Fix medium-severity audit findings across all modules#12
Merged
Conversation
…erface - QueryOr: parse query string once instead of per-call - HTMLTemplate: buffer template execution to prevent partial writes on error - Add Rehashable interface for hash algorithm migration support
- Reject patterns containing '..' segments to prevent path traversal - Panic on empty method in Handle() to catch misuse early - Add concurrency safety documentation for router registration
…boundary matching - Ensure deterministic JSON field order (type, status, title, detail, instance, extensions) - Support */* wildcard in Accept header content negotiation - Fix media type matching to respect slash boundaries
- Pass request context (not background) to hooks in handleError - Change DefaultServerOptions to function to prevent global mutation - Add panic recovery in Before* hook callbacks on ResponseWriter
…r, and secure headers - CORS: add Vary headers for cacheability, handle preflight consistently - Logger: log URL path only to prevent token leakage in query strings - Rate limiter: respect context cancellation for graceful shutdown - Recover: capture stack traces for debugging - Secure headers: remove deprecated X-XSS-Protection header
…sistence - Check MaxLifetime during load to reject expired sessions - Set sensible MaxLifetime default (24h) when zero - Fix Secure cookie flag to use r.TLS instead of request scheme - Use context.WithoutCancel for session persistence after response
…d add docs - Remove unnecessary mutex from entry struct (outer map lock suffices) - Add docs warning about reference poisoning with pointer values - Discriminate cache miss vs computation error in Remember - Add Redis increment overflow documentation
…y zeroing - Add ErrEncrypterClosed sentinel error for use-after-close detection - Make Close() idempotent by checking for nil AEAD - Use clear() builtin for key zeroing instead of manual loop - Add runtime.KeepAlive to prevent premature garbage collection - Document nonce size limits and AAD usage
… zeroing - Export BcryptOptions.Cost field for external configuration - Document bcrypt 72-byte password truncation behavior - Use clear() builtin for byte slice zeroing with KeepAlive - Add NeedsRehash to Argon2 for algorithm migration support - Document argon2 input mutation of password slice
…x sqlTx Close - Use db.QueryContext/ExecContext directly instead of Prepare+Execute - Document connection pool configuration recommendations - Make sqlTx.Close() a no-op instead of closing underlying connection - Add comprehensive test suite with 14 tests using sqlite3
…rd semantics - Extract validateEvent helper to deduplicate validation across all brokers - Document wildcard event matching semantics for each broker - Ensure consistent empty/whitespace event name rejection
Add mattn/go-sqlite3 for database integration tests.
…udit-findings # Conflicts: # framework/database/sql.go # framework/database/sql_test.go # framework/hooks_writer_test.go # framework/middleware/cors_test.go # framework/middleware/rate_limit.go # framework/middleware/rate_limit_test.go # framework/session/middleware.go # router/router_test.go
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Third and final tier of fixes from the comprehensive security and quality audit of all Cosmos modules. This PR addresses all 42 medium-severity findings (M1–M42) across every module and subpackage.
Contract (M1–M3, M36)
QueryOr: parse query string once instead of per-call to reduce allocationsHTMLTemplate: buffer template execution to prevent partial response writes on errorRehashableinterface for hash algorithm migration supportRouter (M4–M6)
..segments to prevent path traversalHandle()to catch misuse earlyProblem (M7–M9)
*/*wildcard in Accept header content negotiationFramework Core (M10–M12)
handleErrorDefaultServerOptionsto function to prevent global state mutationBefore*hook callbacks onResponseWriterMiddleware (M13–M18)
Varyheaders for cacheability, handle preflight consistentlyX-XSS-ProtectionheaderSession (M19–M22)
MaxLifetimeduring load to reject expired sessionsMaxLifetimedefault (24h) when zero valueSecurecookie flag to user.TLSinstead of request schemecontext.WithoutCancelfor session persistence after responseCache (M23–M27)
RememberCrypto (M28–M32)
ErrEncrypterClosedsentinel error for use-after-close detectionClose()idempotent by checking for nil AEADclear()builtin for key zeroing instead of manual loopruntime.KeepAliveto prevent premature garbage collectionHash (M33–M37)
BcryptOptions.Costfield for external configurationclear()builtin for byte slice zeroing withKeepAliveNeedsRehashto Argon2 for algorithm migration supportDatabase (M38–M40)
db.QueryContext/ExecContextdirectly instead ofPrepare+ExecutesqlTx.Close()a no-op instead of closing underlying connectionEvent (M41–M42)
validateEventhelper to deduplicate validation across all brokersBreaking Changes
DefaultServerOptionsis now a functionWhat changed:
DefaultServerOptionschanged fromvar ServerOptionstofunc DefaultServerOptions() ServerOptionsMigration:
Why: Prevents global state mutation where one caller modifying the variable affects all subsequent callers.
CORS panics on
AllowCredentials: truewith wildcard originsWhat changed: (from high-severity PR)
CORSmiddleware now panics at startup ifAllowCredentials: truewith wildcard*origin.BcryptOptions.Costis now exportedWhat changed:
costfield renamed toCostfor external configuration.Migration: If constructing
BcryptOptionswith struct literal, renamecost→Cost.Why: Allows users to configure bcrypt cost without using option functions.