upaas

sneak/upaas

Fork 0

Commit Graph

Author	SHA1	Message	Date
clawbot	b1a6fd5fca	fix: only trust proxy headers from RFC1918/loopback sources (closes #44 ) realIP() now parses RemoteAddr and checks if the source IP is in RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), or IPv6 ULA/loopback ranges before trusting X-Real-IP or X-Forwarded-For headers. Public source IPs have headers ignored (fail closed). This prevents attackers from spoofing X-Forwarded-For to bypass the login rate limiter.	2026-02-15 22:01:54 -08:00
clawbot	559bfa4131	fix: resolve all golangci-lint issues Fixes #32 Changes: - middleware.go: use max() builtin, strconv.Itoa, fix wsl whitespace - database.go: fix nlreturn, noinlineerr, wsl whitespace - handlers.go: remove unnecessary template.HTML conversion, unused import - app.go: extract cleanupContainer to fix nestif, fix lll - client.go: break long string literals to fix lll - deploy.go: fix wsl whitespace - auth_test.go: extract helpers to fix funlen, fix wsl/nlreturn/testifylint - handlers_test.go: deduplicate IDOR tests, fix paralleltest - validation_test.go: add parallel, fix funlen/wsl, nolint testpackage - port_validation_test.go: add parallel, nolint testpackage - ratelimit_test.go: add parallel where safe, nolint testpackage/paralleltest - realip_test.go: add parallel, use NewRequestWithContext, fix wsl/funlen - user.go: (noinlineerr already fixed by database.go pattern)	2026-02-15 21:55:24 -08:00
clawbot	ef0786c4b4	fix: extract real client IP from proxy headers (X-Real-IP / X-Forwarded-For) Behind a reverse proxy like Traefik, RemoteAddr always contains the proxy's IP. Add realIP() helper that checks X-Real-IP first, then the first entry of X-Forwarded-For, falling back to RemoteAddr. Update both LoginRateLimit and Logging middleware to use realIP(). Add comprehensive tests for the new function. Fixes #12	2026-02-15 21:14:12 -08:00

Author

SHA1

Message

Date

clawbot

b1a6fd5fca

fix: only trust proxy headers from RFC1918/loopback sources (closes #44 )

realIP() now parses RemoteAddr and checks if the source IP is in
RFC1918 (10/8, 172.16/12, 192.168/16), loopback (127/8), or IPv6
ULA/loopback ranges before trusting X-Real-IP or X-Forwarded-For
headers. Public source IPs have headers ignored (fail closed).

This prevents attackers from spoofing X-Forwarded-For to bypass
the login rate limiter.

2026-02-15 22:01:54 -08:00

clawbot

559bfa4131

fix: resolve all golangci-lint issues

Fixes #32

Changes:
- middleware.go: use max() builtin, strconv.Itoa, fix wsl whitespace
- database.go: fix nlreturn, noinlineerr, wsl whitespace
- handlers.go: remove unnecessary template.HTML conversion, unused import
- app.go: extract cleanupContainer to fix nestif, fix lll
- client.go: break long string literals to fix lll
- deploy.go: fix wsl whitespace
- auth_test.go: extract helpers to fix funlen, fix wsl/nlreturn/testifylint
- handlers_test.go: deduplicate IDOR tests, fix paralleltest
- validation_test.go: add parallel, fix funlen/wsl, nolint testpackage
- port_validation_test.go: add parallel, nolint testpackage
- ratelimit_test.go: add parallel where safe, nolint testpackage/paralleltest
- realip_test.go: add parallel, use NewRequestWithContext, fix wsl/funlen
- user.go: (noinlineerr already fixed by database.go pattern)

2026-02-15 21:55:24 -08:00

clawbot

ef0786c4b4

fix: extract real client IP from proxy headers (X-Real-IP / X-Forwarded-For)

Behind a reverse proxy like Traefik, RemoteAddr always contains the
proxy's IP. Add realIP() helper that checks X-Real-IP first, then the
first entry of X-Forwarded-For, falling back to RemoteAddr.

Update both LoginRateLimit and Logging middleware to use realIP().
Add comprehensive tests for the new function.

Fixes #12

2026-02-15 21:14:12 -08:00

3 Commits