akanealw/Charon
1
0
Fork 0
Code Issues Pull Requests Actions 5 Packages Projects Releases Wiki Activity
Files
85828ea695397beec4b53a1fef4f649e3689a2cc
Charon/backend/internal/api/handlers/backup_handler_sanitize_test.go
T
GitHub Actions 4d639698bb Enhance logging security by sanitizing sensitive data 
- Implemented filename sanitization in backup, import, and certificate handlers to prevent log injection attacks.
- Added tests to ensure filenames are sanitized correctly in backup and import handlers.
- Updated notification and domain handlers to sanitize domain names before logging.
- Introduced middleware functions for sanitizing request paths and headers to redact sensitive information in logs.
- Enhanced recovery middleware to sanitize logged paths and headers during panic situations.
- Updated various services to log sanitized values for sensitive fields.
2025-12-01 16:22:21 +00:00

51 lines
1.5 KiB
Go
Raw Blame History

package handlers
import (
"bytes"
"net/http"
"net/http/httptest"
"path/filepath"
"testing"
"strings"
"os"
"github.com/Wikid82/charon/backend/internal/logger"
"github.com/Wikid82/charon/backend/internal/services"
"github.com/gin-gonic/gin"
)
func TestBackupHandlerSanitizesFilename(t *testing.T) {
gin.SetMode(gin.TestMode)
tmpDir := t.TempDir()
// prepare a fake "database"
dbPath := filepath.Join(tmpDir, "db.sqlite")
if err := os.WriteFile(dbPath, []byte("db"), 0o644); err != nil {
t.Fatalf("failed to create tmp db: %v", err)
}
svc := &services.BackupService{DataDir: tmpDir, BackupDir: tmpDir, DatabaseName: "db.sqlite", Cron: nil}
h := NewBackupHandler(svc)
router := gin.New()
router.GET("/backups/:filename/restore", h.Restore)
// initialize logger to buffer
buf := &bytes.Buffer{}
logger.Init(true, buf)
// Create a malicious filename with newline and path components
malicious := "../evil\nname"
// Use path escape to send as URL
req := httptest.NewRequest(http.MethodPost, "/backups/"+strings.ReplaceAll(malicious, "\n", "%0A")+"/restore", nil)
w := httptest.NewRecorder()
router.ServeHTTP(w, req)
out := buf.String()
if strings.Contains(out, "\n") {
t.Fatalf("log contained raw newline in filename: %s", out)
}
if strings.Contains(out, "..") {
t.Fatalf("log contained path traversals in filename: %s", out)
}
}
Reference in New Issue View Git Blame Copy Permalink