Commit 86f26244 authored by Kevin Lyda's avatar Kevin Lyda

Address some more security issues

Add some more security scanners.  Add rate limiting.  Add folder access
checks in DIR and other places.  Sanitise posts when they're created
for both bulletin and mail.
parent 30110bed
+4 −2
@@ -87,15 +87,17 @@ vet:
	@echo "go vet passed"

lint:
	@echo "Running staticcheck..."
	@echo "Running linters..."
	go tool staticcheck ./...
	@echo "staticcheck passed"
	go tool ineffassign ./...
	@echo "linters passed"

sec: security

security:
	@echo "Running security checks with gosec..."
	go tool gosec -exclude-dir=internal/gen -quiet ./...
	go tool govulncheck ./...
	@echo "Security checks passed"

check: fmt vet lint sec test
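Review bot: The `-exclude-dir=internal/gen` on the gosec line carves a whole directory out of the scan with nothing recording why, so the blind spot is easy to forget once hand-written code lands under that path. A comment above it such as `# internal/gen is generated code (presumably sqlc output, given the sqlc tool entry); gosec findings there are not actionable` would make the exclusion deliberate and reviewable. The `security` target otherwise reads well: make stops on the first failing tool, so the final echo only prints when both gosec and govulncheck pass.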
+12 −1
@@ -69,7 +69,18 @@ func CreateFolder(login string, options storage.CreateFolderParams) error {
// ListFolder provides a list of folders that this.User has access to.
func ListFolder() ([]storage.ListFolderRow, error) {
	ctx := storage.Context()
	rows, err := this.Q.ListFolder(ctx)
	if this.User.Admin == 1 {
		allRows, err := this.Q.ListFolderAll(ctx)
		if err != nil {
			return []storage.ListFolderRow{}, err
		}
		rows := make([]storage.ListFolderRow, len(allRows))
		for i, r := range allRows {
			rows[i] = storage.ListFolderRow(r)
		}
		return rows, nil
	}
	rows, err := this.Q.ListFolder(ctx, this.User.Login, this.User.Login)
	if err != nil {
		return []storage.ListFolderRow{}, err
	}
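Review bot: Both new error paths return a non-nil empty slice alongside the error (`return []storage.ListFolderRow{}, err` in the admin branch and after the per-user query); Go convention is `return nil, err` so a caller that ignores the error cannot mistake the empty result for a valid listing. The admin gate `this.User.Admin == 1` compares against a bare magic value; a named constant or an `IsAdmin` helper, if the this package has one, would document what 1 means and keep the check consistent with other access checks this commit adds. The non-admin query now scopes the listing to `this.User.Login`, which is the intended fix and is not re-raised here. ListFolder's body continues past the end of the hunk.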
+3 −0
@@ -7,6 +7,7 @@ import (
	"time"
	"unsafe"

	"git.lyda.ie/pp/bulletin/pager"
	"git.lyda.ie/pp/bulletin/storage"
	"git.lyda.ie/pp/bulletin/this"
)
@@ -30,6 +31,8 @@ func ValidateMessageSize(subject, message string) error {

// CreateMessage creates a new message.
func CreateMessage(author, subject, message, folder string, permanent, system, shutdown int, expiration *time.Time) error {
	subject = pager.SanitizeText(subject)
	message = pager.SanitizeText(message)
	if err := ValidateMessageSize(subject, message); err != nil {
		return err
	}
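Review bot: The two added `pager.SanitizeText` calls run before `ValidateMessageSize`, so the size limits apply to the sanitised text rather than the raw input, which is the right order but is not stated anywhere; a doc line on CreateMessage such as `// Subject and message are passed through pager.SanitizeText before size validation, so callers need not pre-clean them.` would record the contract for other call sites. If SanitizeText does not strip line breaks, a subject containing them could still reach storage as a multi-line value, so it is worth confirming what the helper removes for the single-line subject field. CreateMessage's body continues past the end of the hunk.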
+6 −0
@@ -16,6 +16,7 @@ require (
	golang.org/x/crypto v0.48.0
	golang.org/x/sys v0.41.0
	golang.org/x/term v0.40.0
	golang.org/x/time v0.12.0
	modernc.org/sqlite v1.46.0
)

@@ -52,6 +53,7 @@ require (
	github.com/googleapis/enterprise-certificate-proxy v0.3.6 // indirect
	github.com/googleapis/gax-go/v2 v2.15.0 // indirect
	github.com/gookit/color v1.6.0 // indirect
	github.com/gordonklaus/ineffassign v0.2.0 // indirect
	github.com/gorilla/websocket v1.5.3 // indirect
	github.com/hashicorp/errwrap v1.1.0 // indirect
	github.com/hashicorp/go-multierror v1.1.1 // indirect
@@ -106,8 +108,10 @@ require (
	golang.org/x/net v0.50.0 // indirect
	golang.org/x/pkgsite v0.0.0-20260212172942-ce44214c045b // indirect
	golang.org/x/sync v0.19.0 // indirect
	golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 // indirect
	golang.org/x/text v0.34.0 // indirect
	golang.org/x/tools v0.42.0 // indirect
	golang.org/x/vuln v1.1.4 // indirect
	google.golang.org/genai v1.45.0 // indirect
	google.golang.org/genproto/googleapis/api v0.0.0-20250818200422-3122310a409c // indirect
	google.golang.org/genproto/googleapis/rpc v0.0.0-20250818200422-3122310a409c // indirect
@@ -125,10 +129,12 @@ require (
)

tool (
	github.com/gordonklaus/ineffassign
	github.com/mibk/dupl
	github.com/securego/gosec/v2/cmd/gosec
	github.com/sqlc-dev/sqlc/cmd/sqlc
	golang.org/x/pkgsite/cmd/pkgsite
	golang.org/x/vuln/cmd/govulncheck
	gotest.tools/gotestsum
	honnef.co/go/tools/cmd/staticcheck
)
+8 −0
@@ -110,6 +110,8 @@ github.com/googleapis/gax-go/v2 v2.15.0 h1:SyjDc1mGgZU5LncH8gimWo9lW1DtIfPibOG81
github.com/googleapis/gax-go/v2 v2.15.0/go.mod h1:zVVkkxAQHa1RQpg9z2AUCMnKhi0Qld9rcmyfL1OZhoc=
github.com/gookit/color v1.6.0 h1:JjJXBTk1ETNyqyilJhkTXJYYigHG24TM9Xa2M1xAhRA=
github.com/gookit/color v1.6.0/go.mod h1:9ACFc7/1IpHGBW8RwuDm/0YEnhg3dwwXpoMsmtyHfjs=
github.com/gordonklaus/ineffassign v0.2.0 h1:Uths4KnmwxNJNzq87fwQQDDnbNb7De00VOk9Nu0TySs=
github.com/gordonklaus/ineffassign v0.2.0/go.mod h1:TIpymnagPSexySzs7F9FnO1XFTy8IT3a59vmZp5Y9Lw=
github.com/gorilla/websocket v1.5.3 h1:saDtZ6Pbx/0u+bgYQ3q96pZgCzfhKXGPqt7kZ72aNNg=
github.com/gorilla/websocket v1.5.3/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
@@ -372,6 +374,8 @@ golang.org/x/sys v0.39.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/sys v0.41.0 h1:Ivj+2Cp/ylzLiEU89QhWblYnOE9zerudt9Ftecq2C6k=
golang.org/x/sys v0.41.0/go.mod h1:OgkHotnGiDImocRcuBABYBEXf8A9a87e/uXjp9XT3ks=
golang.org/x/telemetry v0.0.0-20240228155512-f48c80bd79b2/go.mod h1:TeRTkGYfJXctD9OcfyVLyj2J3IxLnKwHJR8f4D8a3YE=
golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4 h1:bTLqdHv7xrGlFbvf5/TXNxy/iUwwdkjhqQTJDjW7aj0=
golang.org/x/telemetry v0.0.0-20260209163413-e7419c687ee4/go.mod h1:g5NllXBEermZrmR51cJDQxmJUHUOfRAaNyWBM+R+548=
golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
@@ -401,6 +405,8 @@ golang.org/x/text v0.32.0 h1:ZD01bjUt1FQ9WJ0ClOL5vxgxOI/sVCNgX1YtKwcY0mU=
golang.org/x/text v0.32.0/go.mod h1:o/rUWzghvpD5TXrTIBuJU77MTaN0ljMWE47kxGJQ7jY=
golang.org/x/text v0.34.0 h1:oL/Qq0Kdaqxa1KbNeMKwQq0reLCCaFtqu2eNuSeNHbk=
golang.org/x/text v0.34.0/go.mod h1:homfLqTYRFyVYemLBFl5GgL/DWEiH5wcsQ5gSh1yziA=
golang.org/x/time v0.12.0 h1:ScB/8o8olJvc+CQPWrK3fPZNfh7qgwCrY0zJmoEQLSE=
golang.org/x/time v0.12.0/go.mod h1:CDIdPxbZBQxdj6cxyCIdrNogrJKMJ7pr37NYpMcMDSg=
golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
@@ -418,6 +424,8 @@ golang.org/x/tools v0.41.0 h1:a9b8iMweWG+S0OBnlU36rzLp20z1Rp10w+IY2czHTQc=
golang.org/x/tools v0.41.0/go.mod h1:XSY6eDqxVNiYgezAVqqCeihT4j1U2CCsqvH3WhQpnlg=
golang.org/x/tools v0.42.0 h1:uNgphsn75Tdz5Ji2q36v/nsFSfR/9BRFvqhGBaJGd5k=
golang.org/x/tools v0.42.0/go.mod h1:Ma6lCIwGZvHK6XtgbswSoWroEkhugApmsXyrUmBhfr0=
golang.org/x/vuln v1.1.4 h1:Ju8QsuyhX3Hk8ma3CesTbO8vfJD9EvUBgHvkxHBzj0I=
golang.org/x/vuln v1.1.4/go.mod h1:F+45wmU18ym/ca5PLTPLsSzr2KppzswxPP603ldA67s=
golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
google.golang.org/genai v1.45.0 h1:s80ZpS42XW0zu/ogiOtenCio17nJ7reEFJjoCftukpA=