7690f07a2b
Comprehensive security hardening from audit findings: - Add validation tags to all DTO request structs (max lengths, ranges, enums) - Replace unsafe type assertions with MustGetAuthUser helper across all handlers - Remove query-param token auth from admin middleware (prevents URL token leakage) - Add request validation calls in handlers that were missing c.Validate() - Remove goroutines in handlers (timezone update now synchronous) - Add sanitize middleware and path traversal protection (path_utils) - Stop resetting admin passwords on migration restart - Warn on well-known default SECRET_KEY - Add ~30 new test files covering security regressions, auth safety, repos, and services - Add deploy/ config, audit digests, and AUDIT_FINDINGS documentation Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
49 lines
2.6 KiB
Markdown
49 lines
2.6 KiB
Markdown
# Digest 4: dto/responses (remaining), echohelpers, handlers (first half)
|
|
|
|
### dto/responses/residence.go (215 lines) - NewResidenceResponse no nil check on param. Owner zero-value if not preloaded.
|
|
### dto/responses/task_template.go (135 lines) - No nil check on template param
|
|
### dto/responses/task.go (399 lines) - No nil checks on params in factory functions
|
|
### dto/responses/user.go (20 lines) - Clean data types
|
|
### echohelpers/helpers.go (46 lines) - Clean utilities
|
|
### echohelpers/pagination.go (33 lines) - Clean, properly bounded
|
|
|
|
### handlers/auth_handler.go (379 lines)
|
|
- **ARCHITECTURE**: Lines 83, 178, 207, 241, 329, 370: SIX goroutine spawns for email — violates "no goroutines in handlers" rule
|
|
- Line 308-312: AppError constructed directly instead of factory function
|
|
|
|
### handlers/contractor_handler.go (154 lines)
|
|
- Line 28+: Unchecked type assertions throughout (7 instances)
|
|
- Line 31: Raw err.Error() returned to client
|
|
- Line 55: CreateContractor missing c.Validate() call
|
|
|
|
### handlers/document_handler.go (336 lines)
|
|
- Line 37+: Unchecked type assertions (10 instances)
|
|
- Line 92-93: Raw error leaked to client
|
|
- Line 137: No DocumentType validation — any string accepted
|
|
- Lines 187, 217: Missing c.Validate() calls
|
|
|
|
### handlers/media_handler.go (172 lines)
|
|
- **SECURITY**: Line 156-171: resolveFilePath uses filepath.Join with user-influenced data — PATH TRAVERSAL vulnerability. TrimPrefix doesn't sanitize ../
|
|
- Line 19-22: Handler accesses repositories directly, bypasses service layer
|
|
|
|
### handlers/notification_handler.go (200 lines)
|
|
- Line 29-40: No upper bound on limit — unbounded query with limit=999999999
|
|
- Line 168: Silent default to "ios" platform
|
|
|
|
### handlers/residence_handler.go (365 lines)
|
|
- Line 38+: Unchecked type assertions (14 instances)
|
|
- Lines 187, 209, 303: Bind errors silently discarded
|
|
- Line 224: JoinWithCode missing c.Validate()
|
|
|
|
### handlers/static_data_handler.go (152 lines) - Uses interface{} instead of concrete types
|
|
### handlers/subscription_handler.go (176 lines) - Lines 97, 150: Missing c.Validate() calls
|
|
- Line 159-163: RestoreSubscription doesn't validate receipt/transaction ID presence
|
|
|
|
### handlers/subscription_webhook_handler.go (821 lines)
|
|
- **SECURITY**: Line 190-192: Apple JWS payload decoded WITHOUT signature verification
|
|
- **SECURITY**: Line 787-793: VerifyGooglePubSubToken ALWAYS returns true — webhook unauthenticated
|
|
- Line 639-643: Subscription duration guessed by string matching product ID
|
|
- Line 657, 694: Hardcoded 1-month extension regardless of actual plan
|
|
- Line 759, 772: Unchecked type assertions in VerifyAppleSignature
|
|
- Line 162: Apple renewal info error silently discarded
|