1
85%
master: 85%

Ran 09 May 2026 01:09AM UTC

Files 25

Run time 0s

Badge

Embed ▾

Committed 09 May 2026 01:07AM UTC coverage: 84.848% (-0.02%) from 84.872%

Job # 25587249065.1

Build Type

Pull #288

github

Committed by

paskal

Commit Message

Cap avatar fetch body size, pin redirect-validator bypass categories

Two hardening followups from the security review on PRs #275-#286:

1. avatar.Proxy.Put now buffers remote avatar bytes through a 10 MiB cap
(io.LimitReader(maxAvatarFetchSize+1) + post-read size check) so an
upstream sending an unbounded body cannot exhaust process memory inside
resize. Existing legitimate avatars (Telegram caps photo at 5 MiB,
Gravatar much smaller) fit comfortably; oversized fetches return an
error and Proxy.Put falls back to identicon as it does for any other
load failure. Same fix in v1 and v2 modules.

2. v2 isAllowedRedirect now has explicit characterization tests for
URL bypass categories the reviewer flagged as "correctly rejected but
not pinned": scheme-relative //evil.com, userinfo allowed@evil.com,
IPv6 [::1], IDN/punycode homoglyphs, percent-encoded hostnames,
backslash-userinfo tricks, opaque scheme:host forms. Pure
characterization tests -- no behavior change, just guardrails so a
future refactor of url.Parse usage doesn't silently weaken the
validator.

Pull Request Pull Request #288: Cap avatar fetch body size, pin redirect-validator bypass categories

Coverage Stats

2828 of 3333 relevant lines covered (84.85%)

7.82 hits per line

go-pkgz / auth / 25587249065 / 1
85%
master: 85%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 25587249065.1

go-pkgz / auth / 25587249065 / 1 85% master: 85%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

Source Files on job 25587249065.1

go-pkgz / auth / 25587249065 / 1
85%
master: 85%

README BADGES
x