umputun / remark42 / 24753077072

| Build | Branch | Commit | Type | Ran | Committer | Via | Coverage |
|---|---|---|---|---|---|---|---|
| 24753077072 | master | fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts (#2049) * fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts Bump go-pkgz/auth/v2 to master (v2.1.2-0.20260421203319-686683f19cf7) which carries the `from` redi... | push | 22 Apr 2026 12:12AM UTC | web-flow | github | 84.25 |
| 24752433324 | bump-auth-oauth-redirect-fix | fix(auth): preserve explicit port in AllowedRedirectHosts + clarify fs_store nolint Address Copilot follow-up on PR #2049: * getAllowedRedirectHosts stripped explicit ports via u.Hostname(), which broadened the allowlist. The auth validator ch... | Pull #2049 | 21 Apr 2026 11:50PM UTC | paskal | github | 84.25 |
| 24751384141 | bump-auth-oauth-redirect-fix | fix(auth): normalise AllowedRedirectHosts entries + add unit test Address Copilot review on PR #2049. The previous closure passed raw s.AllowedHosts entries straight to the auth library, but --allowed-hosts holds CSP frame-ancestors source expres... | Pull #2049 | 21 Apr 2026 11:18PM UTC | paskal | github | 84.24 |
| 24750894901 | bump-auth-oauth-redirect-fix | chore(lint): suppress G703 false positives on image Save CI's newer gosec flags os.MkdirAll/os.WriteFile in FileSystem.Save with G703 because id flows in from the caller. id is validated at the HTTP layer (safePictureSegment in rest_public.go) an... | Pull #2049 | 21 Apr 2026 11:04PM UTC | paskal | github | 84.19 |
| 24750714194 | bump-auth-oauth-redirect-fix | fix(auth): close OAuth open-redirect by wiring AllowedRedirectHosts Bump go-pkgz/auth/v2 to master (v2.1.2-0.20260421203319-686683f19cf7) which carries the `from` redirect validator from go-pkgz/auth#275. The library default with a nil AllowedRe... | Pull #2049 | 21 Apr 2026 10:58PM UTC | paskal | github | 84.19 |
| 24600086020 | master | test: use testing/synctest to eliminate wall-clock sleeps (#2048) Go 1.25's testing/synctest package (GA) provides a fake clock bubble for deterministic goroutine and timer testing. Convert tests that waited on real-time durations to use synctest... | push | 18 Apr 2026 07:47AM UTC | web-flow | github | 84.25 |
| 24599629279 | master | fix(api): drop QR-write nolint dup + trim dead `..` check Address PR #2045 review (umputun): * The //nolint:gosec on telegramQrCtrl's w.Write(png) was byte-identical to the same line in #2044 (gosec-rule restoration). Drop it here so the two... | push | 18 Apr 2026 07:18AM UTC | umputun | github | 84.13 |
| 24596866617 | security-pr-a-path-traversal | fix(api): drop QR-write nolint dup + trim dead `..` check Address PR #2045 review (umputun): * The //nolint:gosec on telegramQrCtrl's w.Write(png) was byte-identical to the same line in #2044 (gosec-rule restoration). Drop it here so the two... | Pull #2045 | 18 Apr 2026 04:29AM UTC | paskal | github | 84.34 |
| 24596576498 | security-pr-a-path-traversal | fix(api): reject control characters in /picture URL segments Address PR #2045 review feedback (Copilot #2045-1). The previous safePictureSegment allowed CR/LF/TAB through, so a request such as GET /api/v1/picture/dev%0Auser/abc.png would inject l... | Pull #2045 | 18 Apr 2026 04:12AM UTC | paskal | github | 84.36 |
| 24596546017 | security-fixes-2026-04 | fix(safehttp): clone http.DefaultTransport, sharpen Image.Transport contract Address review feedback on PR #2044. safehttp.Transport(): * Clone http.DefaultTransport instead of building a bare &http.Transport{} so Proxy, ForceAttemptHTTP2, Max... | Pull #2044 | 18 Apr 2026 04:10AM UTC | paskal | github | 84.47 |
| 24592734878 | master | test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... | push | 18 Apr 2026 12:40AM UTC | umputun | github | 84.13 |
| 24592686760 | master | fix(api): require explicit ?site= in matchSiteID middleware matchSiteID guarded most authenticated and admin routes with `if siteID != "" && user.SiteID != siteID`. Dropping the ?site= query parameter made the check no-op and any authenticated us... | push | 18 Apr 2026 12:38AM UTC | umputun | github | 84.16 |
| 24591322614 | tests/synctest-refactor | test: use testing/synctest to eliminate wall-clock sleeps Go 1.25's testing/synctest package (GA) provides a fake clock bubble for deterministic goroutine and timer testing. Convert tests that waited on real-time durations to use synctest, removi... | Pull #2048 | 17 Apr 2026 11:39PM UTC | paskal | github | 84.35 |
| 24582579682 | security-fixes-2026-04 | chore(lint): cap multipart upload size and suppress remaining gosec G70x Address all golangci-lint v2.10.1 (CI's version) findings: * Add http.MaxBytesReader hard cap to ParseMultipartForm sites in rest_private.savePictureCtrl (32MB) and api/m... | Pull #2044 | 17 Apr 2026 07:21PM UTC | paskal | github | 84.46 |
| 24582473426 | security-pr-d-tz-tests | test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... | Pull #2047 | 17 Apr 2026 07:17PM UTC | paskal | github | 84.35 |