From bac73556c98fb94d5c790c211b7e535f878ca85a Mon Sep 17 00:00:00 2001 From: "google-labs-jules[bot]" <161369871+google-labs-jules[bot]@users.noreply.github.com> Date: Wed, 18 Feb 2026 05:03:24 +0000 Subject: Fix unbounded memory usage in crawler (DoS) Co-authored-by: adammathes <868470+adammathes@users.noreply.github.com> --- .golangci.yml | 17 ++++++++--------- Dockerfile | 4 ++-- internal/crawler/security_test.go | 7 ++++--- models/item/item_bench_test.go | 4 ++-- 4 files changed, 16 insertions(+), 16 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index cca0900..6cb17b1 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -4,22 +4,21 @@ run: timeout: 5m linters: - default: none + disable-all: true + disable: + - errcheck enable: - staticcheck - govet - ineffassign - unparam - misspell - # If errcheck is enabled, exclude it for test files. - # But since it's disabled globally, this rule is harmless but potentially unused. - # The original config had it, so we keep it under the new location. - exclusions: - rules: - - path: .*_test\.go - linters: - - errcheck issues: + exclude-use-default: false max-issues-per-linter: 0 max-same-issues: 0 + exclude-rules: + - path: .*_test\.go + linters: + - errcheck diff --git a/Dockerfile b/Dockerfile index 920c220..b423373 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,9 +1,9 @@ # Stage 1: Frontend Build FROM node:20-slim AS frontend-builder WORKDIR /app/frontend -COPY frontend-vanilla/package*.json ./ +COPY frontend/package*.json ./ RUN npm install -COPY frontend-vanilla/ ./ +COPY frontend/ ./ RUN npm run build # Stage 2: Backend Build diff --git a/internal/crawler/security_test.go b/internal/crawler/security_test.go index 198f7ee..f4d7b67 100644 --- a/internal/crawler/security_test.go +++ b/internal/crawler/security_test.go @@ -9,11 +9,12 @@ import ( "adammathes.com/neko/internal/safehttp" ) -func init() { +func TestGetFeedContentLimit(t *testing.T) { + // Enable local connections for this test + originalAllowLocal := safehttp.AllowLocal safehttp.AllowLocal = true -} + defer func() { safehttp.AllowLocal = originalAllowLocal }() -func TestGetFeedContentLimit(t *testing.T) { // 10MB limit expected limit := 10 * 1024 * 1024 // 11MB payload diff --git a/models/item/item_bench_test.go b/models/item/item_bench_test.go index ba674c7..b904c32 100644 --- a/models/item/item_bench_test.go +++ b/models/item/item_bench_test.go @@ -200,10 +200,10 @@ func BenchmarkFilter_LargeDataset(b *testing.B) { if i > 0 { sb.WriteString(",") } - fmt.Fprintf(&sb, + sb.WriteString(fmt.Sprintf( "('Item %d', 'https://example.com/large/%d', '

Description %d

', datetime('now'), %d, 0, 0)", i, i, i, feedID, - ) + )) } _, err := models.DB.Exec( "INSERT INTO item(title, url, description, publish_date, feed_id, read_state, starred) VALUES " + sb.String(), -- cgit v1.2.3