mirror of https://github.com/usememos/memos.git
1a3298554b
This commit addresses all critical and high-priority recommendations from the security review: **Critical Fixes:** - Add nil checks before accessing memo properties in SetMemoAttachments and SetMemoRelations to prevent potential nil pointer dereference - Fix information disclosure in DeleteMemoReaction by returning consistent errors (now returns permission denied instead of not found to avoid revealing reaction existence) **Medium Priority Improvements:** - Add GetReaction() method to store interface for better performance (single reaction lookup instead of list operation) - Implement GetReaction() in all database drivers (SQLite, MySQL, PostgreSQL) - Update DeleteMemoReaction to use the new GetReaction() method **Test Coverage:** - Add comprehensive test coverage for SetMemoAttachments authorization checks - Add comprehensive test coverage for SetMemoRelations authorization checks - Add comprehensive test coverage for DeleteMemoReaction authorization checks - Add comprehensive test coverage for CreateUser registration enforcement All tests follow the same patterns as existing IDP service tests and cover: - Success cases for resource owners - Success cases for superuser/host users - Permission denied cases for non-owners - Unauthenticated access attempts - Not found scenarios Related to PR #5217 security review recommendations. |
||
|---|---|---|
| .. | ||
| idp_service_test.go | ||
| instance_service_test.go | ||
| memo_attachment_service_test.go | ||
| memo_relation_service_test.go | ||
| memo_service_test.go | ||
| reaction_service_test.go | ||
| shortcut_service_test.go | ||
| test_helper.go | ||
| user_service_registration_test.go | ||
| user_service_stats_test.go | ||