fix(sec): санитизация Telegram-ошибок, SSRF-guard Webhook, чистка логов test-канала, go mod tidy, histogram-бакеты
@@ -4,6 +4,7 @@ import (
|
||||
"bytes"
|
||||
"context"
|
||||
"encoding/json"
|
||||
"errors"
|
||||
"fmt"
|
||||
"net/http"
|
||||
)
|
||||
@@ -35,7 +36,10 @@ func (t *Telegram) Send(ctx context.Context, cfg json.RawMessage, secret string,
|
||||
req.Header.Set("Content-Type", "application/json")
|
||||
resp, err := t.HTTP.Do(req)
|
||||
if err != nil {
|
||||
return err
|
||||
// Do NOT wrap/return err as-is: *url.Error.Error() embeds the full
|
||||
// request URL, which contains the bot token (/bot<secret>/...). A
|
||||
// caller logging this error would leak the secret.
|
||||
return errors.New("telegram: request failed")
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
if resp.StatusCode >= 300 {
|
||||
|
||||
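Review bot: The replacement `return errors.New("telegram: request failed")` in the `t.HTTP.Do` error branch discards the cause entirely, so callers can no longer tell a cancelled or timed-out context from a network failure with `errors.Is`. The context error carries no URL, so it can be surfaced without exposing the token, e.g. `if cerr := ctx.Err(); cerr != nil { return fmt.Errorf("telegram: request failed: %w", cerr) }` placed ahead of the generic return. The same concern about the `/bot<secret>/` URL presumably applies to whatever the `resp.StatusCode >= 300` branch returns. That branch and the rest of `Send` continue outside the hunk, so it should be confirmed there.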