Bezbednost: rešeno 7 kritičnih nalaza (HP-01 do HP-07)

2026-06-07 10:16:50 +02:00
parent df8c357566
commit 301bcaf5c4
7 changed files with 32 additions and 23 deletions
@@ -94,7 +94,7 @@ func (r *sqliteKorisniciRepo) DohvatiPoID(ctx context.Context, id int64) (*model

 func (r *sqliteKorisniciRepo) Lista(ctx context.Context) ([]model.Korisnik, error) {
 	rows, err := r.db.QueryContext(ctx,
-		`SELECT id, korisnicko_ime, lozinka_hash, uloga, aktivan, COALESCE(totp_tajna, ''),
+		`SELECT id, korisnicko_ime, uloga, aktivan, COALESCE(totp_tajna, ''),
 		        COALESCE(lokalna_tema, ''), koristi_lokalnu_temu, datum_kreiranja,
 		        COALESCE(lokalna_pozadina, ''), COALESCE(lokalna_pozadina_opacity, '50'),
 		        COALESCE(lokalna_pozadina_blur, '12'), COALESCE(lokalna_pozadina_blur_pozadine, '0'),
@@ -111,7 +111,7 @@ func (r *sqliteKorisniciRepo) Lista(ctx context.Context) ([]model.Korisnik, erro
 		var lokalnaTema sql.NullString
 		var lokalnaPozadina, lokalnaPozadinaOpacity, lokalnaPozadinaBlur, lokalnaPozadinaBlurPozadine, lokalnaPozadinaGlassOpacity sql.NullString
 		var datumKreiranja time.Time
-		if err := rows.Scan(&k.ID, &k.KorisnickoIme, &k.LozinkaHash, &k.Uloga, &aktivan, &k.TotpTajna,
+		if err := rows.Scan(&k.ID, &k.KorisnickoIme, &k.Uloga, &aktivan, &k.TotpTajna,
 			&lokalnaTema, &koristiLokalnuTemu, &datumKreiranja,
 			&lokalnaPozadina, &lokalnaPozadinaOpacity, &lokalnaPozadinaBlur, &lokalnaPozadinaBlurPozadine,
 			&lokalnaPozadinaGlassOpacity); err != nil {
@@ -253,11 +253,10 @@ func (h *Handler) SacuvajPodesavanja(w http.ResponseWriter, r *http.Request) {
 	}

 	sledeci := r.FormValue("_next")
-	if sledeci == "" {
-		http.Redirect(w, r, "/podesavanja?sacuvano=1", http.StatusSeeOther)
-	} else {
-		http.Redirect(w, r, sledeci+"?sacuvano=1", http.StatusSeeOther)
+	if sledeci == "" || !strings.HasPrefix(sledeci, "/") {
+		sledeci = "/podesavanja"
 	}
+	http.Redirect(w, r, sledeci+"?sacuvano=1", http.StatusSeeOther)
 }

 // BackupBaze kreira konzistentnu kopiju baze i šalje je kao attachment
@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"net"
 	"net/http"
+	"os"
 	"strings"
 	"time"

@@ -304,6 +305,7 @@ func napraviKolacic(token string, istice time.Time) *http.Cookie {
 		Path:     "/",
 		Expires:  istice,
 		HttpOnly: true,
+		Secure:   os.Getenv("NTECH_ENV") == "production",
 		SameSite: http.SameSiteStrictMode,
 	}
 }
@@ -14,7 +14,7 @@ func BezbednostHeaders() func(http.Handler) http.Handler {
 			h.Set("Content-Security-Policy",
 				"default-src 'self'; "+
 					"style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; "+
-					"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "+
+					"script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "+
 					"img-src 'self' data: blob:; "+
 					"font-src 'self'; "+
 					"connect-src 'self'")
@@ -5,6 +5,7 @@ import (
 	"crypto/rand"
 	"encoding/base64"
 	"net/http"
+	"os"
 )

 const csrfKolacic = "ntech_csrf"
@@ -38,6 +39,7 @@ func CsrfMiddleware(next http.Handler) http.Handler {
 					Path:     "/",
 					MaxAge:   86400 * 30,
 					HttpOnly: true,
+					Secure:   os.Getenv("NTECH_ENV") == "production",
 					SameSite: http.SameSiteStrictMode,
 				})
 			}
@@ -29,17 +29,31 @@ func GetFlash(r *http.Request, db *sql.DB) *model.FlashPoruka {
 	if err != nil {
 		return nil
 	}
+
+	tx, err := db.BeginTx(r.Context(), nil)
+	if err != nil {
+		return nil
+	}
+	defer tx.Rollback()
+
 	var flashJSON sql.NullString
-	if err := db.QueryRowContext(r.Context(),
+	if err := tx.QueryRowContext(r.Context(),
 		`SELECT flash FROM sesije WHERE token = ?`, kolacic.Value).Scan(&flashJSON); err != nil {
 		return nil
 	}
 	if !flashJSON.Valid || flashJSON.String == "" {
 		return nil
 	}
-	// briše pre parsiranja — ako parsiranje ne uspe, poruka se svakako ne prikazuje
-	db.ExecContext(r.Context(),
-		`UPDATE sesije SET flash = NULL WHERE token = ?`, kolacic.Value)
+
+	if _, err := tx.ExecContext(r.Context(),
+		`UPDATE sesije SET flash = NULL WHERE token = ?`, kolacic.Value); err != nil {
+		return nil
+	}
+
+	if err := tx.Commit(); err != nil {
+		return nil
+	}
+
 	var f model.FlashPoruka
 	if err := json.Unmarshal([]byte(flashJSON.String), &f); err != nil {
 		return nil