security fixes

Author: shcherbak

charts/keepup/Chart.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 name: keepup
-version: 1.3.4
-appVersion: 1.2.0
+version: 1.4.0
+appVersion: 1.3.0

charts/keepup/values.yaml

@@ -7,7 +7,7 @@ main:
 
 redis:
   enabled: true
-  image: "redis:8.2.3"
+  image: "redis:8.2.5"
   pullPolicy: "IfNotPresent"
 
 ingress:

docker/Dockerfile

@@ -1,5 +1,5 @@
-FROM golang:1.25.5-trixie AS builder
-ARG BUILD_VERSION='v1.2.3'
+FROM golang:1.25.9-trixie AS builder
+ARG BUILD_VERSION='v1.3.0'
 ENV LISTEN_PORT=9101
 WORKDIR /opt/keepup/
 COPY go.mod ./

src/config/config.go

@@ -46,8 +46,8 @@ func init() {
 	numFields := refl.NumField()
 	for i := 0; i < numFields; i++ {
 		envName := refl.Type().Field(i).Name
-		envVal, foud := os.LookupEnv(envName)
-		if !foud {
+		envVal, found := os.LookupEnv(envName)
+		if !found {
 			panic("Environment [" + envName + "] not found.")
 		}
 		refl.Field(i).SetString(envVal)

src/handler/middleware.go

@@ -2,6 +2,7 @@ package handler
 
 import (
 	"context"
+	"crypto/subtle"
 	"encoding/json"
 	"io"
 	"log"
@@ -67,7 +68,7 @@ type IDClusterDocument struct {
 
 func (s *OsReleasesMiddleware) HandleOsRelease(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("x-api-token")
-	if token != s.ApiToken {
+	if subtle.ConstantTimeCompare([]byte(token), []byte(s.ApiToken)) != 1 {
 		w.Header().Set("Content-Type", "text/plain")
 		w.WriteHeader(http.StatusForbidden)
 		io.WriteString(w, "FORBIDDEN")
@@ -87,6 +88,7 @@ func (s *OsReleasesMiddleware) HandleOsRelease(w http.ResponseWriter, r *http.Re
 func (s *OsReleasesMiddleware) handleInsert(w http.ResponseWriter, r *http.Request) {
 	var req ReleaseDocument
 	var res IDDocument
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -108,6 +110,7 @@ func (s *OsReleasesMiddleware) handleInsert(w http.ResponseWriter, r *http.Reque
 
 func (s *OsReleasesMiddleware) handleGetByID(w http.ResponseWriter, r *http.Request) {
 	var req IDDocument
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -161,6 +164,7 @@ func (p *PackageVersionsHandler) handleInsertPackages(w http.ResponseWriter, r *
 	var req PackageDocument
 	var res IDDocumentPackage
 
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		http.Error(w, "Invalid request payload", http.StatusBadRequest)
@@ -210,6 +214,7 @@ func (p *PackageVersionsHandler) handleInsertPackages(w http.ResponseWriter, r *
 func (p *PackageVersionsHandler) handleGetPackages(w http.ResponseWriter, r *http.Request) {
 	var req IDDocumentPackage
 
+	r.Body = http.MaxBytesReader(w, r.Body, 1<<20)
 	err := json.NewDecoder(r.Body).Decode(&req)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusBadRequest)
@@ -238,7 +243,7 @@ func (p *PackageVersionsHandler) handleGetPackages(w http.ResponseWriter, r *htt
 
 func (s *PackageVersionsHandler) HandlePackage(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("x-api-token")
-	if token != s.ApiToken {
+	if subtle.ConstantTimeCompare([]byte(token), []byte(s.ApiToken)) != 1 {
 		w.Header().Set("Content-Type", "text/plain")
 		w.WriteHeader(http.StatusForbidden)
 		io.WriteString(w, "FORBIDDEN")
@@ -259,7 +264,7 @@ func (s *PackageVersionsHandler) HandlePackage(w http.ResponseWriter, r *http.Re
 // Simplife new endpoint handling logic. Maybe define common handler for all endpoints.
 func (s *KubernetesClusterMiddleware) HandleKubernetesCluster(w http.ResponseWriter, r *http.Request) {
 	token := r.Header.Get("x-api-token")
-	if token != s.ApiToken {
+	if subtle.ConstantTimeCompare([]byte(token), []byte(s.ApiToken)) != 1 {
 		http.Error(w, "FORBIDDEN", http.StatusForbidden)
 		return
 	}

src/handler/osrelease.go

@@ -29,7 +29,7 @@ type OsReleases struct {
 
 var (
 	ErrInsertFailed = errors.New("Insert failed")
-	ErrMarshlFailed = errors.New("Marshal failed")
+	ErrMarshalFailed = errors.New("Marshal failed")
 	ErrIDNotFound   = errors.New("Id not found")
 	ErrNoKeysFound  = errors.New("No keys found")
 )
@@ -39,7 +39,7 @@ func (c *OsReleases) Insert(rel OsRelease, ctx context.Context, con *redis.Clien
 	rel.UpdatedAt = fmt.Sprint(time.Now().Unix())
 	srt, err := json.Marshal(rel)
 	if err != nil {
-		return rel.ID, ErrMarshlFailed
+		return rel.ID, ErrMarshalFailed
 	}
 	result, err := con.Set(ctx, fmt.Sprint(rel.ID), srt, time.Duration(ttl)*time.Second).Result()
 	if err != nil {
@@ -78,7 +78,8 @@ func (c *OsReleases) Scan(ctx context.Context, con *redis.Client) (OsReleases, e
 		}
 	}
 	if err := iter.Err(); err != nil {
-		panic(err)
+		log.Printf("Error scanning Redis keys: %v", err)
+		return rels, err
 	}
 	return rels, nil
 }

src/handler/packageversions.go

@@ -216,21 +216,13 @@ func updateEOLCache(ctx context.Context, con *redis.Client) error {
 		"package": map[string][]EndOfLifeEntry{},
 	}
 
+	httpClient := &http.Client{Timeout: 10 * time.Second}
 	for _, packageName := range supportedPackages {
 		apiURL := fmt.Sprintf("https://endoflife.date/api/%s.json", packageName)
-		httpClient := &http.Client{Timeout: 10 * time.Second}
-
-		resp, err := httpClient.Get(apiURL)
+		entries, err := fetchEOLEntries(httpClient, apiURL)
 		if err != nil {
 			continue
 		}
-		defer resp.Body.Close()
-
-		var entries []EndOfLifeEntry
-		if err := json.NewDecoder(resp.Body).Decode(&entries); err != nil {
-			continue
-		}
-
 		cacheDocument["package"].(map[string][]EndOfLifeEntry)[packageName] = entries
 	}
 
@@ -247,6 +239,20 @@ func updateEOLCache(ctx context.Context, con *redis.Client) error {
 	return nil
 }
 
+func fetchEOLEntries(client *http.Client, url string) ([]EndOfLifeEntry, error) {
+	resp, err := client.Get(url)
+	if err != nil {
+		return nil, err
+	}
+	defer resp.Body.Close()
+
+	var entries []EndOfLifeEntry
+	if err := json.NewDecoder(resp.Body).Decode(&entries); err != nil {
+		return nil, err
+	}
+	return entries, nil
+}
+
 func getEOLData(ctx context.Context, con *redis.Client, packageName string) ([]EndOfLifeEntry, error) {
 	key := "eol_cache:all_packages"
 

src/main.go

@@ -13,6 +13,7 @@ import (
 	"strconv"
 	"sync"
 	"syscall"
+	"time"
 
 	"github.com/google/uuid"
 	"github.com/prometheus/client_golang/prometheus"
@@ -104,7 +105,10 @@ func main() {
 func configureServer() {
 	log.Printf("Creating server on port %s.", config.GetConfig().LISTEN_PORT)
 	server = &http.Server{
-		Addr: fmt.Sprintf(":%s", config.GetConfig().LISTEN_PORT),
+		Addr:         fmt.Sprintf(":%s", config.GetConfig().LISTEN_PORT),
+		ReadTimeout:  10 * time.Second,
+		WriteTimeout: 30 * time.Second,
+		IdleTimeout:  60 * time.Second,
 	}
 	server.RegisterOnShutdown(func() {
 		log.Println("Shutting down server.")