Merge remote-tracking branch 'origin/main' into fix/medium-severity-audit-findings

# Conflicts:
#	framework/database/sql.go
#	framework/database/sql_test.go
#	framework/hooks_writer_test.go
#	framework/middleware/cors_test.go
#	framework/middleware/rate_limit.go
#	framework/middleware/rate_limit_test.go
#	framework/session/middleware.go
#	router/router_test.go

Author: ConsoleTVs

contract/request/body.go

@@ -1,12 +1,19 @@
 package request
 
 import (
+	"bytes"
 	"encoding/json"
 	"encoding/xml"
+	"errors"
 	"io"
 	"net/http"
 )
 
+// ErrBodyTooLarge is returned when the request body exceeds
+// the maximum allowed size. Callers can check for this error
+// using [errors.Is].
+var ErrBodyTooLarge = errors.New("request body too large")
+
 // DefaultMaxBodySize is the default maximum request body size
 // (10 MB) used by the size-limited body reading functions.
 // This prevents denial-of-service attacks via excessively
@@ -24,16 +31,26 @@ func Bytes(r *http.Request) ([]byte, error) {
 }
 
 // LimitedBytes reads the request body up to maxSize bytes and
-// returns it as a byte slice. If the body exceeds maxSize, an
-// error is returned. This prevents denial-of-service attacks via
-// excessively large request bodies. Pass -1 to use
+// returns it as a byte slice. If the body exceeds maxSize,
+// [ErrBodyTooLarge] is returned. This prevents denial-of-service
+// attacks via excessively large request bodies. Pass -1 to use
 // [DefaultMaxBodySize].
 func LimitedBytes(r *http.Request, maxSize int64) ([]byte, error) {
 	if maxSize < 0 {
 		maxSize = DefaultMaxBodySize
 	}
 
-	return io.ReadAll(io.LimitReader(r.Body, maxSize+1))
+	data, err := io.ReadAll(io.LimitReader(r.Body, maxSize+1))
+
+	if err != nil {
+		return nil, err
+	}
+
+	if int64(len(data)) > maxSize {
+		return nil, ErrBodyTooLarge
+	}
+
+	return data, nil
 }
 
 // String reads the request body and returns it as a string.
@@ -54,8 +71,8 @@ func String(r *http.Request) (string, error) {
 }
 
 // LimitedString reads the request body up to maxSize bytes and
-// returns it as a string. If the body exceeds maxSize, the result
-// is truncated. Pass -1 to use [DefaultMaxBodySize].
+// returns it as a string. If the body exceeds maxSize,
+// [ErrBodyTooLarge] is returned. Pass -1 to use [DefaultMaxBodySize].
 func LimitedString(r *http.Request, maxSize int64) (string, error) {
 	body, err := LimitedBytes(r, maxSize)
 
@@ -106,17 +123,26 @@ func StrictJSON[T any](r *http.Request) (value T, err error) {
 }
 
 // LimitedJSON decodes JSON data from the request body into a value
-// of type T, reading at most maxSize bytes. This prevents
+// of type T, reading at most maxSize bytes. If the body exceeds
+// maxSize, [ErrBodyTooLarge] is returned. This prevents
 // denial-of-service attacks via oversized JSON payloads. Pass -1
 // to use [DefaultMaxBodySize].
 func LimitedJSON[T any](r *http.Request, maxSize int64) (value T, err error) {
 	if maxSize < 0 {
 		maxSize = DefaultMaxBodySize
 	}
 
-	limited := io.LimitReader(r.Body, maxSize+1)
+	data, err := io.ReadAll(io.LimitReader(r.Body, maxSize+1))
 
-	if err := json.NewDecoder(limited).Decode(&value); err != nil {
+	if err != nil {
+		return value, err
+	}
+
+	if int64(len(data)) > maxSize {
+		return value, ErrBodyTooLarge
+	}
+
+	if err := json.NewDecoder(bytes.NewReader(data)).Decode(&value); err != nil {
 		return value, err
 	}
 
@@ -125,14 +151,24 @@ func LimitedJSON[T any](r *http.Request, maxSize int64) (value T, err error) {
 
 // StrictLimitedJSON decodes JSON data from the request body into
 // a value of type T, reading at most maxSize bytes and rejecting
-// unknown fields. Pass -1 to use [DefaultMaxBodySize].
+// unknown fields. If the body exceeds maxSize, [ErrBodyTooLarge]
+// is returned. Pass -1 to use [DefaultMaxBodySize].
 func StrictLimitedJSON[T any](r *http.Request, maxSize int64) (value T, err error) {
 	if maxSize < 0 {
 		maxSize = DefaultMaxBodySize
 	}
 
-	limited := io.LimitReader(r.Body, maxSize+1)
-	decoder := json.NewDecoder(limited)
+	data, err := io.ReadAll(io.LimitReader(r.Body, maxSize+1))
+
+	if err != nil {
+		return value, err
+	}
+
+	if int64(len(data)) > maxSize {
+		return value, ErrBodyTooLarge
+	}
+
+	decoder := json.NewDecoder(bytes.NewReader(data))
 	decoder.DisallowUnknownFields()
 
 	if err := decoder.Decode(&value); err != nil {
@@ -149,6 +185,11 @@ func StrictLimitedJSON[T any](r *http.Request, maxSize int64) (value T, err erro
 // WARNING: This function decodes without any body size limit.
 // Prefer [LimitedXML] or apply [http.MaxBytesReader] in a
 // middleware to prevent memory exhaustion from oversized requests.
+//
+// WARNING: Go's [encoding/xml] does not protect against entity
+// expansion attacks (e.g. "Billion Laughs"). Callers should
+// validate or sanitize XML input before processing, or use
+// [LimitedXML] with a small size limit to bound expansion.
 func XML[T any](r *http.Request) (value T, err error) {
 	if err := xml.NewDecoder(r.Body).Decode(&value); err != nil {
 		return value, err
@@ -158,17 +199,32 @@ func XML[T any](r *http.Request) (value T, err error) {
 }
 
 // LimitedXML decodes XML data from the request body into a value
-// of type T, reading at most maxSize bytes. This prevents
+// of type T, reading at most maxSize bytes. If the body exceeds
+// maxSize, [ErrBodyTooLarge] is returned. This prevents
 // denial-of-service attacks via oversized XML payloads. Pass -1
 // to use [DefaultMaxBodySize].
+//
+// WARNING: Go's [encoding/xml] does not protect against entity
+// expansion attacks (e.g. "Billion Laughs"). Even with a small
+// maxSize, a crafted XML document may expand to significantly
+// more memory than its wire size. Callers should validate or
+// sanitize XML input before processing.
 func LimitedXML[T any](r *http.Request, maxSize int64) (value T, err error) {
 	if maxSize < 0 {
 		maxSize = DefaultMaxBodySize
 	}
 
-	limited := io.LimitReader(r.Body, maxSize+1)
+	data, err := io.ReadAll(io.LimitReader(r.Body, maxSize+1))
+
+	if err != nil {
+		return value, err
+	}
+
+	if int64(len(data)) > maxSize {
+		return value, ErrBodyTooLarge
+	}
 
-	if err := xml.NewDecoder(limited).Decode(&value); err != nil {
+	if err := xml.NewDecoder(bytes.NewReader(data)).Decode(&value); err != nil {
 		return value, err
 	}
 

contract/request/body_test.go

@@ -1,6 +1,7 @@
 package request_test
 
 import (
+	"errors"
 	"io"
 	"net/http"
 	"net/http/httptest"
@@ -38,14 +39,15 @@ func TestBytesErrorOnFailedRead(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestLimitedBytesReadsUpToLimit(t *testing.T) {
+func TestLimitedBytesReturnsErrorWhenBodyExceedsLimit(t *testing.T) {
+	t.Parallel()
+
 	body := "abcdefghij"
 	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
 
-	result, err := request.LimitedBytes(r, 5)
+	_, err := request.LimitedBytes(r, 5)
 
-	require.NoError(t, err)
-	require.Len(t, result, 6)
+	require.ErrorIs(t, err, request.ErrBodyTooLarge)
 }
 
 func TestLimitedBytesReadsFullBodyUnderLimit(t *testing.T) {
@@ -95,14 +97,15 @@ func TestStringErrorOnFailedRead(t *testing.T) {
 	require.Error(t, err)
 }
 
-func TestLimitedStringReadsUpToLimit(t *testing.T) {
+func TestLimitedStringReturnsErrorWhenBodyExceedsLimit(t *testing.T) {
+	t.Parallel()
+
 	body := "abcdefghij"
 	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
 
-	result, err := request.LimitedString(r, 5)
+	_, err := request.LimitedString(r, 5)
 
-	require.NoError(t, err)
-	require.Len(t, result, 6)
+	require.ErrorIs(t, err, request.ErrBodyTooLarge)
 }
 
 func TestLimitedStringReadsFullBodyUnderLimit(t *testing.T) {
@@ -415,6 +418,98 @@ func TestLimitedXMLReturnsErrorOnInvalidPayload(t *testing.T) {
 	require.Error(t, err)
 }
 
+func TestLimitedBytesReturnsDataWhenBodyWithinLimit(t *testing.T) {
+	t.Parallel()
+
+	body := "hello"
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	result, err := request.LimitedBytes(r, 10)
+
+	require.NoError(t, err)
+	require.Equal(t, []byte("hello"), result)
+}
+
+func TestLimitedBytesReturnsDataWhenBodyExactlyAtLimit(t *testing.T) {
+	t.Parallel()
+
+	body := "12345"
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	result, err := request.LimitedBytes(r, 5)
+
+	require.NoError(t, err)
+	require.Equal(t, []byte("12345"), result)
+}
+
+func TestLimitedStringReturnsDataWhenBodyWithinLimit(t *testing.T) {
+	t.Parallel()
+
+	body := "hello"
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	result, err := request.LimitedString(r, 10)
+
+	require.NoError(t, err)
+	require.Equal(t, "hello", result)
+}
+
+func TestLimitedJSONReturnsErrorWhenBodyExceedsLimit(t *testing.T) {
+	t.Parallel()
+
+	type payload struct {
+		Name string `json:"name"`
+	}
+
+	body := `{"name":"this is a very long name that exceeds the limit"}`
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	_, err := request.LimitedJSON[payload](r, 10)
+
+	require.ErrorIs(t, err, request.ErrBodyTooLarge)
+}
+
+func TestStrictLimitedJSONReturnsErrorWhenBodyExceedsLimit(t *testing.T) {
+	t.Parallel()
+
+	type payload struct {
+		Name string `json:"name"`
+	}
+
+	body := `{"name":"this is a very long name that exceeds the limit"}`
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	_, err := request.StrictLimitedJSON[payload](r, 10)
+
+	require.ErrorIs(t, err, request.ErrBodyTooLarge)
+}
+
+func TestLimitedXMLReturnsErrorWhenBodyExceedsLimit(t *testing.T) {
+	t.Parallel()
+
+	type payload struct {
+		Name string `xml:"name"`
+	}
+
+	body := `<payload><name>this is a very long name that exceeds the limit</name></payload>`
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	_, err := request.LimitedXML[payload](r, 10)
+
+	require.ErrorIs(t, err, request.ErrBodyTooLarge)
+}
+
+func TestErrBodyTooLargeIsCheckableWithErrorsIs(t *testing.T) {
+	t.Parallel()
+
+	body := "abcdefghij"
+	r := httptest.NewRequest(http.MethodPost, "/", strings.NewReader(body))
+
+	_, err := request.LimitedBytes(r, 5)
+
+	require.True(t, errors.Is(err, request.ErrBodyTooLarge))
+}
+
 // errReader is an io.Reader that always returns an error.
 type errReader struct{}
 

framework/cache/redis.go

@@ -2,7 +2,6 @@ package cache
 
 import (
 	"context"
-	"encoding/json"
 	"errors"
 	"time"
 
@@ -72,9 +71,9 @@ func (client *RedisClient) Has(ctx context.Context, key string) (bool, error) {
 }
 
 // Pull atomically retrieves and deletes a key using Redis GETDEL.
-// The stored value is JSON-decoded into the return value.
-func (client *RedisClient) Pull(ctx context.Context, key string) (value any, err error) {
-	encoded, err := (*redis.Client)(client).GetDel(ctx, key).Result()
+// Returns contract.ErrCacheKeyNotFound when the key does not exist.
+func (client *RedisClient) Pull(ctx context.Context, key string) (any, error) {
+	value, err := (*redis.Client)(client).GetDel(ctx, key).Result()
 
 	if errors.Is(err, redis.Nil) {
 		return nil, contract.ErrCacheKeyNotFound
@@ -84,10 +83,6 @@ func (client *RedisClient) Pull(ctx context.Context, key string) (value any, err
 		return nil, err
 	}
 
-	if err := json.Unmarshal([]byte(encoded), &value); err != nil {
-		return nil, err
-	}
-
 	return value, nil
 }
 

framework/database/sql.go

@@ -178,7 +178,10 @@ func (database *SQL) FindNamed(ctx context.Context, query string, dest any, arg
 // original error and any rollback error are joined. If fn succeeds,
 // the transaction is committed. Nested transactions are not supported
 // and return contract.ErrDatabaseNestedTransaction.
-func (database *SQL) WithTransaction(ctx context.Context, fn func(tx contract.Database) error) error {
+//
+// If fn panics, the transaction is rolled back before the panic is
+// re-raised, preventing connection pool leaks.
+func (database *SQL) WithTransaction(ctx context.Context, fn func(tx contract.Database) error) (retErr error) {
 	if _, ok := database.db.(*sqlx.Tx); ok {
 		return contract.ErrDatabaseNestedTransaction
 	}
@@ -189,10 +192,23 @@ func (database *SQL) WithTransaction(ctx context.Context, fn func(tx contract.Da
 		return err
 	}
 
+	defer func() {
+		if p := recover(); p != nil {
+			_ = tx.Rollback()
+			panic(p)
+		}
+
+		if retErr != nil {
+			retErr = errors.Join(retErr, tx.Rollback())
+		}
+	}()
+
 	txWrapper := &sqlTx{SQL{db: tx, raw: database.raw}}
 
 	if err := fn(txWrapper); err != nil {
-		return errors.Join(err, tx.Rollback())
+		retErr = err
+
+		return
 	}
 
 	return tx.Commit()