Commit Graph

89 Commits

Author SHA1 Message Date
Stefan Prodan
2ca58cf0a4 Migrate JWT to registered claims
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-05-20 11:11:58 +03:00
Stefan Prodan
4920afdafb Improve test coverage of the HTTP API
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-05-20 11:07:35 +03:00
Stefan Prodan
7d8e7005b1 Refactor response header settings
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-05-20 10:50:31 +03:00
Niccolò Parlanti
6210e0a920 test(echo): assert nosniff Content-Type on echo direct-response
Regression test for CVE-2026-43644, mirroring the TestStoreReadHandler_ContentType
test added in #463. Verifies the echoHandler direct-response branch returns
application/octet-stream, X-Content-Type-Options: nosniff, and a restrictive CSP
so an HTML payload cannot be MIME-sniffed and executed.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-16 23:47:28 +02:00
Niccolò Parlanti
b65271f0d9 fix(echo): set Content-Type to prevent MIME-sniff XSS (CVE-2026-43644)
Use tab indentation to match gofmt.

Signed-off-by: Niccolò Parlanti <54103711+Niccolo10@users.noreply.github.com>
2026-05-15 12:51:00 +02:00
Stefan Prodan
620b9b7e2c Fix path traversal in /store endpoint
Validate that the hash URL parameter matches the expected SHA1 hex
format (40 lowercase hex characters) before using it in file path
operations.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-14 15:02:25 +02:00
Stefan Prodan
550ee9f7b9 Fix stored XSS in /store endpoint (CVE-2025-70849)
Set Content-Type to application/octet-stream in storeReadHandler
to prevent Go's content sniffing from serving HTML payloads as
text/html. Add X-Content-Type-Options: nosniff to prevent browsers
from overriding Content-Type via MIME sniffing, and
Content-Security-Policy: default-src 'none' to block script
execution as defense-in-depth.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2026-03-14 14:40:55 +02:00
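The two /store fixes above (hash validation against path traversal, and the explicit Content-Type plus nosniff and CSP headers against stored XSS, which is also the point of the echo fix and its regression test earlier in the log) shown together in one hardened read handler. This is an added example, not podinfo's own code: the in-memory map standing in for the on-disk store, the names StoreReadHandler, ValidateHash, SetDownloadHeaders and Get, and the HTML sample object are assumptions made so the example runs offline. The Get helper calls the handler directly rather than through a ServeMux so the raw, uncleaned path (including "../") reaches the validation, which is the case the check must handle.

```go
package main

import (
	"crypto/sha1"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// Constructed sample object: an HTML payload that a browser would render if the
// response were sniffed as text/html. Its SHA1 is the key it is stored under.
var HTMLPayload = []byte("<html><script>alert(document.domain)</script></html>")
var PayloadHash = fmt.Sprintf("%x", sha1.Sum(HTMLPayload))

// In-memory stand-in for the on-disk store (assumption: the real endpoint reads
// files named by hash from a directory; a map keeps this example offline).
var store = map[string][]byte{PayloadHash: HTMLPayload}

// hashRe is the rule from the path-traversal fix: exactly 40 lowercase hex characters.
var hashRe = regexp.MustCompile(`^[0-9a-f]{40}$`)

var ErrBadHash = errors.New("hash must be 40 lowercase hex characters")

// ValidateHash rejects anything that is not a canonical SHA1 hex digest, so values
// like "../../etc/passwd" or "abc/../secret" never reach a filesystem call.
func ValidateHash(hash string) error {
	if !hashRe.MatchString(hash) {
		return ErrBadHash
	}
	return nil
}

// SetDownloadHeaders applies the headers from the stored-XSS fix: an explicit
// binary Content-Type (so net/http never runs DetectContentType on the body),
// nosniff so browsers honour that type, and a CSP that blocks script execution
// as defence in depth.
func SetDownloadHeaders(h http.Header) {
	h.Set("Content-Type", "application/octet-stream")
	h.Set("X-Content-Type-Options", "nosniff")
	h.Set("Content-Security-Policy", "default-src 'none'")
}

// StoreReadHandler serves GET /store/{hash}. The hash is validated before any
// lookup, and the headers are set before the first Write, which is what makes
// the explicit Content-Type stick.
func StoreReadHandler(w http.ResponseWriter, r *http.Request) {
	hash := strings.TrimPrefix(r.URL.Path, "/store/")
	if err := ValidateHash(hash); err != nil {
		http.Error(w, err.Error(), http.StatusBadRequest)
		return
	}
	body, ok := store[hash]
	if !ok {
		http.NotFound(w, r)
		return
	}
	SetDownloadHeaders(w.Header())
	w.WriteHeader(http.StatusOK)
	_, _ = w.Write(body)
}

// Result captures what a regression test for the handler asserts on.
type Result struct {
	Status                    int
	ContentType, Nosniff, CSP string
	Body                      string
}

// Get runs the handler in-process against an httptest recorder. The handler is
// called directly, not via a ServeMux, so the raw path is not cleaned first.
func Get(path string) Result {
	rec := httptest.NewRecorder()
	StoreReadHandler(rec, httptest.NewRequest(http.MethodGet, path, nil))
	res := rec.Result()
	return Result{
		Status:      res.StatusCode,
		ContentType: res.Header.Get("Content-Type"),
		Nosniff:     res.Header.Get("X-Content-Type-Options"),
		CSP:         res.Header.Get("Content-Security-Policy"),
		Body:        rec.Body.String(),
	}
}

func main() {
	fmt.Printf("%+v\n", Get("/store/"+PayloadHash))
	fmt.Printf("%+v\n", Get("/store/../../etc/passwd"))
	fmt.Printf("%+v\n", Get("/store/"+strings.ToUpper(PayloadHash)))
}
```

The validation is deliberately a whitelist on the exact expected shape rather than a blacklist of "..": uppercase hex, a 39-character digest, or a digest with a trailing path segment all fail the same regexp, so there is no second parser to desynchronise from the filesystem.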
Hans van den Bogert
7cc399463c feat(logging): add trace_id to debug log line
... if it exists in the context
2025-03-10 21:48:25 +01:00
Prashant Dwivedi
b10c3067c8 Removed the whitespaces
Signed-off-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-06-23 22:47:58 +05:30
Prashant Dwivedi
85cd1c46d4 Removed unnecessary comments and whitespaces
Signed-off-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-06-23 21:59:50 +05:30
Prashant Dwivedi
1a6838a4a2 Merge branch 'master' of github.com:Prashant-Dwivedi-08-01/podinfo into grpc_APIs 2024-06-07 20:27:13 +05:30
Rodrigo Fior Kuntzer
eba7fe186e fix: panic when the WebSocket endpoint is under load 2024-05-23 10:01:01 +02:00
Prashant Dwivedi
9108833214 Added the token Validate api and updated the test for it 2024-05-09 12:56:54 +05:30
Prashant Dwivedi
386ceb09be Added the grpc APIs for the remaining HTTP apis 2024-05-08 00:25:37 +05:30
needsure
37fa020bcd chore: fix some typos in comments
Signed-off-by: needsure <qinzhipeng@outlook.com>
2024-04-09 16:45:31 +08:00
Michael Kebe
16191504d1 Removed reference to localhost from swagger
Now it is possible to use the swagger web interface
running on a host other than localhost e.g. in docker
or kubernetes.

Removed the @host line from pkg/api/server.go and
ran make swagger.

Probably fixes #179
2024-04-09 08:54:38 +02:00
JayKaku
2251bee699 Fixed parsing logger in echo_test.go service registration 2024-02-24 23:44:12 +05:30
JayKaku
8535efccb7 Implemented zap logger in place of log | grpc echo 2024-02-24 23:44:12 +05:30
JayKaku
e008d1f261 Added config, logger for grpc echo api 2024-02-24 23:44:12 +05:30
Jay Kaku
22097353d2 Feature grpc version echo api (#3)
added grpc version and echo apis

---------

Co-authored-by: Prashant Dwivedi <prashantdwivedi194@gmail.com>
2024-02-24 23:44:12 +05:30
JayKaku
c305843105 restructured api to api/http, api/grpc, pkg http 2024-02-24 23:44:12 +05:30
Stefan Prodan
0278e11a05 Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-09-22 23:24:32 +03:00
Jacob Chambliss
7280e43cbf chore: add pathprefix to enable dynamic paths for echo 2023-06-08 10:14:21 -05:00
Jacob Chambliss
3ef0b4cd09 feat: add dynamic path support for echo endpoint 2023-06-07 16:55:25 -05:00
Stefan Prodan
2a6533c68a Update dependencies
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-05-03 17:00:48 +03:00
Stefan Prodan
bbce3f3f67 Update dependencies
- github.com/spf13/cobra v1.7.0
- github.com/swaggo/http-swagger v1.3.4
- github.com/swaggo/swag v1.8.12
- google.golang.org/grpc v1.54.0

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-04-06 10:35:43 +03:00
Stefan Prodan
298c1ae941 Update dependencies
- Replace `dgrijalva/jwt-go` with `golang-jwt/jwt`
- Replace `ioutil` with `io` and `os`

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2023-02-03 11:42:17 +02:00
Kajetan
0d62402ae9 Graceful shutdown 2022-10-18 17:31:51 +02:00
Stefan Prodan
394c40e3ff Update Swagger packages and definition
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-07-27 18:59:22 +03:00
FlomoN
2eb17d80c8 add some more params to other api routes with path based params 2022-06-20 18:37:13 +02:00
FlomoN
678a42ce34 recreate docs 2022-06-20 18:26:34 +02:00
FlomoN
8697f091f3 Add params to godoc for cache 2022-06-20 14:20:34 +02:00
Paul Carlton
19603ddfc1 Fix panic triggering via HTTP API (#197)
Fix GET /panic

The GET /panic api call is not working due to the logger.Panic method
failing to call panic. This change replaces the logger.Panic method
call with logger.Info and adds a call to os.Exit(255).
2022-05-24 12:03:54 +03:00
Martín Montes
065a18c258 Adapted cache to support redis authentication 2022-03-23 22:13:14 +01:00
Stefan Prodan
be80733cea Disable tracing by default
To enable OTEL tracing, the `--otel-service-name` flag must be set.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2022-03-12 12:58:39 +02:00
Rajat Vig
38a7952407 Reformat 2022-01-10 16:19:45 +00:00
Rajat Vig
de90d92697 Remove default to insecure GRPC 2022-01-02 00:19:18 +00:00
Rajat Vig
22ee79fcb8 Add the copyheaders code back 2021-12-22 14:13:36 +00:00
Rajat Vig
c4f2a6c5e6 Setup different name; Copying of headers is not required for spans 2021-12-22 01:29:21 +00:00
Rajat Vig
ab9f7410c2 Get a docker-compose for example; Port code to otel-grpc 2021-12-22 01:09:49 +00:00
Rajat Vig
2c85a72737 Add back copyTraceHeaders() as OpenTelemetry does not default propagate 2021-12-16 14:12:32 +00:00
Rajat Vig
3970a3a323 Add noop tracer to the mockServer; migrate to go 1.17 2021-12-16 13:37:01 +00:00
Ilya Dmitrichenko
61d6ed42f5 Add OpenTelemetry tracer 2021-12-16 12:39:10 +00:00
Kajetan
6c596bf19b Remove duplicated endpoint 2021-11-14 14:36:09 +01:00
Stefan Prodan
6a78560d28 Update dgrijalva/jwt-go to v4 (#133)
Fix for CVE-2020-26160 https://avd.aquasec.com/nvd/cve-2020-26160/

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-05-13 15:30:43 +03:00
Brian Fox
8c93f05fa9 feat: add option to bind service to specific host 2021-04-16 08:07:56 +02:00
Stefan Prodan
885a35eebf Update Go to v1.16
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2021-03-21 13:37:26 +02:00
Deavon M. McCaffery
c38f357872 feat(podinfo): add secure port for end-to-end tls
* add `secure-port` argument to podinfo
* add `cert-path` argument to podinfo
* add http server for secure port
* normalise http/https server start
2020-11-17 23:01:41 +00:00
Stefan Prodan
13f7ec7ba1 Update swagger docs
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
2020-10-28 11:22:26 +02:00
Chris Loukas
20a136a73c Revisit random-delay
If enabled it will still delay randomly between 0-5 seconds.

However, the functionality to fine grain this is added.
Both seconds and milliseconds are supported now. Moreover,
min/max values for random delay can be configured through
pflag params
2020-06-25 11:41:21 +03:00