
  acquired in parent loop so ctx cancellation short-circuits the queue,
  in-flight tick cancellable via shared base context, zero-ts guard
- webhook handler: replace fire-and-forget goroutine with WaitGroup-tracked
  workers + Drain() wired into graceful shutdown
- $derived(() => ...) mis-idiom fixed in ContainerStats / InstanceCard /
  ProjectCard (returned function instead of value)
- SystemResourcesCard: rename `window` and `t` locals to avoid shadowing
  globalThis.window and the i18n `t` import

Quality / performance:
- replace O(n^2) insertion sort with sort.Slice in stats top
- runMigrations only swallows duplicate-column / already-exists errors
- PruneStatsSamplesBefore wrapped in a transaction
- collapse N+1 in unusedImageStats / pruneImages to one ListAllInstances
  pass; surface DB errors instead of silently treating them as inactive
- run Docker Info + DiskUsage in parallel via errgroup
- container log SSE emits `: ping` heartbeat every 20 s
- imageMatches case-insensitive on registry host (RFC behaviour)
- log warning on invalid stage tag pattern instead of silent skip
- reject malformed non-empty site webhook payloads

Frontend / i18n:
- shared formatBytes utility replaces three local copies
- statsInterval store drives dynamic "no samples / collection disabled"
  copy across ContainerStats and SystemResourcesCard
- top consumers row now shows owner_name (project/stage or site name)
- drop seven `as any` casts on the Settings type; add cloudflare_api_token
  write-only field
- move "Service status", "Docker daemon", "Docker unreachable",
  "Proxy unreachable", "reachable", and "Docker daemon is not reachable."
  strings into en/ru i18n bundles
2026-05-07 00:56:14 +03:00

95 lines
2.5 KiB
Go

package webhook

import (
	"fmt"
	"log/slog"
	"path"
	"strings"

	"github.com/alexei/tinyforge/internal/store"
)

// matchStage finds the first stage of a project whose tag pattern matches the
// given tag. Uses path.Match for glob-style matching (same as the registry poller).
func matchStage(st *store.Store, projectID, tag string) (store.Stage, bool, error) {
	stages, err := st.GetStagesByProjectID(projectID)
	if err != nil {
		return store.Stage{}, false, fmt.Errorf("get stages: %w", err)
	}
	for _, stage := range stages {
		pattern := stage.TagPattern
		if pattern == "" {
			pattern = "*"
		}
		matched, err := path.Match(pattern, tag)
		if err != nil {
			slog.Warn("webhook: invalid tag pattern, skipping stage",
				"project", projectID, "stage", stage.Name, "pattern", pattern, "error", err)
			continue
		}
		if matched {
			return stage, true, nil
		}
	}
	return store.Stage{}, false, nil
}

// imageMatches reports whether an incoming image reference matches the
// project's stored image. The registry hostname is matched case-insensitively
// (per RFC: registry hostnames are case-insensitive); the path/owner/name are
// matched exactly.
func imageMatches(projectImage, incomingImage string) bool {
	if projectImage == incomingImage {
		return true
	}
	pIdx := strings.IndexByte(projectImage, '/')
	iIdx := strings.IndexByte(incomingImage, '/')
	if pIdx <= 0 || iIdx <= 0 {
		return false
	}
	pHost, pPath := projectImage[:pIdx], projectImage[pIdx:]
	iHost, iPath := incomingImage[:iIdx], incomingImage[iIdx:]
	return strings.EqualFold(pHost, iHost) && pPath == iPath
}

// siteRefMatches reports whether a Git ref (e.g. "refs/heads/main" or
// "refs/tags/v1.2.3") targets the site's configured branch or tag pattern.
//
// For sync_trigger = "push": the ref must be a heads/<branch> ref whose
// branch name equals site.Branch.
// For sync_trigger = "tag": the ref must be a tags/<tag> ref whose tag name
// matches site.TagPattern via glob semantics.
// Unknown triggers return false (caller should have filtered these out).
func siteRefMatches(site store.StaticSite, ref string) bool {
	switch site.SyncTrigger {
	case "push":
		branch, ok := strings.CutPrefix(ref, "refs/heads/")
		if !ok {
			return false
		}
		if site.Branch == "" {
			return true
		}
		return branch == site.Branch
	case "tag":
		tag, ok := strings.CutPrefix(ref, "refs/tags/")
		if !ok {
			return false
		}
		pattern := site.TagPattern
		if pattern == "" {
			pattern = "*"
		}
		matched, err := path.Match(pattern, tag)
		if err != nil {
			return false
		}
		return matched
	default:
		return false
	}
}
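Added example, not part of the tiny-forge file above: two checks a reviewer would want around the glob-based tag matching. `validateTagPattern` (hypothetical name) uses `path.Match` to reject a malformed pattern when a stage or site is saved, instead of the matcher logging "skipping stage" on every webhook; `matchingTags` (hypothetical name) applies the same "tag" rule to a batch of constructed refs and makes visible that `path.Match`'s `*` never crosses `/`, so the default `*` pattern does not match tags like `release/1.0`.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// validateTagPattern rejects a malformed glob (path.ErrBadPattern) at save
// time. Empty means "*", as in the matcher. Hypothetical helper.
func validateTagPattern(pattern string) error {
	if pattern == "" {
		return nil
	}
	// path.Match validates the whole pattern even on a mismatch, so "" suffices.
	if _, err := path.Match(pattern, ""); err != nil {
		return fmt.Errorf("tag pattern %q: %w", pattern, err)
	}
	return nil
}

// matchingTags applies the matcher's "tag" rule to pushed refs and returns the
// tag names that would trigger a sync. path.Match's '*' never crosses '/', so
// "*" excludes "release/1.0"; such tags need an explicit "release/*" pattern.
func matchingTags(pattern string, refs []string) ([]string, error) {
	if pattern == "" {
		pattern = "*"
	}
	var tags []string
	for _, ref := range refs {
		tag, ok := strings.CutPrefix(ref, "refs/tags/")
		if !ok {
			continue // branch pushes never satisfy sync_trigger = "tag"
		}
		matched, err := path.Match(pattern, tag)
		if err != nil {
			return nil, fmt.Errorf("tag pattern %q: %w", pattern, err)
		}
		if matched {
			tags = append(tags, tag)
		}
	}
	return tags, nil
}

func main() {
	tags, err := matchingTags("*", []string{"refs/tags/v1.2.3", "refs/tags/release/1.0"}) // constructed refs
	fmt.Println(tags, err, validateTagPattern("v["))
}
```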