author | terminaldweller <thabogre@gmail.com> | 2022-03-28 18:56:01 +0000 |
---|---|---|
committer | terminaldweller <thabogre@gmail.com> | 2022-03-28 18:56:01 +0000 |
commit | e24a591310bba9cb94b2ebdd1e41c184131ae1a8 (patch) | |
tree | 86552f7e2d9ad06dec69e71925731f5f7ed72aa7 | |
parent | half-updateds the readme (diff) | |
added some security headers
-rw-r--r-- | hived/Dockerfile | 1 | ||||
-rw-r--r-- | hived/go.mod | 16 | ||||
-rw-r--r-- | hived/go.sum | 9 | ||||
-rw-r--r-- | hived/hived.go | 54 | ||||
-rw-r--r-- | telebot/Dockerfile | 1 | ||||
-rw-r--r-- | telebot/go.sum | 1 | ||||
-rwxr-xr-x | test/endpoints.sh | 11 |
7 files changed, 37 insertions, 56 deletions
diff --git a/hived/Dockerfile b/hived/Dockerfile
index da91fb7..138e02c 100644
--- a/hived/Dockerfile
+++ b/hived/Dockerfile
@@ -1,6 +1,7 @@
 FROM alpine:3.13 as builder
 RUN apk update && apk upgrade
 RUN apk add go git
+ENV GOPROXY=https://goproxy.io
 COPY go.* /hived/
 RUN cd /hived && go mod download
 COPY *.go /hived/
diff --git a/hived/go.mod b/hived/go.mod
index f2c87cc..126eedc 100644
--- a/hived/go.mod
+++ b/hived/go.mod
@@ -5,10 +5,22 @@ go 1.17
 require (
 github.com/Knetic/govaluate v3.0.0+incompatible
 github.com/go-redis/redis/v8 v8.6.0
- github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible
 github.com/gorilla/mux v1.8.0
 github.com/rs/zerolog v1.20.0
- github.com/technoweenie/multipartstreamer v1.0.1 // indirect
 github.com/terminaldweller/grpc v1.0.3
 google.golang.org/grpc v1.42.0
 )
+
+require (
+ github.com/cespare/xxhash/v2 v2.1.1 // indirect
+ github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
+ github.com/golang/protobuf v1.5.2 // indirect
+ go.opentelemetry.io/otel v0.17.0 // indirect
+ go.opentelemetry.io/otel/metric v0.17.0 // indirect
+ go.opentelemetry.io/otel/trace v0.17.0 // indirect
+ golang.org/x/net v0.0.0-20201202161906-c7110b5ffcbb // indirect
+ golang.org/x/sys v0.0.0-20210112080510-489259a85091 // indirect
+ golang.org/x/text v0.3.3 // indirect
+ google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 // indirect
+ google.golang.org/protobuf v1.27.1 // indirect
+)
diff --git a/hived/go.sum b/hived/go.sum
index b303f1e..e4621e0 100644
--- a/hived/go.sum
+++ b/hived/go.sum
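Review bot: `ENV GOPROXY=https://goproxy.io` routes every module download through a third-party mirror, and the same line is added to telebot/Dockerfile, but nothing records why it is needed. As long as GOSUMDB stays at its default, go.sum and the checksum database still verify what the mirror serves, so the exposure is availability and the mirror seeing the dependency list rather than tampering; a one-line comment stating that, such as `# public mirror for module downloads; integrity is still checked via go.sum/GOSUMDB`, and declaring it as an overridable `ARG` with this default would keep the choice explicit for CI.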
@@ -31,8 +31,6 @@ github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/go-redis/redis/v8 v8.6.0 h1:swqbqOrxaPztsj2Hf1p94M3YAgl7hYEpcw21z299hh8=
 github.com/go-redis/redis/v8 v8.6.0/go.mod h1:DQ9q4Rk2HtwkrwVrdgmphoOQDMfpvcd/nHEwRsicg8s=
-github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible h1:2cauKuaELYAEARXRkq2LrJ0yDDv1rW7+wrTEdVL3uaU=
-github.com/go-telegram-bot-api/telegram-bot-api v4.6.4+incompatible/go.mod h1:qf9acutJ8cwBUhm1bqgz6Bei9/C/c93FPDljKWwsOgM=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
@@ -44,7 +42,6 @@ github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrU
 github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
 github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
-github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
 github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
@@ -55,8 +52,8 @@ github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMyw
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.5 h1:Khx7svrCpmxxtHBq5j2mp/xVjsi8hQMfNLvJFAlrGgU=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/gorilla/mux v1.8.0 h1:i40aqfkR1h2SlN9hojwV5ZA91wcXFOvkdNIeFDP5koI=
@@ -85,8 +82,6 @@ github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
 github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
-github.com/technoweenie/multipartstreamer v1.0.1 h1:XRztA5MXiR1TIRHxH2uNxXxaIkKQDeX7m2XsSOlQEnM=
-github.com/technoweenie/multipartstreamer v1.0.1/go.mod h1:jNVxdtShOxzAsukZwTSw6MDx5eUJoiEBsSvzDU9uzog=
 github.com/terminaldweller/grpc v1.0.3 h1:yCRm0HKRD4M87CBmmO5KjkSFRq4X2lzHLJRH1ApzeiE=
 github.com/terminaldweller/grpc v1.0.3/go.mod h1:pYpuXZw8rHZwTABVEVZEfErFr+PyEhAaSrFm7y1yvTo=
 github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
@@ -175,7 +170,6 @@ google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQ
 google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
 google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
 google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
-google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
 google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
@@ -183,7 +177,6 @@ google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp0
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/fsnotify.v1 v1.4.7/go.mod h1:Tz8NjZHkW78fSQdbUxIjBTcgA1z1m8ZHf0WmKUhAMys=
 gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ=
diff --git a/hived/hived.go b/hived/hived.go
index d00f58d..173e6c8 100644
--- a/hived/hived.go
+++ b/hived/hived.go
@@ -48,6 +48,16 @@ const (
 SERVER_DEPLOYMENT_TYPE = "SERVER_DEPLOYMENT_TYPE"
 )
 
+// OWASP: https://cheatsheetseries.owasp.org/cheatsheets/REST_Security_Cheat_Sheet.html
+func addSecureHeaders(w *http.ResponseWriter) {
+ (*w).Header().Set("Cache-Control", "no-store")
+ (*w).Header().Set("Content-Security-Policy", "default-src https;")
+ (*w).Header().Set("Strict-Transport-Security", "max-age=63072000;")
+ (*w).Header().Set("X-Content-Type-Options", "nosniff")
+ (*w).Header().Set("X-Frame-Options", "DENY")
+ (*w).Header().Set("Access-Control-Allow-Methods", "GET,POST,PUT,DELETE,OPTIONS")
+}
+
 func sendToTg(address, msg string, channelId int64) {
 conn, err := grpc.Dial(address, grpc.WithInsecure())
 if err != nil {
@@ -68,37 +78,6 @@ func sendToTg(address, msg string, channelId int64) {
 log.Info().Msg(fmt.Sprintf("%v", r))
 }
 
-// func runTgBot() {
-// // bot := getTgBot()
-// token := os.Getenv(TELEGRAM_BOT_TOKEN_ENV_VAR)
-// bot, err := tgbotapi.NewBotAPI(token[1 : len(token)-1])
-// if err != nil {
-// log.Error().Err(err)
-// }
-// log.Debug().Msg("authorized on account bot_bloodstalker")
-
-// update := tgbotapi.NewUpdate(0)
-// update.Timeout = 60
-
-// updates, err := bot.GetUpdatesChan(update)
-// if err != nil {
-// log.Error().Err(err)
-// }
-
-// for update := range updates {
-// if update.Message == nil {
-// continue
-// }
-
-// log.Printf("[%s] %s", update.Message.From.UserName, update.Message.Text)
-
-// msg := tgbotapi.NewMessage(update.Message.Chat.ID, update.Message.Text)
-// msg.ReplyToMessageID = update.Message.MessageID
-
-// bot.Send(msg)
-// }
-// }
-
 type priceChanStruct struct {
 name string
 price float64
@@ -153,6 +132,7 @@ func priceHandler(w http.ResponseWriter, r *http.Request) {
 if r.Method != "GET" {
 http.Error(w, "Method is not supported.", http.StatusNotFound)
 }
+ addSecureHeaders(&w)
 
 var name string
 var unit string
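Review bot: The `Content-Security-Policy` value `"default-src https;"` is malformed — a scheme source needs the colon, so `https` here is read as a host-source for a host literally named "https" rather than as "any https origin", and the policy does not express what it appears to say. For an API that only returns JSON the usual form is `"default-src 'none'; frame-ancestors 'none'"`; if the intent really is to allow any HTTPS origin it has to be `"default-src https:"`. `Access-Control-Allow-Methods` advertises PUT/DELETE on every response while no `Access-Control-Allow-Origin` is set, so it has no effect on cross-origin requests; either drop it or set the origin deliberately. On style, `http.ResponseWriter` is an interface and is passed by value in Go, so the signature should be `func addSecureHeaders(w http.ResponseWriter)` with plain `w.Header().Set(...)` calls and `addSecureHeaders(w)` at the call sites.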
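Review bot: In priceHandler the new `addSecureHeaders(&w)` sits after the `http.Error` call, and pairHandler in the next hunk has the same placement; `http.Error` writes the status line, and `Header().Set` after the headers have been flushed has no effect, so the not-supported response leaves without any of the new headers. The other call sites (alertHandler, exHandler, healthHandler, robotsHandler) set them before writing anything, so move the call to the first statement of the handler to match. It also looks like the `if r.Method != "GET"` branch never returns (pre-existing), so the handler keeps processing the request after the error response — a `return` after `http.Error` would close that. The body of priceHandler continues outside the hunk.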
@@ -216,6 +196,7 @@ func pairHandler(w http.ResponseWriter, r *http.Request) {
 if r.Method != "GET" {
 http.Error(w, "Method is not supported.", http.StatusNotFound)
 }
+ addSecureHeaders(&w)
 
 var one string
 var two string
@@ -374,13 +355,7 @@ func alertManager() {
 resultBool = result.(bool)
 if resultBool == true {
 token := os.Getenv(TELEGRAM_BOT_TOKEN_ENV_VAR)
- // bot, err := tgbotapi.NewBotAPI(token[1 : len(token)-1])
- // if err != nil {
- // log.Error().Err(err)
- // }
 msgText := "notification " + alerts.Alerts[i].Expr + " has been triggered"
- // msg := tgbotapi.NewMessage(*botChannelID, msgText)
- // bot.Send(msg)
 tokenInt, err := strconv.ParseInt(token[1:len(token)-1], 10, 64)
 if err != nil {
 log.Fatal().Err(err)
@@ -506,6 +481,7 @@ func handleAlertGet(w http.ResponseWriter, r *http.Request) {
 }
 
 func alertHandler(w http.ResponseWriter, r *http.Request) {
+ addSecureHeaders(&w)
 if r.Method == "POST" || r.Method == "PUT" || r.Method == "PATCH" {
 handleAlertPost(w, r)
 } else if r.Method == "DELETE" {
@@ -519,6 +495,7 @@ func alertHandler(w http.ResponseWriter, r *http.Request) {
 
 func exHandler(w http.ResponseWriter, r *http.Request) {
 w.Header().Add("Content-Type", "application/json")
+ addSecureHeaders(&w)
 if r.Method != "GET" {
 http.Error(w, "Method is not supported.", http.StatusNotFound)
 }
@@ -586,6 +563,7 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
 IsHivedOk := true
 var IsRedisOk bool
 
+ addSecureHeaders(&w)
 w.Header().Add("Content-Type", "application/json")
 if r.Method != "GET" {
 http.Error(w, "Method is not supported.", http.StatusNotFound)
@@ -620,6 +598,7 @@ func healthHandler(w http.ResponseWriter, r *http.Request) {
 
 func robotsHandler(w http.ResponseWriter, r *http.Request) {
 w.Header().Add("Content-Type", "text/plain")
+ addSecureHeaders(&w)
 json.NewEncoder(w).Encode(struct {
 UserAgents string `json:"User-Agents"`
 Disallow string `json:"Disallow"`
@@ -696,7 +675,6 @@ func main() {
 defer rdb.Close()
 setupLogging()
- // go runTgBot()
 go alertManager()
 startServer(gracefulWait)
 }
diff --git a/telebot/Dockerfile b/telebot/Dockerfile
index 8259880..134d6a5 100644
--- a/telebot/Dockerfile
+++ b/telebot/Dockerfile
@@ -1,6 +1,7 @@
 FROM alpine:3.13 as builder
 RUN apk update && apk upgrade
 RUN apk add go git
+ENV GOPROXY=https://goproxy.io
 COPY go.* /telebot/
 RUN cd /telebot && go mod download
 COPY *.go /telebot/
diff --git a/telebot/go.sum b/telebot/go.sum
index 5b1e0a1..ba1d9b7 100644
--- a/telebot/go.sum
+++ b/telebot/go.sum
@@ -138,7 +138,6 @@ google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2
 google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0 h1:bxAC2xTBsZGibn2RTntX0oH50xLsqy1OxA9tTL3p/lk=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
 google.golang.org/protobuf v1.27.1 h1:SnqbnDw1V7RiZcXPx5MEeqPv2s79L9i7BJUlG/+RurQ=
 google.golang.org/protobuf v1.27.1/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
diff --git a/test/endpoints.sh b/test/endpoints.sh
index 11282bb..6263136 100755
--- a/test/endpoints.sh
+++ b/test/endpoints.sh
@@ -2,10 +2,7 @@
 set -e
 set -x
 
-sleep 5
-curl -X GET http://localhost:8008/price?name=CAKE&unit=USD
-curl -X GET http://localhost:8008/pair?one=ETH&two=CAKE&multiplier=4.0
-curl -X POST -H "Content-Type: application/json" -d '{"name":"alert1", "expr":"ETH>CAKE"}' http://localhost:8008/alert
-# curl -X GET http://127.0.0.1:8008/price?name=CAKE&unit=USD
-# curl -X GET http://127.0.0.1:8008/pair?one=ETH&two=CAKE&multiplier=4.0
-# curl -X POST -H "Content-Type: application/json" -d '{"name":"alert1", "expr":"ETH>CAKE"}' http://127.0.0.1:8008/alert
+# sleep 5
+curl -k -X GET https://localhost:8008/crypto/price?name=CAKE&unit=USD
+curl -k -X GET https://localhost:8008/crypto/pair?one=ETH&two=CAKE&multiplier=4.0
+curl -k -X POST -H "Content-Type: application/json" -d '{"name":"alert1", "expr":"ETH>CAKE"}' https://localhost:8008/crypto/alert
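Review bot: The new curl lines leave the query strings unquoted, so the shell treats `&` as a background operator: `curl ... price?name=CAKE` is sent to the background and `unit=USD` becomes a plain variable assignment, which is why `set -e` never sees a failure here. Quote each URL, e.g. `curl -k -X GET 'https://localhost:8008/crypto/price?name=CAKE&unit=USD'`, and add `-f` (or `--fail-with-body`) so an HTTP error status actually fails the script. `-k` disables certificate verification; for a local self-signed certificate that is workable, but passing the dev certificate with `--cacert <path-to-dev-cert>` keeps the test exercising the TLS setup the endpoints were switched to.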