| author | Fuwn <[email protected]> | 2026-02-08 09:23:43 -0800 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-02-08 09:23:43 -0800 |
| commit | 56cbd35136a5a7b366835bf6c662ed068f6b5dec (patch) | |
| tree | 1a6dc83f997683341ed3476d8f38690bfe7b7114 /services/worker/internal/pool | |
| parent | security: sanitize HTML in marketing demo (diff) | |
| download | asa.news-56cbd35136a5a7b366835bf6c662ed068f6b5dec.tar.xz asa.news-56cbd35136a5a7b366835bf6c662ed068f6b5dec.zip | |
security: harden Go worker
- Fix SSRF TOCTOU: add custom dialer that resolves DNS and validates IPs at connection time, preventing DNS rebinding attacks
- Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) in SSRF protection by normalizing to IPv4 before checking reserved ranges
- Sanitize feed error messages before storing: strip credentials from URLs and truncate to 500 chars
- Remove unused EncryptionKey from configuration
- Add stack trace logging to worker panic recovery for debugging
- Run go fmt
Diffstat (limited to 'services/worker/internal/pool')
| -rw-r--r-- | services/worker/internal/pool/pool.go | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/services/worker/internal/pool/pool.go b/services/worker/internal/pool/pool.go index 7df03e2..0576636 100644 --- a/services/worker/internal/pool/pool.go +++ b/services/worker/internal/pool/pool.go @@ -3,6 +3,7 @@ package pool import ( "context" "log/slog" + "runtime/debug" "sync" ) @@ -38,6 +39,7 @@ func (workerPool *WorkerPool) Submit(workContext context.Context, workFunction W workerPool.logger.Error( "worker panic recovered", "panic_value", recoveredPanic, + "stack_trace", string(debug.Stack()), ) } }() |
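Review bot: in the second hunk (the deferred recover in `Submit`), `debug.Stack()` is called inside the deferred function while the panic is still unwinding, so the captured trace includes the panicking frames, which is the behaviour wanted here; note however that `string(debug.Stack())` is emitted unconditionally at `Error` level on every recovered panic, so a work function that panics repeatedly in a busy pool will write a multi-kilobyte trace per occurrence. Consider pairing the log line with a counter metric or a rate limit, and add a short comment above `"stack_trace", string(debug.Stack()),` stating that the trace is captured during unwinding on purpose, since a reader may otherwise assume it only shows the deferred closure's own frame.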