olemd/favoritter
1
0
Fork 0
Code Issues Pull requests Projects Releases 1 Packages Wiki Activity Actions
favoritter/internal/handler/feed.go
Ole-Morten Duesund 395b1b7523 fix: address security and quality issues from code review 
Security fixes:
- Fix XSS in Atom feed: escape user-supplied URLs in HTML content
- Wrap signup request approval in a transaction to prevent
  partial state on crash (user created but request still pending)
- Stop leaking internal error messages to admin UI
- Add request body size limit on API import endpoint
- Log SetMustResetPassword errors instead of silently discarding

Correctness fixes:
- Handle errors from API fave update/delete instead of returning
  success on failure
- Use actual data timestamp for feed <updated> instead of
  time.Now() (improves HTTP caching)
- Replace hardcoded 10000 export limit with named constant
  (maxExportFaves = 100000)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-29 16:19:44 +02:00

171 lines
4.4 KiB
Go
Raw Blame History

// SPDX-License-Identifier: AGPL-3.0-or-later
package handler
import (
"errors"
"html"
"log/slog"
"net/http"
"strconv"
"time"
"github.com/gorilla/feeds"
"kode.naiv.no/olemd/favoritter/internal/model"
"kode.naiv.no/olemd/favoritter/internal/store"
)
const feedPageSize = 50
// handleFeedGlobal generates an Atom feed of all public faves.
func (h *Handler) handleFeedGlobal(w http.ResponseWriter, r *http.Request) {
baseURL := h.deps.Config.BaseURL(r.Host)
faves, _, err := h.deps.Faves.ListPublic(feedPageSize, 0)
if err != nil {
slog.Error("feed: list public error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if err := h.deps.Faves.LoadTags(faves); err != nil {
slog.Error("feed: load tags error", "error", err)
}
settings, _ := h.deps.Settings.Get()
siteName := "Favoritter"
if settings != nil {
siteName = settings.SiteName
}
feed := &feeds.Feed{
Title: siteName + " — Siste favoritter",
Link: &feeds.Link{Href: baseURL},
Description: "Siste offentlige favoritter",
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
h.writeAtom(w, feed)
}
// handleFeedUser generates an Atom feed for a user's public faves.
func (h *Handler) handleFeedUser(w http.ResponseWriter, r *http.Request) {
username := r.PathValue("username")
baseURL := h.deps.Config.BaseURL(r.Host)
user, err := h.deps.Users.GetByUsername(username)
if err != nil {
if errors.Is(err, store.ErrUserNotFound) {
http.NotFound(w, r)
return
}
slog.Error("feed: get user error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if user.Disabled || user.ProfileVisibility == "limited" {
http.NotFound(w, r)
return
}
faves, _, err := h.deps.Faves.ListPublicByUser(user.ID, feedPageSize, 0)
if err != nil {
slog.Error("feed: list user faves error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if err := h.deps.Faves.LoadTags(faves); err != nil {
slog.Error("feed: load tags error", "error", err)
}
feed := &feeds.Feed{
Title: user.DisplayNameOrUsername() + " sine favoritter",
Link: &feeds.Link{Href: baseURL + "/u/" + user.Username},
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
h.writeAtom(w, feed)
}
// handleFeedTag generates an Atom feed for a tag's public faves.
func (h *Handler) handleFeedTag(w http.ResponseWriter, r *http.Request) {
tagName := r.PathValue("name")
baseURL := h.deps.Config.BaseURL(r.Host)
faves, _, err := h.deps.Faves.ListByTag(tagName, feedPageSize, 0)
if err != nil {
slog.Error("feed: list by tag error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
if err := h.deps.Faves.LoadTags(faves); err != nil {
slog.Error("feed: load tags error", "error", err)
}
feed := &feeds.Feed{
Title: "Favoritter med merkelapp: " + tagName,
Link: &feeds.Link{Href: baseURL + "/tags/" + tagName},
Updated: feedUpdatedTime(faves),
}
feed.Items = favesToFeedItems(faves, baseURL)
h.writeAtom(w, feed)
}
func favesToFeedItems(faves []*model.Fave, baseURL string) []*feeds.Item {
items := make([]*feeds.Item, 0, len(faves))
for _, f := range faves {
item := &feeds.Item{
Title: f.Description,
Link: &feeds.Link{Href: baseURL + "/faves/" + itoa(f.ID)},
Author: &feeds.Author{Name: f.DisplayName},
Created: f.CreatedAt,
Updated: f.UpdatedAt,
}
if f.URL != "" {
escaped := html.EscapeString(f.URL)
item.Content = `<p><a href="` + escaped + `">` + escaped + `</a></p>`
}
if f.ImagePath != "" {
item.Enclosure = &feeds.Enclosure{
Url: baseURL + "/uploads/" + f.ImagePath,
Type: "image/jpeg",
}
}
items = append(items, item)
}
return items
}
func (h *Handler) writeAtom(w http.ResponseWriter, feed *feeds.Feed) {
atom, err := feed.ToAtom()
if err != nil {
slog.Error("feed: generate atom error", "error", err)
http.Error(w, "Internal error", http.StatusInternalServerError)
return
}
w.Header().Set("Content-Type", "application/atom+xml; charset=utf-8")
w.Write([]byte(atom))
}
// feedUpdatedTime returns the most recent UpdatedAt from the faves,
// falling back to now if the list is empty.
func feedUpdatedTime(faves []*model.Fave) time.Time {
if len(faves) > 0 {
return faves[0].UpdatedAt
}
return time.Now()
}
func itoa(n int64) string {
return strconv.FormatInt(n, 10)
}
Reference in a new issue View git blame Copy permalink