lolly

xfy/lolly

Fork 0

Commit Graph

Author	SHA1	Message	Date
xfy	8224ae7ff3	feat(middleware/cors): add CORS middleware with server-level configuration Implement Cross-Origin Resource Sharing (CORS) middleware following the middleware.Middleware interface pattern. New config under security.cors: - enabled: toggle CORS handling (default false) - allowed_origins: exact origin list or ["*"] wildcard - allowed_methods: allowed HTTP methods for preflight - allowed_headers: allowed request headers for preflight - expose_headers: headers visible to frontend JS - allow_credentials: send cookies (incompatible with wildcard origin) - max_age: preflight cache duration in seconds Validation: - origins+credentials mutual exclusion per CORS spec - max_age non-negative check Integration: - Registered after SecurityHeaders, before ErrorIntercept in middleware chain - Preflight (OPTIONS) returns 204 with CORS headers, skips handler - Actual requests add CORS headers after handler execution - Non-matching origins pass through without CORS headers - 16 unit tests covering all scenarios	2026-06-11 23:41:38 +08:00
xfy911	65aaba4e59	docs(config): add package comments for config module - Add package documentation for cache, monitoring, performance, proxy, security, server, ssl, and variable config files - Include author attribution (xfy)	2026-06-03 15:28:53 +08:00
xfy	179090fa34	fix(security): 修复 2 个 CRITICAL + 6 个 HIGH 安全与代码质量问题安全修复: - ConnLimiter Acquire() TOCTOU 竞态: atomic.AddInt64 替代 loadInt64+addInt64 - Cache Purge token 时序侧信道: 改用 subtle.ConstantTimeCompare - Lua Cosocket SSRF: 新增 ip_guard 两层 IP 检查（字面量+解析后），拒绝私有/回环地址 - X-Accel-Redirect 路径遍历: urlpath.Clean + 前缀拒绝（/internal/ /admin/） - CRLF 注入: containsCRLF 校验变量展开后的 header 值，logging.Warn 可观测 - Proxy URI 注入: bytes.ContainsAny 检查 path 中的 @\r\n 危险字符代码质量: - disk_cache.go Set() 7 处静默 return 改为 logging.Error 日志记录 - config.go 从 2392 行拆分为 9 个按域文件（config/server/proxy/security/ssl/cache/performance/monitoring/variable）验证: go build + vet + golangci-lint(0 issues) + test(83.2% 无回归) + race detector 全部通过 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-28 10:13:47 +08:00

Author

SHA1

Message

Date

xfy

8224ae7ff3

feat(middleware/cors): add CORS middleware with server-level configuration

Implement Cross-Origin Resource Sharing (CORS) middleware following the
middleware.Middleware interface pattern.

New config under security.cors:
- enabled: toggle CORS handling (default false)
- allowed_origins: exact origin list or ["*"] wildcard
- allowed_methods: allowed HTTP methods for preflight
- allowed_headers: allowed request headers for preflight
- expose_headers: headers visible to frontend JS
- allow_credentials: send cookies (incompatible with wildcard origin)
- max_age: preflight cache duration in seconds

Validation:
- origins+credentials mutual exclusion per CORS spec
- max_age non-negative check

Integration:
- Registered after SecurityHeaders, before ErrorIntercept in middleware chain
- Preflight (OPTIONS) returns 204 with CORS headers, skips handler
- Actual requests add CORS headers after handler execution
- Non-matching origins pass through without CORS headers
- 16 unit tests covering all scenarios

2026-06-11 23:41:38 +08:00

xfy911

65aaba4e59

docs(config): add package comments for config module

- Add package documentation for cache, monitoring, performance, proxy,
  security, server, ssl, and variable config files
- Include author attribution (xfy)

2026-06-03 15:28:53 +08:00

xfy

179090fa34

fix(security): 修复 2 个 CRITICAL + 6 个 HIGH 安全与代码质量问题

安全修复:
- ConnLimiter Acquire() TOCTOU 竞态: atomic.AddInt64 替代 loadInt64+addInt64
- Cache Purge token 时序侧信道: 改用 subtle.ConstantTimeCompare
- Lua Cosocket SSRF: 新增 ip_guard 两层 IP 检查（字面量+解析后），拒绝私有/回环地址
- X-Accel-Redirect 路径遍历: urlpath.Clean + 前缀拒绝（/internal/ /admin/）
- CRLF 注入: containsCRLF 校验变量展开后的 header 值，logging.Warn 可观测
- Proxy URI 注入: bytes.ContainsAny 检查 path 中的 @\r\n 危险字符

代码质量:
- disk_cache.go Set() 7 处静默 return 改为 logging.Error 日志记录
- config.go 从 2392 行拆分为 9 个按域文件（config/server/proxy/security/ssl/cache/performance/monitoring/variable）

验证: go build + vet + golangci-lint(0 issues) + test(83.2% 无回归) + race detector 全部通过

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-28 10:13:47 +08:00

3 Commits