security: LOW findings + fix .gitignore overmatch
- Swagger UI restricted to localhost only - Message content length limit (4000 chars max) on create + update - Bot/server/webhook ownership checks return 404 instead of 403 (prevents resource ID enumeration) - Fix .gitignore: /server instead of server to stop ignoring internal/server/ directory
This commit is contained in:
+19
-4
@@ -223,10 +223,25 @@ func main() {
|
||||
webhook.NewHandler(database.DB, hub).Execute(w, r)
|
||||
})
|
||||
|
||||
// Swagger UI
|
||||
r.Get("/docs/*", httpSwagger.Handler(
|
||||
httpSwagger.URL("/docs/swagger.json"),
|
||||
))
|
||||
// Swagger UI (only accessible from localhost to avoid exposing API docs)
|
||||
r.Group(func(r chi.Router) {
|
||||
r.Use(func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
host := r.Host
|
||||
if host == "" {
|
||||
host = r.Header.Get("Host")
|
||||
}
|
||||
if host != "localhost:"+cfg.Port && host != "127.0.0.1:"+cfg.Port && host != "[::1]:"+cfg.Port {
|
||||
http.Error(w, `{"error":"not found"}`, http.StatusNotFound)
|
||||
return
|
||||
}
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
})
|
||||
r.Get("/docs/*", httpSwagger.Handler(
|
||||
httpSwagger.URL("/docs/swagger.json"),
|
||||
))
|
||||
})
|
||||
|
||||
// Static file serving for production (SPA)
|
||||
staticDir := "/srv/web"
|
||||
|
||||
Reference in New Issue
Block a user