fix(security): close XFF bypass and three secret-leak paths
Four fixes hardening the secrets and rate-limit posture a prior audit left or that regressed:

X-Forwarded-For rate-limit bypass + memory DoS (ratelimit.go): clientIP returned the raw XFF header, so an attacker rotating it minted unlimited distinct limiter keys — never tripping the limit and growing the visitors map without bound. XFF is now honored only when the immediate peer is a configured trusted proxy (UPTOP_TRUSTED_PROXIES, CIDRs or bare IPs), using the right-most non-trusted hop; otherwise the key is the real RemoteAddr. The visitors map is bounded with LRU eviction as defense in depth.

Export redaction denylist -> per-provider allowlist (server.go): the old six-key denylist missed the actual credentials — the webhook URL for discord/slack/webhook/ntfy/gotify and api_key for opsgenie — exporting them in the clear. redactByProvider keeps only known-safe keys per provider type and redacts everything else, so unknown/new keys fail safe.

ImportData plaintext secrets (sqlstore.go): import inserted raw json.Marshal(settings), bypassing the encryption AddAlert/UpdateAlert use. It now routes through marshalSettings, so a restore with UPTOP_ENCRYPTION_KEY set stores enc:-prefixed ciphertext, not plaintext.

Alert error credential leak (alert.go): provider Send returned the raw *url.Error, whose URL carries the secret (Telegram bot token in the path, webhook secrets in the URL); it was persisted to AlertHealth.LastError and shown in the TUI. sanitizeError strips the URL, keeping the operation and underlying cause.

Tests cover trusted/untrusted XFF + spoofed-bypass + map bound, the allowlist per provider, encrypted-on-import round-trip, and URL-stripped errors. README documents UPTOP_TRUSTED_PROXIES. Full suite green under -race; golangci-lint clean.
This commit was merged in pull request #100.
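The trusted-proxy rule the commit message describes for ratelimit.go, sketched as an added example (not uptop's own code): the header is read only when the immediate peer is trusted, and then the right-most non-trusted hop is used. The names `parseTrusted`, `isTrusted` and `clientAddr`, the comma/space separator and the sample addresses are assumptions; the LRU bound on the visitors map is not shown.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// parseTrusted reads CIDRs or bare IPs; comma/space separators are an assumption.
func parseTrusted(spec string) (out []netip.Prefix) {
	for _, f := range strings.FieldsFunc(spec, func(r rune) bool { return r == ',' || r == ' ' }) {
		if p, err := netip.ParsePrefix(f); err == nil {
			out = append(out, p.Masked())
		} else if a, err := netip.ParseAddr(f); err == nil {
			out = append(out, netip.PrefixFrom(a, a.BitLen())) // bare IP becomes /32 or /128
		} // anything unparseable is skipped, so a typo never widens trust
	}
	return out
}
func isTrusted(a netip.Addr, trusted []netip.Prefix) bool {
	for _, p := range trusted {
		if p.Contains(a) { // false for the zero (invalid) Addr
			return true
		}
	}
	return false
}
// clientAddr (hypothetical name) returns the address to key the rate limiter on.
func clientAddr(remoteAddr, xff string, trusted []netip.Prefix) netip.Addr {
	ap, _ := netip.ParseAddrPort(remoteAddr) // zero value if unparseable
	peer := ap.Addr().Unmap()                // ::ffff:a.b.c.d matches IPv4 prefixes
	if !isTrusted(peer, trusted) {
		return peer // direct or untrusted peer: the header is ignored entirely
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- { // walk from the hop nearest to us
		hop, err := netip.ParseAddr(strings.TrimSpace(hops[i]))
		if err != nil {
			break // malformed or empty hop: fall back to the peer address
		}
		if hop = hop.Unmap(); !isTrusted(hop, trusted) {
			return hop // first hop that our own proxies did not write
		}
	}
	return peer
}
func main() {
	// Constructed sample: trusted proxy 10.0.0.5 forwards a chain whose left-most entry is client-supplied.
	fmt.Println(clientAddr("10.0.0.5:4431", "203.0.113.9, 198.51.100.7, 10.0.0.9", parseTrusted("10.0.0.0/8, 192.0.2.10")))
}
```

Entries to the left of the returned hop are whatever the client sent, so they never influence the key.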
@@ -3,8 +3,11 @@ package alert
|
||||
import (
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"net/http"
|
||||
"net/http/httptest"
|
||||
"net/url"
|
||||
"strings"
|
||||
"testing"
|
||||
|
||||
"gitea.lerkolabs.com/lerkolabs/uptop/internal/models"
|
||||
@@ -298,3 +301,32 @@ func TestSanitizeHeader(t *testing.T) {
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
// sanitizeError must strip the credential-bearing URL from a *url.Error while
|
||||
// keeping the operation and underlying cause.
|
||||
func TestSanitizeError(t *testing.T) {
|
||||
urlErr := &url.Error{
|
||||
Op: "Post",
|
||||
URL: "https://api.telegram.org/bot123456:SECRET_TOKEN/sendMessage",
|
||||
Err: errors.New("dial tcp: connection refused"),
|
||||
}
|
||||
got := sanitizeError(urlErr).Error()
|
||||
|
||||
for _, leak := range []string{"SECRET_TOKEN", "api.telegram.org", "sendMessage", "bot123456"} {
|
||||
if strings.Contains(got, leak) {
|
||||
t.Errorf("sanitized error leaked %q: %s", leak, got)
|
||||
}
|
||||
}
|
||||
if !strings.Contains(got, "connection refused") {
|
||||
t.Errorf("expected underlying cause preserved, got: %s", got)
|
||||
}
|
||||
|
||||
// Non-url errors pass through unchanged.
|
||||
plain := errors.New("plain failure")
|
||||
if sanitizeError(plain).Error() != "plain failure" {
|
||||
t.Errorf("non-url error altered: %s", sanitizeError(plain))
|
||||
}
|
||||
if sanitizeError(nil) != nil {
|
||||
t.Error("nil should stay nil")
|
||||
}
|
||||
}
|
||||
|
||||
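Review bot: The comment above TestSanitizeError says the operation is kept along with the underlying cause, but only "connection refused" is asserted; add a check that got still contains the Op value ("Post") so a regression that drops it is caught. The input is also a bare *url.Error: add a case wrapped with fmt.Errorf("send: %w", urlErr), because a sanitizer that type-asserts instead of using errors.As would pass this test and still leak the token from a wrapped error.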