security: restrict DELETE endpoint to localhost only

Adds an isLocalhost check to prevent unauthorized deletion of links
from remote clients until proper authentication is implemented.

+27
+27
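--- a/internal/handler/irclink.go
+++ b/internal/handler/irclink.go
@@ -37,6 +37,12 @@
 	url := r.URL.Query().Get("url")
 
 	if r.Method == http.MethodDelete {
+		// Restrict DELETE to localhost only until proper auth is implemented
+		if !isLocalhost(r) {
+			http.Error(w, "Forbidden", http.StatusForbidden)
+			return
+		}
+
 		idStr := r.URL.Query().Get("id")
 		if idStr == "" {
 			// Try path if valid (though usually query param here)
@@ -206,3 +212,24 @@
 	log.Printf("id: [%d] Location: %s", id, redirectURL)
 	http.Redirect(w, r, redirectURL, http.StatusFound)
 }
+
+// isLocalhost checks if the request originates from localhost/127.0.0.1
+func isLocalhost(r *http.Request) bool {
+	host, _, err := strings.Cut(r.RemoteAddr, ":")
+	if err {
+		// No port separator found, use the whole string
+		host = r.RemoteAddr
+	}
+
+	// Check for IPv4 localhost
+	if host == "127.0.0.1" || host == "localhost" {
+		return true
+	}
+
+	// Check for IPv6 localhost
+	if host == "::1" || host == "[::1]" {
+		return true
+	}
+
+	return false
+}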
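Review bot: The separator test in isLocalhost is inverted: `strings.Cut` returns a found bool rather than an error, so `if err { host = r.RemoteAddr }` overwrites host with the full `host:port` string exactly when a port separator was found, meaning a loopback peer such as `127.0.0.1:54321` never matches and every DELETE is refused (fail-closed, but the localhost carve-out the commit intends does not work); an IPv6 peer arrives as `[::1]:54321`, and cutting at the first colon yields `[`, which can never match either. Replacing the hand parsing with `net.SplitHostPort` plus `net.ParseIP(host).IsLoopback()` handles both address families and lets the `host == "localhost"` case go, since RemoteAddr carries an address, not a name; this needs `net` in the file's import block, which lies outside the hunk. If the server is ever placed behind a reverse proxy on the same machine, RemoteAddr will be the proxy's loopback address for every client, so the doc comment should state that this check assumes direct connections, e.g. `// isLocalhost reports whether the peer address is a loopback address; it assumes no proxy sits in front of the server.`
```go
// isLocalhost reports whether the request's peer address is a loopback
// address. It assumes direct connections: behind a reverse proxy on the
// same host, RemoteAddr is the proxy's address, not the client's.
func isLocalhost(r *http.Request) bool {
	host, _, err := net.SplitHostPort(r.RemoteAddr)
	if err != nil {
		// No port component; treat the whole string as the address.
		host = r.RemoteAddr
	}
	ip := net.ParseIP(host)
	return ip != nil && ip.IsLoopback()
}
```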