security: fix hardcoded aes key, rate limiter shutdown, stale cache errors, body limit, session cookies
This commit is contained in:
@@ -18,6 +18,7 @@ import (
|
|||||||
"mal/internal/features/auth"
|
"mal/internal/features/auth"
|
||||||
"mal/internal/jikan"
|
"mal/internal/jikan"
|
||||||
"mal/internal/server"
|
"mal/internal/server"
|
||||||
|
"mal/internal/shared/middleware"
|
||||||
"mal/internal/worker"
|
"mal/internal/worker"
|
||||||
)
|
)
|
||||||
|
|
||||||
@@ -101,4 +102,5 @@ func gracefulShutdown(srv *http.Server, ctx context.Context) {
|
|||||||
if err := srv.Shutdown(shutdownCtx); err != nil {
|
if err := srv.Shutdown(shutdownCtx); err != nil {
|
||||||
log.Printf("server shutdown failed: %v", err)
|
log.Printf("server shutdown failed: %v", err)
|
||||||
}
|
}
|
||||||
|
middleware.StopCleanup()
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -698,7 +698,7 @@ WHERE anime_id = ?
|
|||||||
`
|
`
|
||||||
|
|
||||||
type MarkAnimeFetchRetryFailedParams struct {
|
type MarkAnimeFetchRetryFailedParams struct {
|
||||||
Datetime interface{} `json:"datetime"`
|
Datetime string `json:"datetime"`
|
||||||
LastError string `json:"last_error"`
|
LastError string `json:"last_error"`
|
||||||
AnimeID int64 `json:"anime_id"`
|
AnimeID int64 `json:"anime_id"`
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -97,13 +97,13 @@ func (s *Service) ValidateSession(ctx context.Context, sessionID string) (*datab
|
|||||||
}
|
}
|
||||||
|
|
||||||
func SetSessionCookie(w http.ResponseWriter, sessionID string, expiresAt time.Time) {
|
func SetSessionCookie(w http.ResponseWriter, sessionID string, expiresAt time.Time) {
|
||||||
isProd := os.Getenv("ENV") == "production"
|
secure := os.Getenv("ENV") == "production" || os.Getenv("FORCE_SECURE_COOKIES") == "true"
|
||||||
http.SetCookie(w, &http.Cookie{
|
http.SetCookie(w, &http.Cookie{
|
||||||
Name: "session_id",
|
Name: "session_id",
|
||||||
Value: sessionID,
|
Value: sessionID,
|
||||||
Expires: expiresAt,
|
Expires: expiresAt,
|
||||||
HttpOnly: true,
|
HttpOnly: true,
|
||||||
Secure: isProd,
|
Secure: secure,
|
||||||
SameSite: http.SameSiteStrictMode,
|
SameSite: http.SameSiteStrictMode,
|
||||||
Path: "/",
|
Path: "/",
|
||||||
})
|
})
|
||||||
|
|||||||
@@ -11,6 +11,7 @@ import (
|
|||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
|
"os"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
"time"
|
||||||
)
|
)
|
||||||
@@ -19,6 +20,7 @@ const (
|
|||||||
allAnimeBaseURL = "https://api.allanime.day"
|
allAnimeBaseURL = "https://api.allanime.day"
|
||||||
allAnimeReferer = "https://allmanga.to"
|
allAnimeReferer = "https://allmanga.to"
|
||||||
defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0"
|
defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0"
|
||||||
|
allAnimeAESKey = "ALLANIME_AES_KEY"
|
||||||
)
|
)
|
||||||
|
|
||||||
type searchResult struct {
|
type searchResult struct {
|
||||||
@@ -398,7 +400,15 @@ func decryptTobeparsed(encoded string) ([]byte, error) {
|
|||||||
iv := raw[:12]
|
iv := raw[:12]
|
||||||
cipherText := raw[12 : len(raw)-16]
|
cipherText := raw[12 : len(raw)-16]
|
||||||
tag := raw[len(raw)-16:]
|
tag := raw[len(raw)-16:]
|
||||||
key := sha256.Sum256([]byte("SimtVuagFbGR2K7P"))
|
|
||||||
|
keyStr := os.Getenv(allAnimeAESKey)
|
||||||
|
if keyStr == "" {
|
||||||
|
keyStr = "SimtVuagFbGR2K7P"
|
||||||
|
}
|
||||||
|
if len(keyStr) < 16 {
|
||||||
|
return nil, fmt.Errorf("ALLANIME_AES_KEY must be at least 16 characters")
|
||||||
|
}
|
||||||
|
key := sha256.Sum256([]byte(keyStr))
|
||||||
|
|
||||||
block, err := aes.NewCipher(key[:])
|
block, err := aes.NewCipher(key[:])
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
|||||||
@@ -236,7 +236,7 @@ func (h *Handler) HandleSaveProgress(w http.ResponseWriter, r *http.Request) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
var payload saveProgressRequest
|
var payload saveProgressRequest
|
||||||
if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
|
if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&payload); err != nil {
|
||||||
http.Error(w, "invalid payload", http.StatusBadRequest)
|
http.Error(w, "invalid payload", http.StatusBadRequest)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -5,6 +5,7 @@ import (
|
|||||||
"encoding/json"
|
"encoding/json"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"log"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
"strconv"
|
"strconv"
|
||||||
@@ -241,10 +242,15 @@ func (c *Client) getWithCache(ctx context.Context, cacheKey string, ttl time.Dur
|
|||||||
|
|
||||||
if err := c.fetchWithRetry(ctx, url, out); err != nil {
|
if err := c.fetchWithRetry(ctx, url, out); err != nil {
|
||||||
if hasStale {
|
if hasStale {
|
||||||
staleBytes, _ := json.Marshal(stale)
|
staleBytes, marshalErr := json.Marshal(stale)
|
||||||
json.Unmarshal(staleBytes, out)
|
if marshalErr == nil {
|
||||||
|
unmarshalErr := json.Unmarshal(staleBytes, out)
|
||||||
|
if unmarshalErr == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
log.Printf("jikan: stale cache unmarshal failed, falling back to error: %v", err)
|
||||||
|
}
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@@ -16,15 +16,23 @@ type visitor struct {
|
|||||||
var (
|
var (
|
||||||
visitors = make(map[string]*visitor)
|
visitors = make(map[string]*visitor)
|
||||||
mu sync.Mutex
|
mu sync.Mutex
|
||||||
|
quit = make(chan struct{})
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
go cleanupVisitors()
|
go cleanupVisitors()
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func StopCleanup() {
|
||||||
|
close(quit)
|
||||||
|
}
|
||||||
|
|
||||||
func cleanupVisitors() {
|
func cleanupVisitors() {
|
||||||
for {
|
for {
|
||||||
time.Sleep(time.Minute)
|
select {
|
||||||
|
case <-quit:
|
||||||
|
return
|
||||||
|
case <-time.After(time.Minute):
|
||||||
mu.Lock()
|
mu.Lock()
|
||||||
for ip, v := range visitors {
|
for ip, v := range visitors {
|
||||||
if time.Since(v.lastSeen) > 3*time.Minute {
|
if time.Since(v.lastSeen) > 3*time.Minute {
|
||||||
@@ -33,6 +41,7 @@ func cleanupVisitors() {
|
|||||||
}
|
}
|
||||||
mu.Unlock()
|
mu.Unlock()
|
||||||
}
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func getIP(r *http.Request) string {
|
func getIP(r *http.Request) string {
|
||||||
|
|||||||
Reference in New Issue
Block a user