codeskyblue · abesnier · Apr 13, 2026 · Apr 13, 2026 · Apr 13, 2026 · Apr 14, 2026
diff --git a/assets/index.html b/assets/index.html
@@ -284,6 +284,7 @@ <h4 class="modal-title">
     var META = document.getElementsByTagName("meta");
     META[2]["content"]=$('.navbar').css('border-color');
   </script>
+  <!--  Disable Google Analytics completely
   [[if .GoogleTrackerID ]]
   <script>
     (function (i, s, o, g, r, a, m) {
@@ -301,6 +302,7 @@ <h4 class="modal-title">
     ga('create', '[[.GoogleTrackerID]]', 'auto');
     ga('send', 'pageview');
   </script> [[ end ]]
+  -->
 </body>
 
 </html>
diff --git a/httpstaticserver.go b/httpstaticserver.go
@@ -636,7 +636,9 @@ func (s *HTTPStaticServer) hJSONList(w http.ResponseWriter, r *http.Request) {
 
 	data, _ := json.Marshal(map[string]interface{}{
 		"files": lrs,
-		"auth":  auth,
+		// Remove auth info for security reason, that prevents .ghs.yml to be fully sent to a user that would ask for ?json=true
+		// See https://github.com/codeskyblue/gohttpserver/issues/231
+		//"auth":  auth,
 	})
 	w.Header().Set("Content-Type", "application/json")
 	w.Write(data)

diff --git a/openid-login.go b/openid-login.go
@@ -1,21 +1,35 @@
 package main
 
 import (
+	"crypto/rand"
 	"encoding/gob"
 	"encoding/json"
 	"io"
 	"log"
 	"net/http"
+	"os"
 	"strings"
 
 	openid "github.com/codeskyblue/openid-go"
 	"github.com/gorilla/sessions"
 )
 
+func newSessionSecret() []byte {
+	if s := os.Getenv("GHS_SESSION_SECRET"); s != "" {
+		return []byte(s)
+	}
+	log.Println("WARNING: GHS_SESSION_SECRET not set; generating a random session key. Sessions will not survive restarts.")
+	key := make([]byte, 32)
+	if _, err := rand.Read(key); err != nil {
+		log.Fatal("failed to generate random session secret:", err)
+	}
+	return key
+}
+
 var (
 	nonceStore         = openid.NewSimpleNonceStore()
 	discoveryCache     = openid.NewSimpleDiscoveryCache()
-	store              = sessions.NewCookieStore([]byte("something-very-secret"))
+	store              = sessions.NewCookieStore(newSessionSecret())
 	defaultSessionName = "ghs-session"
 )
 

diff --git a/zip.go b/zip.go
@@ -142,6 +142,10 @@ func unzipFile(filename, dest string) error {
 	if dest == "" {
 		dest = filepath.Dir(filename)
 	}
+	dest, err = filepath.Abs(dest)
+	if err != nil {
+		return err
+	}
 
 	for _, f := range zr.File {
 		rc, err := f.Open()
@@ -167,6 +171,15 @@ func unzipFile(filename, dest string) error {
 			}
 		}
 
+		// Zip Slip protection: ensure the resolved path stays within dest
+		resolvedPath, err := filepath.Abs(fpath)
+		if err != nil {
+			return fmt.Errorf("invalid path %q: %w", fpath, err)
+		}
+		if !strings.HasPrefix(resolvedPath, dest+string(os.PathSeparator)) && resolvedPath != dest {
+			return fmt.Errorf("illegal file path in zip: %q escapes destination directory", f.Name)
+		}
+
 		if f.FileInfo().IsDir() {
 			os.MkdirAll(fpath, os.ModePerm)
 			continue