path: root/services/worker/internal/writer
authorFuwn <[email protected]>2026-02-08 09:23:43 -0800
committerFuwn <[email protected]>2026-02-08 09:23:43 -0800
commit56cbd35136a5a7b366835bf6c662ed068f6b5dec (patch)
tree1a6dc83f997683341ed3476d8f38690bfe7b7114 /services/worker/internal/writer
parentsecurity: sanitize HTML in marketing demo (diff)
security: harden Go worker
- Fix SSRF TOCTOU: add custom dialer that resolves DNS and validates IPs at connection time, preventing DNS rebinding attacks - Handle IPv4-mapped IPv6 addresses (::ffff:127.0.0.1) in SSRF protection by normalizing to IPv4 before checking reserved ranges - Sanitize feed error messages before storing: strip credentials from URLs and truncate to 500 chars - Remove unused EncryptionKey from configuration - Add stack trace logging to worker panic recovery for debugging - Run go fmt
Diffstat (limited to 'services/worker/internal/writer')
-rw-r--r--services/worker/internal/writer/writer.go23
1 files changed, 21 insertions, 2 deletions
diff --git a/services/worker/internal/writer/writer.go b/services/worker/internal/writer/writer.go
index 748deb0..fb413e0 100644
--- a/services/worker/internal/writer/writer.go
+++ b/services/worker/internal/writer/writer.go
@@ -3,10 +3,12 @@ package writer
import (
"context"
"fmt"
- "github.com/Fuwn/asa-news/internal/model"
- "github.com/jackc/pgx/v5/pgxpool"
+ "net/url"
"strings"
"time"
+
+ "github.com/Fuwn/asa-news/internal/model"
+ "github.com/jackc/pgx/v5/pgxpool"
)
type Writer struct {
@@ -192,11 +194,28 @@ func (feedWriter *Writer) UpdateFeedType(
return nil
}
+func sanitizeErrorMessage(errorMessage string) string {
+ sanitized := errorMessage
+ for _, word := range strings.Fields(errorMessage) {
+ if parsed, parseError := url.Parse(word); parseError == nil && parsed.User != nil {
+ parsed.User = nil
+ sanitized = strings.ReplaceAll(sanitized, word, parsed.String())
+ }
+ }
+
+ if len(sanitized) > 500 {
+ sanitized = sanitized[:500]
+ }
+
+ return sanitized
+}
+
func (feedWriter *Writer) RecordFeedError(
updateContext context.Context,
feedIdentifier string,
errorMessage string,
) error {
+ errorMessage = sanitizeErrorMessage(errorMessage)
currentTime := time.Now().UTC()
updateQuery := `
UPDATE feeds
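Review bot: The byte-based truncation `sanitized[:500]` in sanitizeErrorMessage can cut a multi-byte UTF-8 sequence in half, and the resulting invalid string is then handed to the UPDATE in RecordFeedError, where a text column will reject it and the error record is lost exactly when it is needed. The per-word credential stripping also misses the most likely shape of these messages: if the feed errors come from net/http they read `Get "https://user:[email protected]/feed": ...`, and the leading quote makes url.Parse fail on that word (no scheme, colon in the first path segment), so `parsed.User` is never inspected and the userinfo is stored as-is. Trim surrounding quotes and punctuation before parsing, and back the cut point up to a rune start (needs `unicode/utf8` in the import block). Note that a scheme-less `user:pass@host` token still parses with a nil User, so the function is best-effort and should say so in its doc comment. RecordFeedError's body continues past the end of this hunk.
```go
func sanitizeErrorMessage(errorMessage string) string {
	sanitized := errorMessage
	for _, word := range strings.Fields(errorMessage) {
		// net/http quotes the URL in its errors (`Get "https://…": …`), so the
		// bare word does not parse; strip the wrapping before looking for userinfo.
		candidate := strings.Trim(word, "\"'<>:,;.")
		if parsed, parseError := url.Parse(candidate); parseError == nil && parsed.User != nil {
			parsed.User = nil
			sanitized = strings.ReplaceAll(sanitized, candidate, parsed.String())
		}
	}

	// Cut on a rune boundary so the stored value stays valid UTF-8.
	if len(sanitized) > 500 {
		cut := 500
		for cut > 0 && !utf8.RuneStart(sanitized[cut]) {
			cut--
		}
		sanitized = sanitized[:cut]
	}

	return sanitized
}
```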