bretton.dev / coves
A community based topic aggregation platform built on atproto
fork atom

fix(phase2c): add input validation and security hardening for PR review

Addresses critical P0 PR review issues for Phase 2C metadata hydration:

Input Validation (user_repo.go):
- Add MaxBatchSize constant (1000 DIDs) to prevent excessive queries
- Validate batch size before database operations
- Validate DID format (must start with "did:")
- Prevents SQL injection and malformed queries

Security Hardening (comment_service.go):
- Add HTTPS validation for community avatar URLs
- Validate CID format (must start with "baf" for IPFS CIDv1)
- Add URL escaping with url.QueryEscape() for DID and CID parameters
- Import "net/url" for proper URL handling
- Prevents mixed content warnings, MitM attacks, and injection attacks

API Documentation (interfaces.go):
- Add comprehensive godoc for GetByDIDs method
- Document parameters, return values, and behavior
- Include usage examples for developers

All changes maintain backward compatibility while adding critical
security and validation layers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

bretton.dev 9f6c0889 e619cbd8

options
unified split
Changed files
+50 -5
internal
core
comments
comment_service.go
users
interfaces.go
db
postgres
user_repo.go
+15 -5
internal/core/comments/comment_service.go 
···

       
6

       
6

       
 

       
	"errors"


     

       
7

       
7

       
 

       
	"fmt"


     

       
8

       
8

       
 

       
	"log"


     

       

       
9

       
+

       
	"net/url"


     

       
9

       
10

       
 

       
	"strings"


     

       
10

       
11

       
 

       
	"time"


     

       
11

       
12

       
 

       



     
···

       
475

       
476

       
 

       
		// Avatar is stored as blob in community's repository


     

       
476

       
477

       
 

       
		// Format: https://{pds}/xrpc/com.atproto.sync.getBlob?did={community_did}&cid={avatar_cid}


     

       
477

       
478

       
 

       
		if community.AvatarCID != "" && community.PDSURL != "" {


     

       
478

       

       
-

       
			avatarURLString := fmt.Sprintf("%s/xrpc/com.atproto.sync.getBlob?did=%s&cid=%s",


     

       
479

       

       
-

       
				strings.TrimSuffix(community.PDSURL, "/"),


     

       
480

       

       
-

       
				community.DID,


     

       
481

       

       
-

       
				community.AvatarCID)


     

       
482

       

       
-

       
			avatarURL = &avatarURLString


     

       

       
479

       
+

       
			// Validate HTTPS for security (prevent mixed content warnings, MitM attacks)


     

       

       
480

       
+

       
			if !strings.HasPrefix(community.PDSURL, "https://") {


     

       

       
481

       
+

       
				log.Printf("Warning: Skipping non-HTTPS PDS URL for community %s", community.DID)


     

       

       
482

       
+

       
			} else if !strings.HasPrefix(community.AvatarCID, "baf") {


     

       

       
483

       
+

       
				// Validate CID format (IPFS CIDs start with "baf" for CIDv1 base32)


     

       

       
484

       
+

       
				log.Printf("Warning: Invalid CID format for community %s", community.DID)


     

       

       
485

       
+

       
			} else {


     

       

       
486

       
+

       
				// Use proper URL escaping to prevent injection attacks


     

       

       
487

       
+

       
				avatarURLString := fmt.Sprintf("%s/xrpc/com.atproto.sync.getBlob?did=%s&cid=%s",


     

       

       
488

       
+

       
					strings.TrimSuffix(community.PDSURL, "/"),


     

       

       
489

       
+

       
					url.QueryEscape(community.DID),


     

       

       
490

       
+

       
					url.QueryEscape(community.AvatarCID))


     

       

       
491

       
+

       
				avatarURL = &avatarURLString


     

       

       
492

       
+

       
			}


     

       
483

       
493

       
 

       
		}


     

       
484

       
494

       
 

       
	} else {


     

       
485

       
495

       
 

       
		// Log warning but don't fail the entire request
+20
internal/core/users/interfaces.go 
···

       
8

       
8

       
 

       
	GetByDID(ctx context.Context, did string) (*User, error)


     

       
9

       
9

       
 

       
	GetByHandle(ctx context.Context, handle string) (*User, error)


     

       
10

       
10

       
 

       
	UpdateHandle(ctx context.Context, did, newHandle string) (*User, error)


     

       

       
11

       
+

       



     

       

       
12

       
+

       
	// GetByDIDs retrieves multiple users by their DIDs in a single batch query.


     

       

       
13

       
+

       
	// Returns a map of DID → User for efficient lookups.


     

       

       
14

       
+

       
	// Missing users are not included in the result map (no error for missing users).


     

       

       
15

       
+

       
	// Returns error only on database failures or validation errors (invalid DIDs, batch too large).


     

       

       
16

       
+

       
	//


     

       

       
17

       
+

       
	// Parameters:


     

       

       
18

       
+

       
	//   - ctx: Context for cancellation and timeout


     

       

       
19

       
+

       
	//   - dids: Array of DIDs to retrieve (must start with "did:", max 1000 items)


     

       

       
20

       
+

       
	//


     

       

       
21

       
+

       
	// Returns:


     

       

       
22

       
+

       
	//   - map[string]*User: Map of DID → User for found users


     

       

       
23

       
+

       
	//   - error: Validation or database errors (not errors for missing users)


     

       

       
24

       
+

       
	//


     

       

       
25

       
+

       
	// Example:


     

       

       
26

       
+

       
	//   userMap, err := repo.GetByDIDs(ctx, []string{"did:plc:abc", "did:plc:xyz"})


     

       

       
27

       
+

       
	//   if err != nil { return err }


     

       

       
28

       
+

       
	//   if user, found := userMap["did:plc:abc"]; found {


     

       

       
29

       
+

       
	//       // Use user


     

       

       
30

       
+

       
	//   }


     

       
11

       
31

       
 

       
	GetByDIDs(ctx context.Context, dids []string) (map[string]*User, error)


     

       
12

       
32

       
 

       
}


     

       
13

       
33
+15
internal/db/postgres/user_repo.go 
···

       
106

       
106

       
 

       
	return user, nil


     

       
107

       
107

       
 

       
}


     

       
108

       
108

       
 

       



     

       

       
109

       
+

       
const MaxBatchSize = 1000


     

       

       
110

       
+

       



     

       
109

       
111

       
 

       
// GetByDIDs retrieves multiple users by their DIDs in a single query


     

       
110

       
112

       
 

       
// Returns a map of DID -> User for efficient lookups


     

       
111

       
113

       
 

       
// Missing users are not included in the result map (no error for missing users)


     

       
112

       
114

       
 

       
func (r *postgresUserRepo) GetByDIDs(ctx context.Context, dids []string) (map[string]*users.User, error) {


     

       
113

       
115

       
 

       
	if len(dids) == 0 {


     

       
114

       
116

       
 

       
		return make(map[string]*users.User), nil


     

       

       
117

       
+

       
	}


     

       

       
118

       
+

       



     

       

       
119

       
+

       
	// Validate batch size to prevent excessive memory usage and query timeouts


     

       

       
120

       
+

       
	if len(dids) > MaxBatchSize {


     

       

       
121

       
+

       
		return nil, fmt.Errorf("batch size %d exceeds maximum %d", len(dids), MaxBatchSize)


     

       

       
122

       
+

       
	}


     

       

       
123

       
+

       



     

       

       
124

       
+

       
	// Validate DID format to prevent SQL injection and malformed queries


     

       

       
125

       
+

       
	// All atProto DIDs must start with "did:" prefix


     

       

       
126

       
+

       
	for _, did := range dids {


     

       

       
127

       
+

       
		if !strings.HasPrefix(did, "did:") {


     

       

       
128

       
+

       
			return nil, fmt.Errorf("invalid DID format: %s", did)


     

       

       
129

       
+

       
		}


     

       
115

       
130

       
 

       
	}


     

       
116

       
131

       
 

       



     

       
117

       
132

       
 

       
	// Build parameterized query with IN clause