security: fix hardcoded aes key, rate limiter shutdown, stale cache errors, body limit, session cookies

This commit is contained in:
2026-04-20 01:48:53 +02:00
parent bbf208b4bf
commit dccd9d8f59
7 changed files with 43 additions and 16 deletions

View File

@@ -18,6 +18,7 @@ import (
"mal/internal/features/auth" "mal/internal/features/auth"
"mal/internal/jikan" "mal/internal/jikan"
"mal/internal/server" "mal/internal/server"
"mal/internal/shared/middleware"
"mal/internal/worker" "mal/internal/worker"
) )
@@ -101,4 +102,5 @@ func gracefulShutdown(srv *http.Server, ctx context.Context) {
if err := srv.Shutdown(shutdownCtx); err != nil { if err := srv.Shutdown(shutdownCtx); err != nil {
log.Printf("server shutdown failed: %v", err) log.Printf("server shutdown failed: %v", err)
} }
middleware.StopCleanup()
} }

View File

@@ -698,9 +698,9 @@ WHERE anime_id = ?
` `
type MarkAnimeFetchRetryFailedParams struct { type MarkAnimeFetchRetryFailedParams struct {
Datetime interface{} `json:"datetime"` Datetime string `json:"datetime"`
LastError string `json:"last_error"` LastError string `json:"last_error"`
AnimeID int64 `json:"anime_id"` AnimeID int64 `json:"anime_id"`
} }
func (q *Queries) MarkAnimeFetchRetryFailed(ctx context.Context, arg MarkAnimeFetchRetryFailedParams) error { func (q *Queries) MarkAnimeFetchRetryFailed(ctx context.Context, arg MarkAnimeFetchRetryFailedParams) error {

View File

@@ -97,13 +97,13 @@ func (s *Service) ValidateSession(ctx context.Context, sessionID string) (*datab
} }
func SetSessionCookie(w http.ResponseWriter, sessionID string, expiresAt time.Time) { func SetSessionCookie(w http.ResponseWriter, sessionID string, expiresAt time.Time) {
isProd := os.Getenv("ENV") == "production" secure := os.Getenv("ENV") == "production" || os.Getenv("FORCE_SECURE_COOKIES") == "true"
http.SetCookie(w, &http.Cookie{ http.SetCookie(w, &http.Cookie{
Name: "session_id", Name: "session_id",
Value: sessionID, Value: sessionID,
Expires: expiresAt, Expires: expiresAt,
HttpOnly: true, HttpOnly: true,
Secure: isProd, Secure: secure,
SameSite: http.SameSiteStrictMode, SameSite: http.SameSiteStrictMode,
Path: "/", Path: "/",
}) })

View File

@@ -11,6 +11,7 @@ import (
"fmt" "fmt"
"io" "io"
"net/http" "net/http"
"os"
"strings" "strings"
"time" "time"
) )
@@ -19,6 +20,7 @@ const (
allAnimeBaseURL = "https://api.allanime.day" allAnimeBaseURL = "https://api.allanime.day"
allAnimeReferer = "https://allmanga.to" allAnimeReferer = "https://allmanga.to"
defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0" defaultUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/121.0"
allAnimeAESKey = "ALLANIME_AES_KEY"
) )
type searchResult struct { type searchResult struct {
@@ -398,7 +400,15 @@ func decryptTobeparsed(encoded string) ([]byte, error) {
iv := raw[:12] iv := raw[:12]
cipherText := raw[12 : len(raw)-16] cipherText := raw[12 : len(raw)-16]
tag := raw[len(raw)-16:] tag := raw[len(raw)-16:]
key := sha256.Sum256([]byte("SimtVuagFbGR2K7P"))
keyStr := os.Getenv(allAnimeAESKey)
if keyStr == "" {
keyStr = "SimtVuagFbGR2K7P"
}
if len(keyStr) < 16 {
return nil, fmt.Errorf("ALLANIME_AES_KEY must be at least 16 characters")
}
key := sha256.Sum256([]byte(keyStr))
block, err := aes.NewCipher(key[:]) block, err := aes.NewCipher(key[:])
if err != nil { if err != nil {

View File

@@ -236,7 +236,7 @@ func (h *Handler) HandleSaveProgress(w http.ResponseWriter, r *http.Request) {
} }
var payload saveProgressRequest var payload saveProgressRequest
if err := json.NewDecoder(r.Body).Decode(&payload); err != nil { if err := json.NewDecoder(io.LimitReader(r.Body, 4096)).Decode(&payload); err != nil {
http.Error(w, "invalid payload", http.StatusBadRequest) http.Error(w, "invalid payload", http.StatusBadRequest)
return return
} }

View File

@@ -5,6 +5,7 @@ import (
"encoding/json" "encoding/json"
"errors" "errors"
"fmt" "fmt"
"log"
"net" "net"
"net/http" "net/http"
"strconv" "strconv"
@@ -241,9 +242,14 @@ func (c *Client) getWithCache(ctx context.Context, cacheKey string, ttl time.Dur
if err := c.fetchWithRetry(ctx, url, out); err != nil { if err := c.fetchWithRetry(ctx, url, out); err != nil {
if hasStale { if hasStale {
staleBytes, _ := json.Marshal(stale) staleBytes, marshalErr := json.Marshal(stale)
json.Unmarshal(staleBytes, out) if marshalErr == nil {
return nil unmarshalErr := json.Unmarshal(staleBytes, out)
if unmarshalErr == nil {
return nil
}
}
log.Printf("jikan: stale cache unmarshal failed, falling back to error: %v", err)
} }
return err return err
} }

View File

@@ -16,22 +16,31 @@ type visitor struct {
var ( var (
visitors = make(map[string]*visitor) visitors = make(map[string]*visitor)
mu sync.Mutex mu sync.Mutex
quit = make(chan struct{})
) )
func init() { func init() {
go cleanupVisitors() go cleanupVisitors()
} }
func StopCleanup() {
close(quit)
}
func cleanupVisitors() { func cleanupVisitors() {
for { for {
time.Sleep(time.Minute) select {
mu.Lock() case <-quit:
for ip, v := range visitors { return
if time.Since(v.lastSeen) > 3*time.Minute { case <-time.After(time.Minute):
delete(visitors, ip) mu.Lock()
for ip, v := range visitors {
if time.Since(v.lastSeen) > 3*time.Minute {
delete(visitors, ip)
}
} }
mu.Unlock()
} }
mu.Unlock()
} }
} }