
go-pkgz / auth
85%
master: 85%

LAST BUILD BRANCH: fix/auth-sensitive-logging
DEFAULT BRANCH: master
Repo Added 26 Dec 2018 08:17AM UTC
Files 25
LAST BUILD ON BRANCH followups/security-review

09 May 2026 01:07AM UTC coverage: 84.848% (-0.02%) from 84.872%
25587249065

Pull #288

github

paskal
Cap avatar fetch body size, pin redirect-validator bypass categories

Two hardening followups from the security review on PRs #275-#286:

1. avatar.Proxy.Put now buffers remote avatar bytes through a 10 MiB cap
(io.LimitReader(maxAvatarFetchSize+1) + post-read size check) so an
upstream sending an unbounded body cannot exhaust process memory inside
resize. Existing legitimate avatars (Telegram caps photo at 5 MiB,
Gravatar much smaller) fit comfortably; oversized fetches return an
error and Proxy.Put falls back to identicon as it does for any other
load failure. Same fix in v1 and v2 modules.

2. v2 isAllowedRedirect now has explicit characterization tests for
URL bypass categories the reviewer flagged as "correctly rejected but
not pinned": scheme-relative //evil.com, userinfo allowed@evil.com,
IPv6 [::1], IDN/punycode homoglyphs, percent-encoded hostnames,
backslash-userinfo tricks, opaque scheme:host forms. Pure
characterization tests -- no behavior change, just guardrails so a
future refactor of url.Parse usage doesn't silently weaken the
validator.
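The size-cap pattern from item 1, as an added illustration that is not code from the go-pkgz/auth repository: the constant name `maxAvatarFetchSize` is taken from the PR text, while `readCapped`, `fetchAvatarOrFallback` and the `endlessBody` stand-in for an unbounded upstream response are assumptions of this example. It shows why the limit is set to `limit+1`: the single extra byte is what distinguishes an exactly-sized body from an oversized one without buffering the whole stream.

```go
package main

import (
	"errors"
	"fmt"
	"io"
)

// maxAvatarFetchSize is the 10 MiB cap named in the PR description; the
// constant name comes from that text, the surrounding code is this example's.
const maxAvatarFetchSize = 10 << 20

var errAvatarTooLarge = errors.New("avatar body exceeds size cap")

// readCapped reads at most limit bytes from r. The LimitReader is given
// limit+1 so a single extra byte reveals an oversized body without ever
// buffering more than limit+1 bytes; the post-read check turns it into an error.
func readCapped(r io.Reader, limit int64) ([]byte, error) {
	data, err := io.ReadAll(io.LimitReader(r, limit+1))
	if err != nil {
		return nil, err
	}
	if int64(len(data)) > limit {
		return nil, errAvatarTooLarge
	}
	return data, nil
}

// fetchAvatarOrFallback mirrors the Put behaviour described in the PR: an
// oversized or unreadable body is treated like any other load failure and the
// caller gets the fallback (identicon) bytes. The bool reports fallback use.
func fetchAvatarOrFallback(body io.Reader, fallback []byte) ([]byte, bool) {
	data, err := readCapped(body, maxAvatarFetchSize)
	if err != nil {
		return fallback, true
	}
	return data, false
}

// endlessBody never returns EOF, standing in for an unbounded upstream
// response; the byte contents are irrelevant to the cap, so none are written.
type endlessBody struct{}

func (endlessBody) Read(p []byte) (int, error) { return len(p), nil }

func main() {
	got, fell := fetchAvatarOrFallback(endlessBody{}, []byte("identicon"))
	fmt.Printf("read %d bytes, fallback=%v\n", len(got), fell) // read 9 bytes, fallback=true
}
```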

7 of 9 new or added lines in 1 file covered. (77.78%)

2828 of 3333 relevant lines covered (84.85%)

7.82 hits per line


Recent builds

Builds | Branch | Commit | Type | Ran | Committer | Via | Coverage
25587249065 | followups/security-review | Cap avatar fetch body size, pin redirect-validator bypass categories | Pull #288 | 09 May 2026 01:09AM UTC | paskal | github | 84.85
25587249062 | followups/security-review | Cap avatar fetch body size, pin redirect-validator bypass categories | Pull #288 | 09 May 2026 01:08AM UTC | paskal | github | 84.44
See All Builds (1088)
© 2026 Coveralls, Inc