github/podinfo
1
0
Fork 0
mirror of https://github.com/stefanprodan/podinfo.git synced 2026-04-09 04:26:55 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,129 Commits 11 Branches 105 Tags
6.11.2
Commit Graph

6 Commits

Author SHA1 Message Date
Stefan Prodan
620b9b7e2c Fix path traversal in /store endpoint 
Validate that the hash URL parameter matches the expected SHA1 hex
format (40 lowercase hex characters) before using it in file path
operations.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
 2026-03-14 15:02:25 +02:00
Stefan Prodan
550ee9f7b9 Fix stored XSS in /store endpoint (CVE-2025-70849) 
Set Content-Type to application/octet-stream in storeReadHandler
to prevent Go's content sniffing from serving HTML payloads as
text/html. Add X-Content-Type-Options: nosniff to prevent browsers
from overriding Content-Type via MIME sniffing, and
Content-Security-Policy: default-src 'none' to block script
execution as defense-in-depth.

Signed-off-by: Stefan Prodan <stefan.prodan@gmail.com>
 2026-03-14 14:40:55 +02:00
Hans van den Bogert
7cc399463c feat(logging): add trace_id to debug log line 
... if exists in context
 2025-03-10 21:48:25 +01:00
Rodrigo Fior Kuntzer
eba7fe186e fix: panic when the WebSocket endpoint is under load 2024-05-23 10:01:01 +02:00
Michael Kebe
16191504d1 Removed reference to localhost from swagger 
Now it is possible to use the swagger webinterface
running on a host other than localhost e.g. in docker
or kubernetes.

Removed the @host line from pkg/api/server.go and
ran make swagger.

Fixes probably #179
 2024-04-09 08:54:38 +02:00
JayKaku
c305843105 restructured api to api/http, api/grpc, pkg http 2024-02-24 23:44:12 +05:30