Don't expose debug vars by default (fix: #799)

Signed-off-by: Maksym Pavlenko <[email protected]>

Author: mxpv

config.toml.example

@@ -21,8 +21,11 @@ path = "test"
 web_ui = true
 # Optional. If you want to use TLS you must set the TLS flag and path to the certificate file and private key file.
 tls = true
-certificate_path = "/var/www/cert.pem"  
+certificate_path = "/var/www/cert.pem"
 key_file_path = "/var/www/priv.pem"
+# Optional. Enable debug endpoints (/debug/vars) for runtime metrics. Disabled by default for security.
+# Only enable this if you need to debug the application and the endpoint is not publicly accessible.
+debug_endpoints = false
 
 # Configure where to store the episode data
 [storage]

services/web/server.go

@@ -2,6 +2,7 @@ package web
 
 import (
 	"encoding/json"
+	"expvar"
 	"fmt"
 	"net/http"
 	"time"
@@ -39,6 +40,8 @@ type Config struct {
 	DataDir string `toml:"data_dir"`
 	// WebUIEnabled is a flag indicating if web UI is enabled
 	WebUIEnabled bool `toml:"web_ui"`
+	// DebugEndpoints enables /debug/vars endpoint for runtime metrics (disabled by default)
+	DebugEndpoints bool `toml:"debug_endpoints"`
 }
 
 func New(cfg Config, storage http.FileSystem, database db.Storage) *Server {
@@ -59,13 +62,25 @@ func New(cfg Config, storage http.FileSystem, database db.Storage) *Server {
 	srv.Addr = fmt.Sprintf("%s:%d", bindAddress, port)
 	log.Debugf("using address: %s:%s", bindAddress, srv.Addr)
 
+	// Use a custom mux instead of http.DefaultServeMux to avoid exposing
+	// debug endpoints registered by imported packages (security fix for #799)
+	mux := http.NewServeMux()
+
 	fileServer := http.FileServer(storage)
 
 	log.Debugf("handle path: /%s", cfg.Path)
-	http.Handle(fmt.Sprintf("/%s", cfg.Path), fileServer)
+	mux.Handle(fmt.Sprintf("/%s", cfg.Path), fileServer)
 
 	// Add health check endpoint
-	http.HandleFunc("/health", srv.healthCheckHandler)
+	mux.HandleFunc("/health", srv.healthCheckHandler)
+
+	// Optionally enable debug endpoints (disabled by default for security)
+	if cfg.DebugEndpoints {
+		log.Info("debug endpoints enabled at /debug/vars")
+		mux.Handle("/debug/vars", expvar.Handler())
+	}
+
+	srv.Handler = mux
 
 	return &srv
 }

services/web/server_test.go

@@ -0,0 +1,56 @@
+package web
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+type mockFileSystem struct{}
+
+func (m *mockFileSystem) Open(name string) (http.File, error) {
+	return nil, http.ErrMissingFile
+}
+
+func TestDebugEndpointDisabledByDefault(t *testing.T) {
+	cfg := Config{
+		Port: 8080,
+		Path: "feeds",
+	}
+
+	srv := New(cfg, &mockFileSystem{}, nil)
+
+	req := httptest.NewRequest(http.MethodGet, "/debug/vars", nil)
+	rec := httptest.NewRecorder()
+
+	srv.Handler.ServeHTTP(rec, req)
+
+	// Should return 404 when debug endpoints are disabled
+	assert.Equal(t, http.StatusNotFound, rec.Code)
+	// Should NOT contain expvar data
+	assert.False(t, strings.Contains(rec.Body.String(), "cmdline"))
+}
+
+func TestDebugEndpointEnabledWhenConfigured(t *testing.T) {
+	cfg := Config{
+		Port:           8080,
+		Path:           "feeds",
+		DebugEndpoints: true,
+	}
+
+	srv := New(cfg, &mockFileSystem{}, nil)
+
+	req := httptest.NewRequest(http.MethodGet, "/debug/vars", nil)
+	rec := httptest.NewRecorder()
+
+	srv.Handler.ServeHTTP(rec, req)
+
+	// Should return 200 and JSON content when debug endpoints are enabled
+	assert.Equal(t, http.StatusOK, rec.Code)
+	assert.Contains(t, rec.Header().Get("Content-Type"), "application/json")
+	// Verify it contains expvar data (cmdline is always present)
+	assert.True(t, strings.Contains(rec.Body.String(), "cmdline"))
+}