umputun / remark42 / 24600086020

Builds Branch Commit Type Ran Committer Via Coverage
24600086020 master test: use testing/synctest to eliminate wall-clock sleeps (#2048) Go 1.25's testing/synctest package (GA) provides a fake clock bubble for deterministic goroutine and timer testing. Convert tests that waited on real-time durations to use synctest... push web-flow github
84.25
24599629279 master fix(api): drop QR-write nolint dup + trim dead `..` check Address PR #2045 review (umputun): * The //nolint:gosec on telegramQrCtrl's w.Write(png) was byte-identical to the same line in #2044 (gosec-rule restoration). Drop it here so the two... push umputun github
84.13
24596866617 security-pr-a-path-traversal fix(api): drop QR-write nolint dup + trim dead `..` check Address PR #2045 review (umputun): * The //nolint:gosec on telegramQrCtrl's w.Write(png) was byte-identical to the same line in #2044 (gosec-rule restoration). Drop it here so the two... Pull #2045 paskal github
84.34
24596576498 security-pr-a-path-traversal fix(api): reject control characters in /picture URL segments Address PR #2045 review feedback (Copilot #2045-1). The previous safePictureSegment allowed CR/LF/TAB through, so a request such as GET /api/v1/picture/dev%0Auser/abc.png would inject l... Pull #2045 paskal github
84.36
24596546017 security-fixes-2026-04 fix(safehttp): clone http.DefaultTransport, sharpen Image.Transport contract Address review feedback on PR #2044. safehttp.Transport(): * Clone http.DefaultTransport instead of building a bare &http.Transport{} so Proxy, ForceAttemptHTTP2, Max... Pull #2044 paskal github
84.47
24592734878 master test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... push umputun github
84.13
24592686760 master fix(api): require explicit ?site= in matchSiteID middleware matchSiteID guarded most authenticated and admin routes with `if siteID != "" && user.SiteID != siteID`. Dropping the ?site= query parameter made the check no-op and any authenticated us... push umputun github
84.16
24591322614 tests/synctest-refactor test: use testing/synctest to eliminate wall-clock sleeps Go 1.25's testing/synctest package (GA) provides a fake clock bubble for deterministic goroutine and timer testing. Convert tests that waited on real-time durations to use synctest, removi... Pull #2048 paskal github
84.35
24582579682 security-fixes-2026-04 chore(lint): cap multipart upload size and suppress remaining gosec G70x Address all golangci-lint v2.10.1 (CI's version) findings: * Add http.MaxBytesReader hard cap to ParseMultipartForm sites in rest_private.savePictureCtrl (32MB) and api/m... Pull #2044 paskal github
84.46
24582473426 security-pr-d-tz-tests test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... Pull #2047 paskal github
84.35
24582446417 security-pr-c-matchsiteid fix(api): require explicit ?site= in matchSiteID middleware matchSiteID guarded most authenticated and admin routes with `if siteID != "" && user.SiteID != siteID`. Dropping the ?site= query parameter made the check no-op and any authenticated us... Pull #2046 paskal github
84.13
24582423883 security-pr-a-path-traversal fix(api): reject path traversal and sanitise error in /picture/{user}/{id} The unauthenticated GET /api/v1/picture/{user}/{id} handler concatenated the two URL params verbatim into a filesystem path via path.Join, so a request like /api/v1/pictur... Pull #2045 paskal github
84.36
24547191483 master feat: custom oauth2 provider (#2006) * feat: add configurable custom OAuth2 provider and icons * fix: reserve built-in custom provider names * fix: add nolint directive for sha1 import * fix: harden custom oauth provider validation push web-flow github
84.35
24546491209 security-fixes-2026-04 test(store): use time.UTC in test fixtures to be timezone-agnostic The store tests stored timestamps with time.Local in their fixtures and asserted equality against returned values that the engine round-trips through UTC. assert.Equal compares zo... Pull #2044 paskal github
84.3
24546445221 security-fixes-2026-04 chore(lint): cap multipart upload size and suppress remaining gosec G70x Address all golangci-lint v2.10.1 (CI's version) findings: * Add http.MaxBytesReader hard cap to ParseMultipartForm sites in rest_private.savePictureCtrl (32MB) and api/m... push paskal github
84.3