- commit
- d634672
- parent
- 83a5183
- author
- Eric Bower
- date
- 2026-05-05 21:05:27 -0400 EDT
fix(auth): mime type can include charset e.g. text/html; charset=utf-8
3 files changed,
+16,
-7
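--- a/go.mod
+++ b/go.mod
@@ -50,7 +50,7 @@ require (
 github.com/simplesurance/go-ip-anonymizer v0.0.0-20200429124537-35a880f8e87d
 github.com/testcontainers/testcontainers-go v0.40.0
 github.com/testcontainers/testcontainers-go/modules/postgres v0.40.0
- github.com/x-way/crawlerdetect v0.2.30
+ github.com/x-way/crawlerdetect v0.2.31-0.20260212224137-1c21876d88a2
 github.com/yuin/goldmark v1.8.2
 github.com/yuin/goldmark-highlighting/v2 v2.0.0-20230729083705-37449abec8cc
 github.com/yuin/goldmark-meta v1.1.0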
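--- a/go.sum
+++ b/go.sum
@@ -328,8 +328,8 @@ github.com/tklauser/go-sysconf v0.3.15 h1:VE89k0criAymJ/Os65CSn1IXaol+1wrsFHEB8O
 github.com/tklauser/go-sysconf v0.3.15/go.mod h1:Dmjwr6tYFIseJw7a3dRLJfsHAMXZ3nEnL/aZY+0IuI4=
 github.com/tklauser/numcpus v0.10.0 h1:18njr6LDBk1zuna922MgdjQuJFjrdppsZG60sHGfjso=
 github.com/tklauser/numcpus v0.10.0/go.mod h1:BiTKazU708GQTYF4mB+cmlpT2Is1gLk7XVuEeem8LsQ=
-github.com/x-way/crawlerdetect v0.2.30 h1:U43R8+TZ7AZwBZehWRPdRdW53NmPoVZSOptevJKo1mE=
-github.com/x-way/crawlerdetect v0.2.30/go.mod h1:BPHLsB3FOuiwoWyhAvnqeiUSAEKd34O7BcsTCcxHRj4=
+github.com/x-way/crawlerdetect v0.2.31-0.20260212224137-1c21876d88a2 h1:ssAyb7n/6TPLWUVuVbGfzky4/ECJuIGmktDBawNZPv8=
+github.com/x-way/crawlerdetect v0.2.31-0.20260212224137-1c21876d88a2/go.mod h1:BPHLsB3FOuiwoWyhAvnqeiUSAEKd34O7BcsTCcxHRj4=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.4.15/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
 github.com/yuin/goldmark v1.8.2 h1:kEGpgqJXdgbkhcOgBxkC0X0PmoPG1ZyoZ117rDVp4zE=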
+13,
-4
1@@ -682,6 +682,11 @@ func deserializeCaddyAccessLog(dbpool db.DB, access *AccessLog) (*db.AnalyticsVi
2 subdomain = router.GetCustomDomain(host, space)
3 }
4
5+ // skip requests to the base domain itself (e.g. prose.sh, tuns.sh, pgs.sh)
6+ if subdomain == "" {
7+ return nil, fmt.Errorf("request to base domain %s", host)
8+ }
9+
10 subdomain = strings.TrimSuffix(subdomain, ".nue")
11 subdomain = strings.TrimSuffix(subdomain, ".ash")
12
13@@ -747,10 +752,17 @@ func accessLogToVisit(dbpool db.DB, line string) (*db.AnalyticsVisits, error) {
14 return nil, fmt.Errorf("could not unmarshal line: %w", err)
15 }
16
17+ contentType := strings.Join(accessLog.RespHeaders.ContentType, " ")
18+ baseMimeType := strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0])
19+ if !slices.Contains(allowedMime, baseMimeType) {
20+ return nil, fmt.Errorf("content type %q not allowed", baseMimeType)
21+ }
22+
23 return deserializeCaddyAccessLog(dbpool, &accessLog)
24 }
25
26 var allowedMime = []string{
27+ "application/atom+xml",
28 "application/gzip",
29 "application/vnd.rar",
30 "application/x-7z-compressed",
31@@ -758,6 +770,7 @@ var allowedMime = []string{
32 "application/x-bzip2",
33 "application/x-freearc",
34 "application/x-tar",
35+ "application/xml",
36 "application/zip",
37 "text/html",
38 }
39@@ -791,10 +804,6 @@ func metricDrainSub(ctx context.Context, dbpool db.DB, logger *slog.Logger, secr
40 continue
41 }
42
43- if !slices.Contains(allowedMime, visit.ContentType) {
44- continue
45- }
46-
47 logger.Info("inserting visit", "visit", visit)
48 err = dbpool.InsertVisit(visit)
49 if err != nil {
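Review bot: The allow-list comparison added to accessLogToVisit is still case-sensitive and hand-parsed, so a response that sends `Text/HTML; charset=utf-8` would be dropped even though media types are case-insensitive. Lowercasing before the lookup closes that gap: `baseMimeType := strings.ToLower(strings.TrimSpace(strings.SplitN(contentType, ";", 2)[0]))`, or the standard library's `mime.ParseMediaType` could replace the manual split. Joining multiple Content-Type values with a space also means only the first value decides whenever it carries a parameter, which is worth a one-line comment next to the `strings.Join`. The check moved from a silent `continue` in metricDrainSub to a returned error; if the caller logs every error from accessLogToVisit (its handling sits outside these hunks), routine image, CSS and script requests will now produce a log line each, and a sentinel error checked with `errors.Is` would let the caller skip them quietly. accessLogToVisit begins above the hunk.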