security: fix hardcoded aes key, rate limiter shutdown, stale cache errors, body limit, session cookies

This commit is contained in:
2026-04-20 01:48:53 +02:00
parent bbf208b4bf
commit dccd9d8f59
7 changed files with 43 additions and 16 deletions


@@ -97,13 +97,13 @@ func (s *Service) ValidateSession(ctx context.Context, sessionID string) (*datab
}
func SetSessionCookie(w http.ResponseWriter, sessionID string, expiresAt time.Time) {
isProd := os.Getenv("ENV") == "production"
secure := os.Getenv("ENV") == "production" || os.Getenv("FORCE_SECURE_COOKIES") == "true"
http.SetCookie(w, &http.Cookie{
Name: "session_id",
Value: sessionID,
Expires: expiresAt,
HttpOnly: true,
Secure: isProd,
Secure: secure,
SameSite: http.SameSiteStrictMode,
Path: "/",
})
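Review bot: SetSessionCookie has no doc comment, and the environment contract it now depends on (ENV=production, FORCE_SECURE_COOKIES=true) is only discoverable by reading the body; a comment such as `// SetSessionCookie writes the session_id cookie. Secure is set when ENV is "production" or FORCE_SECURE_COOKIES is "true", so plain-HTTP local development can opt out.` makes the override an intentional part of the interface. The exact comparison against "true" rejects "1" and "TRUE"; if the looser spellings are wanted, `strconv.ParseBool(os.Getenv("FORCE_SECURE_COOKIES"))` accepts them. Both variables are re-read on every call, which is harmless but could be resolved once at startup and passed in as configuration. The function's closing brace lies outside the hunk.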


@@ -11,6 +11,7 @@ import (
"fmt"
"io"
"net/http"
"os"
"strings"
"time"
)
@@ -19,6 +20,7 @@ const (
allAnimeBaseURL = "https://api.allanime.day"
allAnimeReferer = "https://allmanga.to"
defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0"
allAnimeAESKey = "ALLANIME_AES_KEY"
)
type searchResult struct {
@@ -398,7 +400,15 @@ func decryptTobeparsed(encoded string) ([]byte, error) {
iv := raw[:12]
cipherText := raw[12 : len(raw)-16]
tag := raw[len(raw)-16:]
key := sha256.Sum256([]byte("SimtVuagFbGR2K7P"))
keyStr := os.Getenv(allAnimeAESKey)
if keyStr == "" {
keyStr = "SimtVuagFbGR2K7P"
}
if len(keyStr) < 16 {
return nil, fmt.Errorf("ALLANIME_AES_KEY must be at least 16 characters")
}
key := sha256.Sum256([]byte(keyStr))
block, err := aes.NewCipher(key[:])
if err != nil {
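Review bot: The fallback `keyStr = "SimtVuagFbGR2K7P"` keeps the literal key compiled into the binary, so this hunk adds an override rather than removing the hardcoded key; if removal is the intent, the empty case should fail instead, e.g. `if keyStr == "" { return nil, errors.New("ALLANIME_AES_KEY is not set") }`. If the value is a fixed protocol constant of the upstream service rather than a secret, the fallback is reasonable, but then the const declaration deserves a comment saying so and the commit title overstates the change. The 16-character minimum is arbitrary given the value is passed through sha256.Sum256 before use; either comment why 16 or drop the check. `fmt.Errorf` with no verbs reads better as `errors.New`. decryptTobeparsed begins before the hunk, so whether len(raw) is checked to be at least 28 before the three slicing lines is not visible here.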


@@ -236,7 +236,7 @@ func (h *Handler) HandleSaveProgress(w http.ResponseWriter, r *http.Request) {
}
var payload saveProgressRequest
if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&payload); err != nil {
http.Error(w, "invalid payload", http.StatusBadRequest)
return
}
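Review bot: `io.LimitReader` on the Decode line silently truncates an oversized body, so a client sending more than 4096 bytes gets the generic "invalid payload" 400 and the unread remainder stays on the connection. `http.MaxBytesReader(w, r.Body, 4096)` is the net/http idiom for this limit: it also marks the connection to be closed and returns a `*http.MaxBytesError` that `errors.As` can map to a 413, e.g. `if err := json.NewDecoder(http.MaxBytesReader(w, r.Body, 4096)).Decode(&payload); err != nil {`. The bare 4096 is better named as a package constant with a comment on why that bound fits a saveProgressRequest. HandleSaveProgress begins and ends outside the hunk.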