check api for security vulnerabilities - Githubissues

vi-sense / vi-sense

vi-sense is a tool for visualizing 3d models together with IoT sensor data. This repo contains its backend written in go.

https://visense.f4.htw-berlin.de/

MIT License

49 stars 11 forks source link

check api for security vulnerabilities #85

Closed dephiloper closed 4 years ago

dephiloper commented 4 years ago

[x] sql injections
[x] CORS
[x] DDoS?
[x] research on other vulnerabilites

dephiloper commented 4 years ago

Even though it seems that gorm had some problems w/ SQL injections they are now fixed. But still, there are some other concerning issues: r/golang but these should not have an effect on our API

I added injection tests to both parameterized endpoints.

dephiloper commented 4 years ago

Modified cors settings to only allow http://localhost:8081 and https://visense.f4.htw-berlin.de

dephiloper commented 4 years ago

Implemented rate limit middleware using https://github.com/s12i/gin-throttle

dephiloper commented 4 years ago

https://nordicapis.com/5-common-api-vulnerabilities-and-how-to-fix-them/

[x] create a rate limit
[ ] implement pagination
- perhaps even the start_date - end_date req should have a size limit
[x] to prevent SQL injections to make use of parameterized statements