fix(sec): санитизация Telegram-ошибок, SSRF-guard Webhook, чистка логов test-канала, go mod tidy, histogram-бакеты

2026-07-04 13:40:29 +07:00
parent 5a2903ca1e
commit 29f448d4b5
8 changed files with 197 additions and 6 deletions
+5 -1
@@ -4,6 +4,7 @@ import (
"bytes"
"context"
"encoding/json"
"errors"
"fmt"
"net/http"
)
@@ -35,7 +36,10 @@ func (t *Telegram) Send(ctx context.Context, cfg json.RawMessage, secret string,
req.Header.Set("Content-Type", "application/json")
resp, err := t.HTTP.Do(req)
if err != nil {
return err
// Do NOT wrap/return err as-is: *url.Error.Error() embeds the full
// request URL, which contains the bot token (/bot<secret>/...). A
// caller logging this error would leak the secret.
return errors.New("telegram: request failed")
}
defer resp.Body.Close()
if resp.StatusCode >= 300 {
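Review bot: The new `return errors.New("telegram: request failed")` drops the cause entirely, so a caller can no longer use `errors.Is` to tell a cancelled or timed-out context from a network failure. The context's own error carries no URL, so it can be kept without bringing the token back: add `if cerr := ctx.Err(); cerr != nil { return fmt.Errorf("telegram: request failed: %w", cerr) }` ahead of the generic return. Send's body starts and ends outside the hunk, so the request-construction error path and the rest of the `resp.StatusCode >= 300` branch are not visible here. If either returns or formats an error that includes the request URL, it presumably needs the same sanitisation.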