akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity

fix: reset models.Setting struct to prevent ID leakage in queries

Browse Source 
- Added a reset of the models.Setting struct before querying for settings in both the Manager and Cerberus components to avoid ID leakage from previous queries.
- Introduced new functions in Cerberus for checking admin authentication and admin whitelist status.
- Enhanced middleware logic to allow admin users to bypass ACL checks if their IP is whitelisted.
- Added tests to verify the behavior of the middleware with respect to ACLs and admin whitelisting.
- Created a new utility for checking if an IP is in a CIDR list.
- Updated various services to use `Where` clause for fetching records by ID instead of directly passing the ID to `First`, ensuring consistency in query patterns.
- Added comprehensive tests for settings queries to demonstrate and verify the fix for ID leakage issues.
This commit is contained in:
GitHub Actions
2026-01-28 10:29:49 +00:00
parent 38b6ff0314
commit 0854f94089
39 changed files with 2881 additions and 225 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/internal/api/handlers/security_handler_cache_test.go
+48
View File
@@ -0,0 +1,48 @@
package handlers
import (
"net/http"
"net/http/httptest"
"testing"
"github.com/gin-gonic/gin"
"github.com/stretchr/testify/require"
"github.com/Wikid82/charon/backend/internal/config"
"github.com/Wikid82/charon/backend/internal/models"
)
type testCacheInvalidator struct {
calls int
}
func (t *testCacheInvalidator) InvalidateCache() {
t.calls++
}
func TestSecurityHandler_ToggleSecurityModule_InvalidatesCache(t *testing.T) {
gin.SetMode(gin.TestMode)
db := setupTestDB(t)
require.NoError(t, db.AutoMigrate(&models.Setting{}))
cache := &testCacheInvalidator{}
handler := NewSecurityHandlerWithDeps(config.SecurityConfig{}, db, nil, cache)
router := gin.New()
router.Use(func(c *gin.Context) {
c.Set("role", "admin")
c.Next()
})
router.POST("/security/waf/enable", handler.EnableWAF)
w := httptest.NewRecorder()
req, _ := http.NewRequest("POST", "/security/waf/enable", http.NoBody)
router.ServeHTTP(w, req)
require.Equal(t, http.StatusOK, w.Code)
require.Equal(t, 1, cache.calls)
var setting models.Setting
require.NoError(t, db.Where("key = ?", "security.waf.enabled").First(&setting).Error)
require.Equal(t, "true", setting.Value)
}