Security review fixes (Opus audit)#2
Merged
Merged
Conversation
Closes the two reachable vulnerabilities from the security review: - GO-2026-4762: grpc-go authorization bypass via missing leading slash in :path - GO-2026-4394: otel SDK code execution via PATH-resolved binary in resource detection govulncheck now reports 0 vulnerabilities affecting our code. Co-Authored-By: Claude Fable 5 <[email protected]>
JWT bundle: - add StreamServerInterceptor so streaming RPCs are authenticated (shared auth helper with unary); was a silent auth gap (#2) - RequireHTTPS no longer trusts X-Forwarded-Proto unless TrustedProxyHeader opt-in is set (#10) httpclient bundle: - strip Authorization + API-key header on cross-host redirects (#5) - sanitize URL in error-log path, matching success path (#12) - opt-in AllowedHosts SSRF guard on request and RawRequest paths (#14) framework + health: - redact raw dependency error strings from public health endpoint bodies; full detail stays in logs (#4) - opt-in basic auth for /metrics with constant-time comparison; warn when unauthenticated in production (#6) - block pprof outside development (was leaking in staging; old branch warned but never returned) (#7) - add Vary: Origin when reflecting a CORS origin (#13) config + configloader + redis: - gRPC reflection now requires explicit EnableReflection, not implicit in dev (#8) - redact connection-string values (DATABASE_URL/REDIS_URL) by name and URL-userinfo parsing (#9) - unique rate-limiter ZSET members to prevent same-nanosecond undercount (#11) govulncheck: 0 vulnerabilities affecting our code. Co-Authored-By: Claude Fable 5 <[email protected]>
Co-Authored-By: Claude Fable 5 <[email protected]>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Addresses all actionable findings from the Opus security review. Split across dependency bumps + four scoped areas; every fix verified with
golangci-lint(v2.12.2, matching CI), full-racesuite, andgovulncheck.HIGH
:path) — bumped grpc-go v1.75.1 → v1.79.3. Was the only reachable CVE undermining path/method authz.StreamServerInterceptor()sharing one auth helper with the unary path.MEDIUM
dial tcp 10.0.1.5:5432: ...) were served unauthenticated. Public endpoint bodies are now redacted (name + status only); full detail still goes to logs./health,/health/ready,/health/liveresponse body — the per-checkerrorfield is gone.Authorizationbut not custom headers on cross-domain redirects. Added aCheckRedirectthat dropsAuthorization+ the API-key header on host change.HTTPServerConfig; warns when unauthenticated in production. Default behavior unchanged.IsProduction()-only, and the staging branch warned but never returned, so pprof actually registered in staging. Now blocked outside development.LOW
EnableReflection(was implicitly on in dev, and dev is the default env).DATABASE_URL/REDIS_URL) by name and by URL-userinfo parsing.RequireHTTPSno longer trustsX-Forwarded-ProtounlessTrustedProxyHeaderopt-in is set.Vary: Originwhen reflecting an origin.AllowedHostsSSRF guard on httpclient request paths.Verified sound (no change needed)
JWT algorithm confusion (HS256 pinned), 32-byte secret minimum, full claim validation, no-cache of server-side validation, atomic Lua lock unlock, no dynamic SQL, httpclient TLS floor, CORS wildcard+credentials rejection.
Known residual (follow-up, not in this PR)
AllowedHostsvalidates the initial URL only, not redirect targets — a redirect to a disallowed host isn't blocked (though credentials are stripped on cross-host hops per the redirect fix).govulnchecknow reports 0 vulnerabilities affecting our code (was 2 reachable).🤖 Generated with Claude Code