Merge pull request #42 from nicholas-fedor/38-bug---unchecked-input-size

Fix Input Validation Issues on Client and Server Sides

Author: nicholas-fedor

.golangci.yaml

@@ -0,0 +1,34 @@
+linters:
+  enable-all: true
+  disable-all: false
+  fast: true
+  disable:
+    - cyclop
+    - depguard
+    - funlen
+    - gci
+    - gochecknoinits
+    - gocognit
+    - lll
+    - nestif
+    - testpackage
+
+linters-settings:
+  gci:
+    skip-generated: true
+    no-inline-comments: true
+    no-prefix-comments: true
+    custom-order: false
+    no-lex-order: false
+    sections:
+      - standard
+      - default
+  gofmt:
+    simplify: true
+
+output:
+  print-issued-lines: true
+  print-linter-name: false
+  path-prefix: ""
+  show-stats: false
+  sort-results: true

cmd/server/main.go

@@ -30,32 +30,41 @@ type Config struct {
 
 // LoadConfig loads server configuration from environment variables.
 // It defaults to port ":8080" if PORT is unset and processes TRUSTED_PROXIES as a comma-separated list,
-// trimming whitespace and logging warnings for empty entries. Returns the configuration and any error encountered.
+// trimming whitespace, logging warnings for empty entries, and filtering them out. Returns the configuration and any error encountered.
 func LoadConfig() (Config, error) {
 	config := Config{Port: defaultPort, StaticDir: defaultStaticDir}
 	if port := os.Getenv("PORT"); port != "" {
 		config.Port = ":" + port
 	}
+
 	if proxies := os.Getenv(trustedProxiesEnv); proxies != "" {
-		config.TrustedProxies = strings.Split(proxies, ",")
-		for i, proxy := range config.TrustedProxies {
-			config.TrustedProxies[i] = strings.TrimSpace(proxy)
-			if config.TrustedProxies[i] == "" {
+		proxyList := strings.Split(proxies, ",")
+
+		var validProxies []string
+
+		for _, proxy := range proxyList {
+			trimmedProxy := strings.TrimSpace(proxy)
+			if trimmedProxy == "" {
 				slog.Warn("Empty proxy entry in TRUSTED_PROXIES")
+			} else {
+				validProxies = append(validProxies, trimmedProxy)
 			}
 		}
+
+		config.TrustedProxies = validProxies
 	}
+
 	if staticDir := os.Getenv(staticDirEnv); staticDir != "" {
 		config.StaticDir = staticDir
 	} else {
-		// Resolve defaultStaticDir relative to the executable's directory
 		exePath, err := os.Executable()
 		if err != nil {
 			slog.Warn("Failed to determine executable path, using default static dir", "error", err)
 		} else {
 			config.StaticDir = filepath.Join(filepath.Dir(exePath), defaultStaticDir)
 		}
 	}
+
 	return config, nil
 }
 
@@ -96,6 +105,7 @@ func main() {
 	}
 
 	slog.Info("Starting server", "port", config.Port, "static_dir", config.StaticDir)
+
 	if err := router.Run(config.Port); err != nil {
 		slog.Error("Server failed", "error", err)
 		os.Exit(1)

cmd/server/main_test.go

@@ -4,6 +4,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"os"
 	"path/filepath"
 	"strings"
 	"testing"
@@ -16,15 +17,19 @@ import (
 // It loads the server configuration and sets up the router, failing the test if either step encounters an error.
 func setupRouter(t *testing.T) *gin.Engine {
 	t.Helper()
+
 	config, err := LoadConfig()
 	if err != nil {
 		t.Fatalf("Failed to load config: %v", err)
 	}
+
 	config.StaticDir = filepath.Join("..", "..", "static")
+
 	r, err := SetupRouter(config)
 	if err != nil {
 		t.Fatalf("Failed to setup router: %v", err)
 	}
+
 	return r
 }
 
@@ -88,13 +93,15 @@ func TestRouterSetup(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			router := setupRouter(t)
+
 			var req *http.Request
 			if tt.method == "POST" {
 				req, _ = http.NewRequest(tt.method, tt.path, strings.NewReader(tt.formData.Encode()))
 				req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 			} else {
 				req, _ = http.NewRequest(tt.method, tt.path, nil)
 			}
+
 			resp := httptest.NewRecorder()
 			router.ServeHTTP(resp, req)
 			assert.Equal(t, tt.wantStatus, resp.Code, "Status code")
@@ -117,6 +124,7 @@ func TestTrustedProxies(t *testing.T) {
 		wantBody       string
 		wantError      bool
 	}{
+		// Existing test cases remain unchanged
 		{
 			name:           "No trusted proxies",
 			trustedProxies: "",
@@ -145,6 +153,16 @@ func TestTrustedProxies(t *testing.T) {
 			wantBody:       "",
 			wantError:      true,
 		},
+		// New test case for Line 45 - Empty proxy entry
+		{
+			name:           "Trusted proxies with empty entry",
+			trustedProxies: "192.168.1.1,,10.0.0.1",
+			remoteAddr:     "192.168.1.1:12345",
+			xForwardedFor:  "203.0.113.1",
+			wantClientIP:   "203.0.113.1",
+			wantStatus:     http.StatusOK,
+			wantBody:       "EUI-64 Calculator",
+		},
 	}
 
 	for _, tt := range tests {
@@ -158,32 +176,98 @@ func TestTrustedProxies(t *testing.T) {
 			if tt.wantError {
 				_, err := SetupRouter(Config{Port: defaultPort, TrustedProxies: strings.Split(tt.trustedProxies, ",")})
 				assert.Error(t, err, "Expected error for invalid proxy")
+
 				return
 			}
 
 			router := setupRouter(t)
-			req, _ := http.NewRequest("GET", "/", nil)
+			req, _ := http.NewRequest(http.MethodGet, "/", nil)
 			req.RemoteAddr = tt.remoteAddr
+
 			if tt.xForwardedFor != "" {
 				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
 			}
+
 			resp := httptest.NewRecorder()
 			router.ServeHTTP(resp, req)
 			assert.Equal(t, tt.wantStatus, resp.Code, "Status code")
 			assert.Contains(t, resp.Body.String(), tt.wantBody, "Response body")
 
 			var gotClientIP string
+
 			router.GET("/test-ip", func(c *gin.Context) {
 				gotClientIP = c.ClientIP()
 			})
-			req, _ = http.NewRequest("GET", "/test-ip", nil)
+
+			req, _ = http.NewRequest(http.MethodGet, "/test-ip", nil)
 			req.RemoteAddr = tt.remoteAddr
+
 			if tt.xForwardedFor != "" {
 				req.Header.Set("X-Forwarded-For", tt.xForwardedFor)
 			}
+
 			resp = httptest.NewRecorder()
 			router.ServeHTTP(resp, req)
 			assert.Equal(t, tt.wantClientIP, gotClientIP, "Client IP")
 		})
 	}
 }
+
+// New TestLoadConfig to cover Lines 37 and 56.
+func TestLoadConfig(t *testing.T) {
+	tests := []struct {
+		name           string
+		portEnv        string
+		trustedProxies string
+		staticDirEnv   string
+		wantPort       string
+		wantProxies    []string
+		wantStaticDir  string
+	}{
+		{
+			name:           "Default config",
+			portEnv:        "",
+			trustedProxies: "",
+			staticDirEnv:   "",
+			wantPort:       defaultPort,
+			wantProxies:    nil,
+			wantStaticDir:  filepath.Join(filepath.Dir(os.Args[0]), defaultStaticDir), // Approximation
+		},
+		{
+			name:           "Custom port (Line 37)",
+			portEnv:        "9090",
+			trustedProxies: "",
+			staticDirEnv:   "",
+			wantPort:       ":9090",
+			wantProxies:    nil,
+			wantStaticDir:  filepath.Join(filepath.Dir(os.Args[0]), defaultStaticDir),
+		},
+		{
+			name:           "Custom static dir",
+			portEnv:        "",
+			trustedProxies: "",
+			staticDirEnv:   "/custom/static",
+			wantPort:       defaultPort,
+			wantProxies:    nil,
+			wantStaticDir:  "/custom/static",
+		},
+		// Note: Line 56 (os.Executable failure) is harder to test directly without mocking.
+		// We can assume it works if STATIC_DIR is unset and defaultStaticDir is used.
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			// Clear and set environment variables
+			t.Setenv("PORT", tt.portEnv)
+			t.Setenv(trustedProxiesEnv, tt.trustedProxies)
+			t.Setenv(staticDirEnv, tt.staticDirEnv)
+
+			config, err := LoadConfig()
+			assert.NoError(t, err, "LoadConfig should not error")
+
+			assert.Equal(t, tt.wantPort, config.Port, "Port")
+			assert.Equal(t, tt.wantProxies, config.TrustedProxies, "TrustedProxies")
+			assert.Equal(t, tt.wantStaticDir, config.StaticDir, "StaticDir")
+		})
+	}
+}

go.mod

@@ -11,7 +11,7 @@ require (
 
 require (
 	github.com/andybalholm/cascadia v1.3.3 // indirect
-	github.com/bytedance/sonic v1.12.8 // indirect
+	github.com/bytedance/sonic v1.12.10 // indirect
 	github.com/bytedance/sonic/loader v0.2.3 // indirect
 	github.com/cloudwego/base64x v0.1.5 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
@@ -22,7 +22,7 @@ require (
 	github.com/go-playground/validator/v10 v10.25.0 // indirect
 	github.com/goccy/go-json v0.10.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/cpuid/v2 v2.2.9 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
@@ -32,7 +32,7 @@ require (
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.12 // indirect
 	golang.org/x/arch v0.14.0 // indirect
-	golang.org/x/crypto v0.33.0 // indirect
+	golang.org/x/crypto v0.35.0 // indirect
 	golang.org/x/net v0.35.0 // indirect
 	golang.org/x/sys v0.30.0 // indirect
 	golang.org/x/text v0.22.0 // indirect

go.sum

@@ -4,8 +4,8 @@ github.com/a-h/templ v0.3.833 h1:L/KOk/0VvVTBegtE0fp2RJQiBm7/52Zxv5fqlEHiQUU=
 github.com/a-h/templ v0.3.833/go.mod h1:cAu4AiZhtJfBjMY0HASlyzvkrtjnHWPeEsyGK2YYmfk=
 github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kktS1LM=
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
-github.com/bytedance/sonic v1.12.8 h1:4xYRVRlXIgvSZ4e8iVTlMF5szgpXd4AfvuWgA8I8lgs=
-github.com/bytedance/sonic v1.12.8/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
+github.com/bytedance/sonic v1.12.10 h1:uVCQr6oS5669E9ZVW0HyksTLfNS7Q/9hV6IVS4nEMsI=
+github.com/bytedance/sonic v1.12.10/go.mod h1:uVvFidNmlt9+wa31S1urfwwthTWteBgG0hWuoKAXTx8=
 github.com/bytedance/sonic/loader v0.1.1/go.mod h1:ncP89zfokxS5LZrJxl5z0UJcsk4M4yY2JpfqGeCtNLU=
 github.com/bytedance/sonic/loader v0.2.3 h1:yctD0Q3v2NOGfSWPLPvG2ggA2kV6TS6s4wioyEqssH0=
 github.com/bytedance/sonic/loader v0.2.3/go.mod h1:N8A3vUdtUebEY2/VQC0MyhYeKUFosQU6FxH2JmUe6VI=
@@ -37,8 +37,8 @@ github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.2.9 h1:66ze0taIn2H33fBvCkXuv9BmCwDfafmiIVpKV9kKGuY=
-github.com/klauspost/cpuid/v2 v2.2.9/go.mod h1:rqkxqrZ1EhYM9G+hXH7YdowN5R5RGN6NK4QwQ3WMXF8=
+github.com/klauspost/cpuid/v2 v2.2.10 h1:tBs3QSyvjDyFTq3uoc/9xFpCuOsJQFNPiAhYdw2skhE=
+github.com/klauspost/cpuid/v2 v2.2.10/go.mod h1:hqwkgyIinND0mEev00jJYCxPNVRVXFQeu1XKlok6oO0=
 github.com/knz/go-libedit v1.10.1/go.mod h1:MZTVkCWyz0oBc7JOWP3wNAzd002ZbM/5hgShxwh4x8M=
 github.com/leodido/go-urn v1.4.0 h1:WT9HwE9SGECu3lg4d/dIA+jxlljEa1/ffXKmRjqdmIQ=
 github.com/leodido/go-urn v1.4.0/go.mod h1:bvxc+MVxLKB4z00jd1z+Dvzr47oO32F/QSNjSBOlFxI=
@@ -78,8 +78,8 @@ golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliY
 golang.org/x/crypto v0.19.0/go.mod h1:Iy9bg/ha4yyC70EfRS8jz+B6ybOBKMaSxLj6P6oBDfU=
 golang.org/x/crypto v0.23.0/go.mod h1:CKFgDieR+mRhux2Lsu27y0fO304Db0wZe70UKqHu0v8=
 golang.org/x/crypto v0.31.0/go.mod h1:kDsLvtWBEx7MV9tJOj9bnXsPbxwJQ6csT/x4KIN4Ssk=
-golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus=
-golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M=
+golang.org/x/crypto v0.35.0 h1:b15kiHdrGCHrP6LvwaQ3c03kgNhhiMgvlhxHQhmg2Xs=
+golang.org/x/crypto v0.35.0/go.mod h1:dy7dXNW32cAb/6/PRuTNsix8T+vJAqvuIy5Bli/x0YQ=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.12.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=