Regression test for CVE-2026-43644, mirroring the TestStoreReadHandler_ContentType
test added in #463. Verifies the echoHandler direct-response branch returns
application/octet-stream, X-Content-Type-Options: nosniff, and a restrictive CSP
so an HTML payload cannot be MIME-sniffed and executed.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Validate that the hash URL parameter matches the expected SHA1 hex
format (40 lowercase hex characters) before using it in file path
operations.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
Set Content-Type to application/octet-stream in storeReadHandler
to prevent Go's content sniffing from serving HTML payloads as
text/html. Add X-Content-Type-Options: nosniff to prevent browsers
from overriding Content-Type via MIME sniffing, and
Content-Security-Policy: default-src 'none' to block script
execution as defense-in-depth.
Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
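The two fixes described in the commit messages above (SHA1 hex validation of the hash parameter, and explicit Content-Type plus nosniff and CSP headers on the store read path) are shown together below in a self-contained Go example. This is added illustrative code, not the project's own handler: the route shape /store/<hash>, the map-backed store standing in for the on-disk blob store, and the handler names storeReadHandler / unsafeReadHandler are assumptions made for the example. The HTML payload in the store is constructed so the before/after difference in the sniffed Content-Type is visible.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"strings"
)

// sha1Hex is the only shape a store key may take: exactly 40 lowercase hex
// characters. Uppercase, "..", "/", or a wrong length all fail the match, so
// the value never reaches a filesystem path in any other form.
var sha1Hex = regexp.MustCompile(`^[0-9a-f]{40}$`)

// validHash reports whether s is a well-formed SHA1 hex key.
func validHash(s string) bool { return sha1Hex.MatchString(s) }

// store stands in for the blob store (constructed for this example). The
// value is an HTML payload that a browser would execute if served as text/html.
var store = map[string][]byte{
	"da39a3ee5e6b4b0d3255bfef95601890afd80709": []byte("<html><script>alert(1)</script></html>"),
}

// storeReadHandler is the hardened form. Headers are set before the first
// Write: net/http (and httptest's recorder) only sniff a Content-Type when
// the handler has not set one by the time the body starts.
func storeReadHandler(w http.ResponseWriter, r *http.Request) {
	hash := strings.TrimPrefix(r.URL.Path, "/store/") // assumed route shape
	if !validHash(hash) {
		http.Error(w, "invalid hash", http.StatusBadRequest)
		return
	}
	data, ok := store[hash]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	h := w.Header()
	h.Set("Content-Type", "application/octet-stream")   // no sniffing by Go
	h.Set("X-Content-Type-Options", "nosniff")          // no sniffing by browsers
	h.Set("Content-Security-Policy", "default-src 'none'") // defense-in-depth
	w.Write(data)
}

// unsafeReadHandler is the "before" form: same lookup, no validation and no
// headers, so the server sniffs the body and answers text/html.
func unsafeReadHandler(w http.ResponseWriter, r *http.Request) {
	hash := strings.TrimPrefix(r.URL.Path, "/store/")
	data, ok := store[hash]
	if !ok {
		http.Error(w, "not found", http.StatusNotFound)
		return
	}
	w.Write(data)
}

// get runs a handler against a synthetic GET and returns the recorded response.
func get(h http.HandlerFunc, path string) *http.Response {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	return rec.Result()
}

func main() {
	const key = "/store/da39a3ee5e6b4b0d3255bfef95601890afd80709"
	for name, h := range map[string]http.HandlerFunc{"unsafe": unsafeReadHandler, "hardened": storeReadHandler} {
		resp := get(h, key)
		fmt.Printf("%-8s %d %q nosniff=%q csp=%q\n", name, resp.StatusCode,
			resp.Header.Get("Content-Type"), resp.Header.Get("X-Content-Type-Options"),
			resp.Header.Get("Content-Security-Policy"))
	}
	resp := get(storeReadHandler, "/store/../../etc/passwd")
	fmt.Println("traversal attempt:", resp.StatusCode)
}
```

The ordering matters: calling w.Header().Set after the first w.Write has no effect, because the header block has already gone out, which is the point at which Go's sniffing would have decided text/html.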
Now it is possible to use the swagger web interface
running on a host other than localhost, e.g. in docker
or kubernetes.
Removed the @host line from pkg/api/server.go and
ran make swagger.
Probably fixes #179