
v1.1.1 - Security Hardening


@felixgeelhaar felixgeelhaar released this 08 Dec 21:32
· 93 commits to main since this release
v1.1.1
f21228b

Security Fixes

This release hardens the rate-limiting key derivation and fixes several key-collision and bypass vulnerabilities in it.

Fixed Vulnerabilities

| Severity | Issue | Description |
|---|---|---|
| HIGH | IPv6 Zone Bypass | KeyFromIP now strips zone identifiers, so fe80::1%eth0 and fe80::1%eth1 no longer map to separate rate-limit keys |
| MEDIUM | Unicode Bypass | SanitizeKey now applies Unicode NFC normalization, so canonically equivalent strings map to the same key |
| MEDIUM | UTF-8 Truncation | Truncation is now rune-based, so multi-byte characters are never split into invalid UTF-8 |
| LOW | Log Injection | Added sanitizeLogKey to remove control characters before keys are written to log output |

New Features

  • SanitizeKey() helper function with Unicode NFC normalization
  • KeyFromHeaderWithMaxLen() for custom max key lengths
  • RFC 7230 header name validation in KeyFromHeader() (fail-fast panics)
  • SECURITY.md with vulnerability reporting process
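The four fixes above and the new helpers come down to a handful of small transformations on untrusted key material. The block below is an added, stand-alone re-implementation of those transformations in plain Go; it is not fortify's code and its function names (keyFromIP, sanitizeKey, removeControl, truncateRunes, isValidHeaderName, keyFromHeader) are assumed for illustration. NFC normalization is left out because it needs golang.org/x/text/unicode/norm rather than the standard library; the comment in sanitizeKey marks where it belongs.

```go
package main

import (
	"fmt"
	"net/http"
	"net/netip"
	"strings"
	"unicode"
	"unicode/utf8"
)

// Illustrative re-implementation of the hardening described in the release
// notes; these are NOT fortify's own functions.

// keyFromIP parses the address and drops any IPv6 zone identifier, so the
// same link-local address seen on different interfaces yields one key.
// Parsing with netip also canonicalises the textual form (case, zero runs).
func keyFromIP(raw string) (string, error) {
	addr, err := netip.ParseAddr(strings.TrimSpace(raw))
	if err != nil {
		return "", err
	}
	return addr.WithZone("").String(), nil
}

// removeControl drops control characters (CR, LF, TAB, ESC, ...) so a key
// derived from untrusted input cannot forge extra lines in log output.
func removeControl(s string) string {
	return strings.Map(func(r rune) rune {
		if unicode.IsControl(r) {
			return -1 // strings.Map drops the rune when the mapping returns -1
		}
		return r
	}, s)
}

// truncateRunes limits the key to max runes rather than max bytes, so a
// multi-byte character is never cut in half (s[:n] on bytes would do that).
func truncateRunes(s string, max int) string {
	if utf8.RuneCountInString(s) <= max {
		return s
	}
	return string([]rune(s)[:max])
}

// sanitizeKey combines the steps above. The NFC step would come first:
//   s = norm.NFC.String(s)   // golang.org/x/text/unicode/norm (omitted here)
func sanitizeKey(s string, maxLen int) string {
	return truncateRunes(removeControl(s), maxLen)
}

// isValidHeaderName checks RFC 7230 token syntax (1*tchar).
func isValidHeaderName(name string) bool {
	if name == "" {
		return false
	}
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
		case strings.IndexByte("!#$%&'*+-.^_`|~", c) >= 0:
		default:
			return false
		}
	}
	return true
}

// keyFromHeader derives a rate-limit key from a header value. An invalid
// header name is a programming error, so it panics (fail-fast), mirroring
// the behaviour the release notes describe for KeyFromHeader.
func keyFromHeader(h http.Header, name string, maxLen int) string {
	if !isValidHeaderName(name) {
		panic(fmt.Sprintf("invalid header name %q", name))
	}
	v := h.Get(name)
	if v == "" {
		return ""
	}
	return sanitizeKey(v, maxLen)
}

func main() {
	// Constructed sample inputs.
	for _, ip := range []string{"fe80::1%eth0", "fe80::1%eth1", "FE80:0:0:0:0:0:0:1", "10.0.0.7"} {
		k, err := keyFromIP(ip)
		fmt.Printf("%-22q -> %q err=%v\n", ip, k, err)
	}
	h := http.Header{}
	h.Set("X-Api-Key", "tenant-42\r\n[ERROR] forged line")
	fmt.Printf("%q\n", keyFromHeader(h, "X-Api-Key", 16))
	fmt.Printf("%q\n", truncateRunes("héllo", 2))
}
```

Running it shows the two zoned addresses collapsing to the single key "fe80::1", the mixed-case long form canonicalising to the same value, the CR/LF pair disappearing from the header-derived key before it is cut to 16 runes, and "héllo" truncating to "hé" instead of a dangling lead byte.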

Test Coverage

  • 30+ new security test cases covering:
    • IPv6 zone identifier stripping (8 cases)
    • Unicode normalization (3 cases)
    • Header validation (7 cases)
    • Log injection prevention (12 cases)

Dependencies

  • Upgraded golang.org/x/text v0.28.0 → v0.32.0 for Unicode normalization

Security Score

Multi-agent review scores:

  • Security Audit: 88/100 (up from 82)
  • Code Review: 8.5/10
  • Architecture: A-
  • Test Coverage: 89.7%

Upgrade

go get github.com/felixgeelhaar/fortify@v1.1.1

See SECURITY.md for vulnerability reporting.