Dasko/GoNtech
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Bezbednost: rešeno 7 kritičnih nalaza (HP-01 do HP-07)

Browse Source
This commit is contained in:
Dalibor Marković
2026-06-07 10:16:50 +02:00
parent df8c357566
commit 301bcaf5c4
7 changed files with 32 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/middleware/bezbednost.go
+1 -1
View File
@@ -14,7 +14,7 @@ func BezbednostHeaders() func(http.Handler) http.Handler {
h.Set("Content-Security-Policy",
"default-src 'self'; "+
"style-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com; "+
"script-src 'self' 'unsafe-inline' 'unsafe-eval' https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "+
"script-src 'self' 'unsafe-inline' https://cdn.tailwindcss.com https://cdn.jsdelivr.net; "+
"img-src 'self' data: blob:; "+
"font-src 'self'; "+
"connect-src 'self'")
internal/middleware/csrf.go
+2
View File
@@ -5,6 +5,7 @@ import (
"crypto/rand"
"encoding/base64"
"net/http"
"os"
)
const csrfKolacic = "ntech_csrf"
@@ -38,6 +39,7 @@ func CsrfMiddleware(next http.Handler) http.Handler {
Path: "/",
MaxAge: 86400 * 30,
HttpOnly: true,
Secure: os.Getenv("NTECH_ENV") == "production",
SameSite: http.SameSiteStrictMode,
})
}
internal/middleware/flash.go
+18 -4
View File
@@ -29,17 +29,31 @@ func GetFlash(r *http.Request, db *sql.DB) *model.FlashPoruka {
if err != nil {
return nil
}
tx, err := db.BeginTx(r.Context(), nil)
if err != nil {
return nil
}
defer tx.Rollback()
var flashJSON sql.NullString
if err := db.QueryRowContext(r.Context(),
if err := tx.QueryRowContext(r.Context(),
`SELECT flash FROM sesije WHERE token = ?`, kolacic.Value).Scan(&flashJSON); err != nil {
return nil
}
if !flashJSON.Valid || flashJSON.String == "" {
return nil
}
// briše pre parsiranja — ako parsiranje ne uspe, poruka se svakako ne prikazuje
db.ExecContext(r.Context(),
`UPDATE sesije SET flash = NULL WHERE token = ?`, kolacic.Value)
if _, err := tx.ExecContext(r.Context(),
`UPDATE sesije SET flash = NULL WHERE token = ?`, kolacic.Value); err != nil {
return nil
}
if err := tx.Commit(); err != nil {
return nil
}
var f model.FlashPoruka
if err := json.Unmarshal([]byte(flashJSON.String), &f); err != nil {
return nil