Harden backend against critical and high security vulnerabilities
- Fix WebSocket CheckOrigin to use proper url.Parse instead of string stripping - Add admin auth checks to Users/User GraphQL queries - Remove GraphQL GET transport to prevent CSRF via cross-site links - Add application-level IP-based login rate limiting (5 attempts/min) - Add path traversal bounds check on radio file upload - Require DEV_MODE for GraphQL introspection and playground - Move notes backend endpoint behind admin middleware - Add dedicated Nginx rate limit zone for GraphQL (10r/s) Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -2,7 +2,7 @@ package services
|
||||
|
||||
import (
|
||||
"net/http"
|
||||
"strings"
|
||||
"net/url"
|
||||
"sync"
|
||||
"time"
|
||||
|
||||
@@ -24,11 +24,12 @@ var Upgrader = websocket.Upgrader{
|
||||
if origin == "" {
|
||||
return false
|
||||
}
|
||||
origin = strings.TrimPrefix(origin, "https://")
|
||||
origin = strings.TrimPrefix(origin, "http://")
|
||||
// Strip port for localhost comparisons (e.g. "localhost:80")
|
||||
host := strings.Split(origin, ":")[0]
|
||||
return origin == allowedDomain || origin == "www."+allowedDomain || host == "localhost"
|
||||
u, err := url.Parse(origin)
|
||||
if err != nil {
|
||||
return false
|
||||
}
|
||||
host := u.Hostname()
|
||||
return host == allowedDomain || host == "www."+allowedDomain || host == "localhost"
|
||||
},
|
||||
}
|
||||
|
||||
|
||||
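Review bot: The rewritten CheckOrigin still accepts any page served from localhost unconditionally (`host == "localhost"` on the new return line), so a local dev server or any other process listening on the user's loopback interface can open a cross-origin WebSocket to a production deployment with the browser's cookies attached; since this commit already gates introspection and the playground on DEV_MODE, the same flag should gate this branch, e.g. `return host == allowedDomain || host == "www."+allowedDomain || (host == "localhost" && <DEV_MODE flag, placeholder>)`. The comparison also ignores `u.Scheme`, so an `http://` origin for the allowed domain passes; if the site is served only over TLS, add `if u.Scheme != "https" && host != "localhost" { return false }` after the parse check (the old TrimPrefix code appears to have had the same gap, so this is hardening rather than a regression). The CheckOrigin closure begins before the hunk, so where origin and allowedDomain come from is not visible here.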