Dasko/GoNtech
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

Bezbednost: open redirect i kolačići bez Secure atributa

Browse Source 
- _next parametar: sanitizacija preko url.Parse (Host+Scheme prazan = relativan URL)
  umesto ručnog string check-a koji CodeQL nije prepoznavao
- Kolačići: dodat Secure atribut (true u produkciji, false u razvoju)
  na 4 mesta: ntech_sesija brisanje (auth.go, prijava.go),
  ntech_flash_greska postavljanje i brisanje (auth.go, dashboard.go)
This commit is contained in:
Dalibor Marković
2026-06-16 03:32:07 +02:00
parent f9af825a27
commit 532f95848c
4 changed files with 30 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files
internal/handler/dashboard.go
+3
View File
@@ -3,6 +3,7 @@ package handler
import (
"log/slog"
"net/http"
"os"
appdb "ntech/internal/db"
"ntech/internal/db/sqlite"
@@ -23,6 +24,8 @@ func (h *Handler) Dashboard(w http.ResponseWriter, r *http.Request) {
Value: "",
Path: "/",
MaxAge: -1,
HttpOnly: true,
Secure: os.Getenv("NTECH_ENV") == "production",
})
}
internal/handler/podesavanja.go
+7 -2
View File
@@ -7,6 +7,7 @@ import (
"io"
"log/slog"
"net/http"
"net/url"
"os"
"path/filepath"
"regexp"
@@ -264,8 +265,12 @@ func (h *Handler) SacuvajPodesavanja(w http.ResponseWriter, r *http.Request) {
}
sledeci := "/podesavanja"
if next := r.FormValue("_next"); strings.HasPrefix(next, "/") && (len(next) == 1 || (next[1] != '/' && next[1] != '\\')) {
sledeci = next
if next := r.FormValue("_next"); next != "" {
if u, err := url.Parse(next); err == nil && u.Host == "" && u.Scheme == "" {
if p := u.RequestURI(); p != "" {
sledeci = p
}
}
}
// backup podešavanja — pri neispravnom unosu javljamo jasnu grešku
internal/handler/prijava.go
+2
View File
@@ -267,6 +267,8 @@ func (h *Handler) Odjava(w http.ResponseWriter, r *http.Request) {
Path: "/",
Expires: time.Unix(0, 0),
MaxAge: -1,
Secure: os.Getenv("NTECH_ENV") == "production",
HttpOnly: true,
})
http.Redirect(w, r, "/prijava", http.StatusSeeOther)
}
internal/middleware/auth.go
+4
View File
@@ -5,6 +5,7 @@ import (
"database/sql"
"errors"
"net/http"
"os"
"time"
"ntech/internal/db/sqlite"
@@ -39,6 +40,8 @@ func RequireAuth(db *sql.DB, totpKljuc []byte) func(http.Handler) http.Handler {
Path: "/",
Expires: time.Unix(0, 0),
MaxAge: -1,
Secure: os.Getenv("NTECH_ENV") == "production",
HttpOnly: true,
})
http.Redirect(w, r, "/prijava", http.StatusSeeOther)
return
@@ -154,6 +157,7 @@ func postaviFlashGresku(w http.ResponseWriter, poruka string) {
Path: "/",
MaxAge: 60,
HttpOnly: true,
Secure: os.Getenv("NTECH_ENV") == "production",
})
}