security: LOW findings + fix .gitignore overmatch
- Swagger UI restricted to localhost only - Message content length limit (4000 chars max) on create + update - Bot/server/webhook ownership checks return 404 instead of 403 (prevents resource ID enumeration) - Fix .gitignore: /server instead of server to stop ignoring internal/server/ directory
This commit is contained in:
@@ -310,7 +310,7 @@ func (h *CommandHandler) verifyBotOwnership(r *http.Request, userID, botID strin
|
||||
return err
|
||||
}
|
||||
if ownerID != userID {
|
||||
return errForbidden
|
||||
return errNotFound
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
@@ -216,7 +216,7 @@ func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if b.OwnerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
if avatar.Valid {
|
||||
@@ -264,7 +264,7 @@ func (h *Handler) Update(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if ownerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -335,7 +335,7 @@ func (h *Handler) Delete(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if ownerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -385,7 +385,7 @@ func (h *Handler) AddToServer(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if ownerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -464,7 +464,7 @@ func (h *Handler) RemoveFromServer(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if ownerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
|
||||
@@ -518,7 +518,7 @@ func (h *Handler) RegenerateToken(w http.ResponseWriter, r *http.Request) {
|
||||
return
|
||||
}
|
||||
if ownerID != userID {
|
||||
writeErr(w, http.StatusForbidden, "forbidden")
|
||||
writeErr(w, http.StatusNotFound, "bot not found")
|
||||
return
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user