admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden API security: input validation, safe auth extraction, new tests, and deploy config

Browse Source 
Comprehensive security hardening from audit findings:
- Add validation tags to all DTO request structs (max lengths, ranges, enums)
- Replace unsafe type assertions with MustGetAuthUser helper across all handlers
- Remove query-param token auth from admin middleware (prevents URL token leakage)
- Add request validation calls in handlers that were missing c.Validate()
- Remove goroutines in handlers (timezone update now synchronous)
- Add sanitize middleware and path traversal protection (path_utils)
- Stop resetting admin passwords on migration restart
- Warn on well-known default SECRET_KEY
- Add ~30 new test files covering security regressions, auth safety, repos, and services
- Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Trey t
2026-03-02 09:48:01 -06:00
parent 56d6fa4514
commit 7690f07a2b
123 changed files with 8321 additions and 750 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
internal/services/storage_service.go
View File

@@ -72,7 +72,7 @@ func (s *StorageService) Upload(file *multipart.FileHeader, category string) (*U
if ext == "" {
ext = s.getExtensionFromMimeType(mimeType)
}
newFilename := fmt.Sprintf("%s_%s%s", time.Now().Format("20060102"), uuid.New().String()[:8], ext)
newFilename := fmt.Sprintf("%s_%s%s", time.Now().Format("20060102"), uuid.New().String(), ext)
// Determine subdirectory based on category
subdir := "images"
@@ -134,9 +134,15 @@ func (s *StorageService) Delete(fileURL string) error {
fullPath := filepath.Join(s.cfg.UploadDir, relativePath)
// Security check: ensure path is within upload directory
absUploadDir, _ := filepath.Abs(s.cfg.UploadDir)
absFilePath, _ := filepath.Abs(fullPath)
if !strings.HasPrefix(absFilePath, absUploadDir) {
absUploadDir, err := filepath.Abs(s.cfg.UploadDir)
if err != nil {
return fmt.Errorf("failed to resolve upload directory: %w", err)
}
absFilePath, err := filepath.Abs(fullPath)
if err != nil {
return fmt.Errorf("failed to resolve file path: %w", err)
}
if !strings.HasPrefix(absFilePath, absUploadDir+string(filepath.Separator)) && absFilePath != absUploadDir {
return fmt.Errorf("invalid file path")
}
@@ -181,3 +187,9 @@ func (s *StorageService) getExtensionFromMimeType(mimeType string) string {
func (s *StorageService) GetUploadDir() string {
return s.cfg.UploadDir
}
// NewStorageServiceForTest creates a StorageService without creating directories.
// This is intended only for unit tests that need a StorageService with a known config.
func NewStorageServiceForTest(cfg *config.StorageConfig) *StorageService {
return &StorageService{cfg: cfg}
}