go-pkgz / auth / 25587249065

85%

master: 85%

Pull #288

github

Cap avatar fetch body size, pin redirect-validator bypass categories

Two hardening followups from the security review on PRs #275-#286:

1. avatar.Proxy.Put now buffers remote avatar bytes through a 10 MiB cap
(io.LimitReader(maxAvatarFetchSize+1) + post-read size check) so an
upstream sending an unbounded body cannot exhaust process memory inside
resize. Existing legitimate avatars (Telegram caps photo at 5 MiB,
Gravatar much smaller) fit comfortably; oversized fetches return an
error and Proxy.Put falls back to identicon as it does for any other
load failure. Same fix in v1 and v2 modules.

2. v2 isAllowedRedirect now has explicit characterization tests for
URL bypass categories the reviewer flagged as "correctly rejected but
not pinned": scheme-relative //evil.com, userinfo allowed@evil.com,
IPv6 [::1], IDN/punycode homoglyphs, percent-encoded hostnames,
backslash-userinfo tricks, opaque scheme:host forms. Pure
characterization tests -- no behavior change, just guardrails so a
future refactor of url.Parse usage doesn't silently weaken the
validator.

7 of 9 new or added lines in 1 file covered. (77.78%)

2828 of 3333 relevant lines covered (84.85%)

7.82 hits per line