Skip to content

fix: SSRF redirect bypass, ReDoS guard, MongoDB filter injection, unbounded caches, panic stack traces#43

Merged
caiwl merged 1 commit into
masterfrom
caiwl/bugs/final-hardening
Jun 24, 2026
Merged

fix: SSRF redirect bypass, ReDoS guard, MongoDB filter injection, unbounded caches, panic stack traces#43
caiwl merged 1 commit into
masterfrom
caiwl/bugs/final-hardening

Conversation

@caiwl

@caiwl caiwl commented Jun 24, 2026

Copy link
Copy Markdown
Contributor

Security & Reliability Hardening

Fixes all remaining findings from the final review sweep:

  1. SSRF redirect bypass (High) — Added CheckRedirect to HTTP clients that validates each redirect target against SSRF rules, blocking open-redirect-based SSRF
  2. ReDoS guard (Medium) — Added 1024-char limit on regex resource expressions (Go's RE2 prevents backtracking but long patterns still cost); rejected at policy registration
  3. MongoDB filter injection (Medium) — Validated filter field names (alphanumeric+underscore only) and reject target values containing ${}[]
  4. Unbounded caches (Medium) — compiledRegexCache capped at 10k entries; FuncResultCache capped at 50k entries
  5. Panic stack traces (Low) — All panic recovery blocks now log debug.Stack() for debuggability
  6. etcd backoff reset (Low) — consecutiveFails resets after successful watch run
  7. Condition length limit (Low) — compileCondition rejects expressions >4096 chars

🤖 Generated with Claude Code

…ounded caches, panic stack traces, condition length limit, and backoff reset

Co-Authored-By: Claude <noreply@anthropic.com>
@caiwl caiwl merged commit 04ca29d into master Jun 24, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant