mirror of https://github.com/usememos/memos.git
1a3298554b
This commit addresses all critical and high-priority recommendations from the security review: **Critical Fixes:** - Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations to prevent potential nil pointer dereference - Fix information disclosure in DeleteMemoReaction by returning consistent errors (now returns permission denied instead of not found to avoid revealing reaction existence) **Medium Priority Improvements:** - Add GetReaction() method to store interface for better performance (single reaction lookup instead of list operation) - Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL) - Update DeleteMemoReaction to use the new GetReaction() method **Test Coverage:** - Add comprehensive test coverage for SetMemoAttachments authorization checks - Add comprehensive test coverage for SetMemoRelations authorization checks - Add comprehensive test coverage for DeleteMemoReaction authorization checks - Add comprehensive test coverage for CreateUser registration enforcement All tests follow the same patterns as existing IDP service tests and cover: - Success cases for resource owners - Success cases for superuser/host users - Permission denied cases for non-owners - Unauthenticated access attempts - Not found scenarios Related to PR #5217 security review recommendations. |
||
|---|---|---|
| .. | ||
| activity.go | ||
| attachment.go | ||
| common.go | ||
| idp.go | ||
| inbox.go | ||
| instance_setting.go | ||
| memo.go | ||
| memo_filter_test.go | ||
| memo_relation.go | ||
| migration_history.go | ||
| postgres.go | ||
| reaction.go | ||
| user.go | ||
| user_setting.go | ||