Merge pull request #3 from StudioLambda/fix/critical-security-vulnerabilities

Fix critical security vulnerabilities (XSS, resource leak, OOM)

Author: ConsoleTVs

contract/request/body.go

@@ -7,15 +7,42 @@ import (
 	"net/http"
 )
 
+// DefaultMaxBodySize is the default maximum request body size
+// (10 MB) used by the size-limited body reading functions.
+// This prevents denial-of-service attacks via excessively
+// large request bodies that could exhaust server memory.
+const DefaultMaxBodySize int64 = 10 << 20 // 10 MB
+
 // Bytes reads the entire request body and returns it as a byte slice.
 // The request body is consumed after this call and cannot be read again.
+//
+// WARNING: This function reads the body without any size limit.
+// Prefer [LimitedBytes] or apply [http.MaxBytesReader] in a
+// middleware to prevent memory exhaustion from oversized requests.
 func Bytes(r *http.Request) ([]byte, error) {
 	return io.ReadAll(r.Body)
 }
 
+// LimitedBytes reads the request body up to maxSize bytes and
+// returns it as a byte slice. If the body exceeds maxSize, an
+// error is returned. This prevents denial-of-service attacks via
+// excessively large request bodies. Pass -1 to use
+// [DefaultMaxBodySize].
+func LimitedBytes(r *http.Request, maxSize int64) ([]byte, error) {
+	if maxSize < 0 {
+		maxSize = DefaultMaxBodySize
+	}
+
+	return io.ReadAll(io.LimitReader(r.Body, maxSize+1))
+}
+
 // String reads the request body and returns it as a string.
 // It uses [Bytes] internally. The request body is consumed
 // after this call and cannot be read again.
+//
+// WARNING: This function reads the body without any size limit.
+// Prefer [LimitedString] or apply [http.MaxBytesReader] in a
+// middleware to prevent memory exhaustion from oversized requests.
 func String(r *http.Request) (string, error) {
 	b, err := Bytes(r)
 
@@ -26,9 +53,26 @@ func String(r *http.Request) (string, error) {
 	return string(b), nil
 }
 
+// LimitedString reads the request body up to maxSize bytes and
+// returns it as a string. If the body exceeds maxSize, the result
+// is truncated. Pass -1 to use [DefaultMaxBodySize].
+func LimitedString(r *http.Request, maxSize int64) (string, error) {
+	b, err := LimitedBytes(r, maxSize)
+
+	if err != nil {
+		return "", err
+	}
+
+	return string(b), nil
+}
+
 // JSON decodes JSON data from the request body into a value of type T.
 // It uses a streaming decoder for memory efficiency. The type parameter
 // T should match the expected JSON structure.
+//
+// WARNING: This function decodes without any body size limit.
+// Prefer [LimitedJSON] or apply [http.MaxBytesReader] in a
+// middleware to prevent memory exhaustion from oversized requests.
 func JSON[T any](r *http.Request) (value T, err error) {
 	if err := json.NewDecoder(r.Body).Decode(&value); err != nil {
 		return value, err
@@ -37,13 +81,53 @@ func JSON[T any](r *http.Request) (value T, err error) {
 	return value, nil
 }
 
+// LimitedJSON decodes JSON data from the request body into a value
+// of type T, reading at most maxSize bytes. This prevents
+// denial-of-service attacks via oversized JSON payloads. Pass -1
+// to use [DefaultMaxBodySize].
+func LimitedJSON[T any](r *http.Request, maxSize int64) (value T, err error) {
+	if maxSize < 0 {
+		maxSize = DefaultMaxBodySize
+	}
+
+	limited := io.LimitReader(r.Body, maxSize+1)
+
+	if err := json.NewDecoder(limited).Decode(&value); err != nil {
+		return value, err
+	}
+
+	return value, nil
+}
+
 // XML decodes XML data from the request body into a value of type T.
 // It uses a streaming decoder for memory efficiency. The type parameter
 // T should have appropriate xml struct tags or implement [xml.Unmarshaler].
+//
+// WARNING: This function decodes without any body size limit.
+// Prefer [LimitedXML] or apply [http.MaxBytesReader] in a
+// middleware to prevent memory exhaustion from oversized requests.
 func XML[T any](r *http.Request) (value T, err error) {
 	if err := xml.NewDecoder(r.Body).Decode(&value); err != nil {
 		return value, err
 	}
 
 	return value, nil
 }
+
+// LimitedXML decodes XML data from the request body into a value
+// of type T, reading at most maxSize bytes. This prevents
+// denial-of-service attacks via oversized XML payloads. Pass -1
+// to use [DefaultMaxBodySize].
+func LimitedXML[T any](r *http.Request, maxSize int64) (value T, err error) {
+	if maxSize < 0 {
+		maxSize = DefaultMaxBodySize
+	}
+
+	limited := io.LimitReader(r.Body, maxSize+1)
+
+	if err := xml.NewDecoder(limited).Decode(&value); err != nil {
+		return value, err
+	}
+
+	return value, nil
+}

contract/response/static.go

@@ -3,6 +3,7 @@ package response
 import (
 	"encoding/json"
 	"encoding/xml"
+	htmltemplate "html/template"
 	"net/http"
 	"text/template"
 )
@@ -93,23 +94,24 @@ func StringTemplate(w http.ResponseWriter, status int, tmpl template.Template, d
 //   - status: The HTTP status code to set
 //   - data: The HTML string to write to the response
 func HTML(w http.ResponseWriter, status int, data string) error {
-	w.Header().Set("Content-Type", "text/html")
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 
 	return Raw(w, status, []byte(data))
 }
 
 // HTMLTemplate executes an HTML template with the provided data and writes
 // the result as HTML to the response writer. The Content-Type is set to
-// text/html. This is the standard way to serve dynamic HTML pages in web
-// applications using Go's html/template package.
+// text/html; charset=utf-8. This is the standard way to serve dynamic
+// HTML pages in web applications using Go's html/template package, which
+// provides context-aware escaping to prevent XSS attacks.
 //
 // Parameters:
 //   - w: The HTTP response writer
 //   - status: The HTTP status code to set (note: this is set after template execution)
-//   - tmpl: The HTML template to execute
+//   - tmpl: The HTML template to execute (must be html/template for XSS safety)
 //   - data: The data to pass to the template for execution
-func HTMLTemplate(w http.ResponseWriter, status int, tmpl template.Template, data any) error {
-	w.Header().Set("Content-Type", "text/html")
+func HTMLTemplate(w http.ResponseWriter, status int, tmpl htmltemplate.Template, data any) error {
+	w.Header().Set("Content-Type", "text/html; charset=utf-8")
 	w.WriteHeader(status)
 
 	return tmpl.Execute(w, data)

framework/database/sql.go

@@ -61,6 +61,8 @@ func (database *SQL) Exec(ctx context.Context, query string, args ...any) (int64
 		return 0, err
 	}
 
+	defer q.Close()
+
 	result, err := q.ExecContext(ctx, args...)
 
 	if err != nil {
@@ -79,6 +81,8 @@ func (database *SQL) ExecNamed(ctx context.Context, query string, arg any) (int6
 		return 0, err
 	}
 
+	defer q.Close()
+
 	result, err := q.ExecContext(ctx, arg)
 
 	if err != nil {
@@ -97,6 +101,8 @@ func (database *SQL) Select(ctx context.Context, query string, dest any, args ..
 		return err
 	}
 
+	defer q.Close()
+
 	return q.Select(dest, args...)
 }
 
@@ -110,6 +116,8 @@ func (database *SQL) SelectNamed(ctx context.Context, query string, dest any, ar
 		return err
 	}
 
+	defer q.Close()
+
 	return q.Select(dest, arg)
 }
 
@@ -123,6 +131,8 @@ func (database *SQL) Find(ctx context.Context, query string, dest any, args ...a
 		return err
 	}
 
+	defer q.Close()
+
 	if err := q.GetContext(ctx, dest, args...); err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return errors.Join(err, contract.ErrDatabaseNoRows)
@@ -144,6 +154,8 @@ func (database *SQL) FindNamed(ctx context.Context, query string, dest any, arg
 		return err
 	}
 
+	defer q.Close()
+
 	return q.GetContext(ctx, dest, arg)
 }