From 7930f2ec9918d7220f148f297e24f1120958dde6 Mon Sep 17 00:00:00 2001 From: db123-test Date: Mon, 11 May 2026 12:19:47 +0330 Subject: [PATCH] fix: validate action parameter and correct database health check logic - Add whitelist of valid actions to prevent arbitrary action values - Fix error handling to properly detect database failures Previously, any action value was accepted without validation, which could lead to unexpected behavior. The health check also incorrectly set dbOK to true when queries succeeded, now correctly sets it to false when errors occur. --- src/auth.go | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/src/auth.go b/src/auth.go index 9973939..428ef8d 100644 --- a/src/auth.go +++ b/src/auth.go @@ -243,8 +243,15 @@ func parseLogFilter(r *http.Request) (*logFilter, error) { Offset: 0, } + validActions := map[string]bool{ + "add_temp": true, "delete_temp": true, + "add_perm": true, "delete_perm": true, "expire_temp": true, + } + if v := r.URL.Query().Get("action"); v != "" { - f.Action = v + if validActions[v] { + f.Action = v + } } if v := r.URL.Query().Get("ip"); v != "" { f.IP = v @@ -333,13 +340,13 @@ func statusHandler(db *sql.DB) http.HandlerFunc { return func(w http.ResponseWriter, r *http.Request) { var permCount int var tempCount int - dbOK := false + dbOK := true - if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err == nil { - dbOK = true + if err := db.QueryRow(`SELECT COUNT(*) FROM perm_whitelist`).Scan(&permCount); err != nil { + dbOK = false } - if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err == nil { - dbOK = true + if err := db.QueryRow(`SELECT COUNT(*) FROM temp_whitelist WHERE expires_at > ?`, time.Now().Format(time.RFC3339)).Scan(&tempCount); err != nil { + dbOK = false } health := map[string]interface{}{