go-pkgz / auth / 26197092980 / 1
85%
master: 85%

LAST BUILD BRANCH: docs/comment-sweep
DEFAULT BRANCH: master
Ran 21 May 2026 12:02AM UTC
Files 25
Run time 1s
21 May 2026 12:00AM UTC coverage: 85.425% (+0.1%) from 85.323%
26197092980.1

Pull #290

github

paskal
fix(avatar): address PR review — WebP support, RFC 7232 ETag, explicit allowlist

Addresses review on #290:

  * Register golang.org/x/image/webp via blank import. Without this, Go's stdlib
    image.DecodeConfig only knows PNG/JPEG/GIF — Discord (which uses .webp
    avatars) would silently fall back to identicons after the validation fix.
    Regression test TestAvatar_resizeAcceptsWebP exercises a real WebP avatar
    end-to-end.

  * safeImgContentType is now an explicit switch over the allowed raster MIME
    set (image/png, image/jpeg, image/gif, image/webp, image/bmp,
    image/x-icon, image/vnd.microsoft.icon). The previous HasPrefix("image/")
    catch-all matched the docstring but not the intent — any future scriptable
    image/* MIME added by http.DetectContentType would have silently passed.

  * If-None-Match parsing now follows RFC 7232: handles quoted ETag (the form
    browsers actually send), W/"..." weak validators, comma-separated lists, and
    the * wildcard. The previous comparison stripped quotes from the response
    ETag before comparing against the (almost always quoted) request header, so
    304 short-circuits never fired in practice. Added etagMatches helper with
    its own table test plus an extended 304 path test in TestAvatar_Routes that
    sends both the strong and weak validator forms.

  * Handler now uses io.ReadFull for the sniff buffer so a Store that returns
    a buffered reader with a small first-Read won't cause DetectContentType to
    misclassify a valid image. ErrUnexpectedEOF is expected for short bodies
    and treated the same as EOF.

  * withSecurityHeaders docstring now spells out the impact on consumer-added
    custom handlers (AddCustomHandler / AddProvider): the strict CSP also wraps
    those, so any custom provider rendering HTML must either override the CSP
    by calling w.Header().Set before writing, or move scripts/styles to
    external files served from 'self'.

Minor: tinyPNG / tinyWeb... (continued)
Pull Request #290: fix(avatar): prevent stored XSS via content-type spoofing
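The two behaviours the commit message spends most of its words on, the explicit raster MIME allowlist and RFC 7232 If-None-Match matching, are shown below as an added, self-contained Go illustration. This is not code from go-pkgz/auth; the function names looseImgContentType, strictImgContentType, brokenETagMatches, etagMatches and opaqueTag are assumed for the example, and all inputs (including the image/svg+xml case used to show why a HasPrefix("image/") catch-all is too broad) are constructed. brokenETagMatches reproduces the pre-fix comparison described in the message, which stripped quotes from the response ETag but not from the request header, so a browser's quoted validator never matched.

```go
package main

import (
	"fmt"
	"strings"
)

// allowedImageTypes is the raster MIME set named in the commit message.
// Constructed for this example; not the project's own table.
var allowedImageTypes = map[string]bool{
	"image/png": true, "image/jpeg": true, "image/gif": true, "image/webp": true,
	"image/bmp": true, "image/x-icon": true, "image/vnd.microsoft.icon": true,
}

// looseImgContentType is the catch-all the commit replaces: every image/*
// type passes, including ones a browser would render as a scriptable document.
func looseImgContentType(ct string) bool {
	return strings.HasPrefix(ct, "image/")
}

// strictImgContentType is the explicit allowlist form. The media type is
// compared alone (parameters dropped, case folded) so "image/PNG; x=y" still
// resolves to the allowed entry and nothing outside the set ever passes.
func strictImgContentType(ct string) bool {
	mediaType := strings.SplitN(ct, ";", 2)[0]
	mediaType = strings.ToLower(strings.TrimSpace(mediaType))
	return allowedImageTypes[mediaType]
}

// brokenETagMatches mirrors the pre-fix logic: quotes are stripped from the
// response ETag only, so the (quoted) header a browser sends never matches.
func brokenETagMatches(ifNoneMatch, responseETag string) bool {
	return strings.Trim(responseETag, `"`) == ifNoneMatch
}

// etagMatches implements If-None-Match per RFC 7232 with weak comparison,
// which is what a conditional GET/HEAD needs: "*" matches any existing
// representation, the header may be a comma-separated list, and the W/
// prefix is ignored on both sides before the opaque tags are compared.
func etagMatches(ifNoneMatch, responseETag string) bool {
	ifNoneMatch = strings.TrimSpace(ifNoneMatch)
	if ifNoneMatch == "" || responseETag == "" {
		return false
	}
	if ifNoneMatch == "*" {
		return true
	}
	want := opaqueTag(responseETag)
	for _, candidate := range strings.Split(ifNoneMatch, ",") {
		if opaqueTag(candidate) == want {
			return true
		}
	}
	return false
}

// opaqueTag reduces W/"abc", "abc" and (leniently) bare abc to abc.
func opaqueTag(tag string) string {
	tag = strings.TrimSpace(tag)
	tag = strings.TrimPrefix(tag, "W/")
	return strings.Trim(tag, `"`)
}

func main() {
	// Constructed request/response pair: a browser re-validating an avatar.
	header, current := `W/"865f"`, `"865f"`
	fmt.Printf("old comparison -> 304? %v\n", brokenETagMatches(header, current))
	fmt.Printf("RFC 7232 comparison -> 304? %v\n", etagMatches(header, current))
	fmt.Printf("image/svg+xml loose=%v strict=%v\n",
		looseImgContentType("image/svg+xml"), strictImgContentType("image/svg+xml"))
}
```

The allowlist is deliberately a closed set: anything DetectContentType might start returning in a future Go release is rejected until someone adds it on purpose, which is the property the commit message asks for. The ETag side treats a weak validator as matching a strong one with the same opaque tag, which is the correct choice for a 304 response but would not be for If-Match on a write.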

3042 of 3561 relevant lines covered (85.43%)

8.31 hits per line

Source Files on job 26197092980.1
  • Tree
  • List 25
  • Changed 2
  • Source Changed 0
  • Coverage Changed 2
  • 865f1b6e on github
  • Prev Job for on fix/avatar-content-type-spoofing-xss (#25620289937.1)