24596576498
84%
master: 84%

Ran 18 Apr 2026 04:12AM UTC

Jobs 1

Files 50

Run time 1min

Badge

Embed ▾

Committed 18 Apr 2026 04:09AM UTC coverage: 84.365% (+0.02%) from 84.345%

Build # 24596576498

Build Type

Pull #2045

github

Committed by

paskal

Commit Message

fix(api): reject control characters in /picture URL segments

Address PR #2045 review feedback (Copilot #2045-1). The previous
safePictureSegment allowed CR/LF/TAB through, so a request such as
GET /api/v1/picture/dev%0Auser/abc.png would inject literal newlines
into the access log line ("GET - /api/v1/picture/dev\nuser/abc.png ...")
— a log-forgery primitive against any operator parsing those logs.

Reject any unicode.IsControl rune in either segment (NUL was already
caught via strings.ContainsAny). New TestRest_LoadPictureRejectsControlCharsInSegment
covers LF, CR, TAB, NUL across both segments.

Pull Request Pull Request #2045: fix(api): reject path traversal in /picture/{user}/{id}

Coverage Stats

23 of 25 new or added lines in 1 file covered. (92.0%)

2 existing lines in 1 file now uncovered.

6243 of 7400 relevant lines covered (84.36%)

34.62 hits per line

Uncovered Changes

Lines	Coverage	∆	File
2	85.06	0.39%	backend/app/rest/api/rest_public.go

Coverage Regressions

Lines	Coverage	∆	File
2	94.55	0.0%	backend/app/notify/notify.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	24596576498.1	18 Apr 2026 04:12AM UTC	50	84.36	GitHub Action Run

umputun / remark42 / 24596576498
84%
master: 84%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Coverage Regressions

Jobs

Source Files on build 24596576498

umputun / remark42 / 24596576498 84% master: 84%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Uncovered Changes

Coverage Regressions

Jobs

Source Files on build 24596576498

umputun / remark42 / 24596576498
84%
master: 84%

README BADGES
x