Security audit: fix critical vulnerabilities

- Fix parameter order bugs in repository.go (prevented data corruption)
- Fix path traversal in local.go with securePath validation
- Fix FFmpeg filter injection in afd_analyzer.go with proper escaping
- Fix SQL injection in quality_repository.go using parameterized query
- Fix CSRF timing attack in security.go with constant-time comparison
- Fix error message copy-paste bug in repository.go
- Update vulnerable dependencies (x/oauth2, x/crypto)

Author: alokemajumder

go.mod

@@ -23,7 +23,7 @@ require (
 	github.com/redis/go-redis/v9 v9.12.1
 	github.com/rs/zerolog v1.32.0
 	github.com/spf13/cobra v1.10.2
-	golang.org/x/crypto v0.44.0
+	golang.org/x/crypto v0.45.0
 	google.golang.org/api v0.177.0
 )
 
@@ -96,7 +96,7 @@ require (
 	go.uber.org/atomic v1.7.0 // indirect
 	golang.org/x/arch v0.8.0 // indirect
 	golang.org/x/net v0.47.0 // indirect
-	golang.org/x/oauth2 v0.19.0 // indirect
+	golang.org/x/oauth2 v0.33.0 // indirect
 	golang.org/x/sync v0.18.0 // indirect
 	golang.org/x/sys v0.38.0 // indirect
 	golang.org/x/text v0.31.0 // indirect

go.sum

@@ -272,8 +272,8 @@ golang.org/x/arch v0.8.0 h1:3wRIsP3pM4yUptoR96otTUOXI367OS0+c9eeRi9doIc=
 golang.org/x/arch v0.8.0/go.mod h1:FEVrYAQjsQXMVJ1nsMoVVXPZg6p2JE2mx8psSWTDQys=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.44.0 h1:A97SsFvM3AIwEEmTBiaxPPTYpDC47w720rdiiUvgoAU=
-golang.org/x/crypto v0.44.0/go.mod h1:013i+Nw79BMiQiMsOPcVCB5ZIJbYkerPrGnOa00tvmc=
+golang.org/x/crypto v0.45.0 h1:jMBrvKuj23MTlT0bQEOBcAE0mjg8mK9RXFhRH6nyF3Q=
+golang.org/x/crypto v0.45.0/go.mod h1:XTGrrkGJve7CYK7J8PEww4aY7gM3qMCElcJQ8n8JdX4=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -287,8 +287,8 @@ golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwY
 golang.org/x/net v0.47.0 h1:Mx+4dIFzqraBXUugkia1OOvlD6LemFo1ALMHjrXDOhY=
 golang.org/x/net v0.47.0/go.mod h1:/jNxtkgq5yWUGYkaZGqo27cfGZ1c5Nen03aYrrKpVRU=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.19.0 h1:9+E/EZBCbTLNrbN35fHv/a/d/mOBatymz1zbtQrXpIg=
-golang.org/x/oauth2 v0.19.0/go.mod h1:vYi7skDa1x015PmRRYZ7+s1cWyPgrPiSYRe4rnsexc8=
+golang.org/x/oauth2 v0.33.0 h1:4Q+qn+E5z8gPRJfmRy7C2gGG3T4jIprK6aSYgTXGRpo=
+golang.org/x/oauth2 v0.33.0/go.mod h1:lzm5WQJQwKZ3nwavOZ3IS5Aulzxi68dUSgRHujetwEA=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=

internal/database/quality_repository.go

@@ -794,21 +794,24 @@ func (r *qualityRepository) GetQualityStatistics(ctx context.Context, filters Qu
 
 // GetQualityTrends retrieves quality trends over time
 func (r *qualityRepository) GetQualityTrends(ctx context.Context, metricType quality.QualityMetricType, days int) ([]*QualityTrend, error) {
+	// Use parameterized query with SQLite-compatible date arithmetic
+	// The '-X days' modifier is passed as a parameter to prevent SQL injection
 	query := `
-		SELECT 
+		SELECT
 			DATE(created_at) as date,
 			AVG(overall_score) as average_score,
 			COUNT(*) as sample_count
 		FROM quality_metrics
-		WHERE metric_type = $1 
-		AND created_at >= CURRENT_DATE - INTERVAL '%d days'
+		WHERE metric_type = $1
+		AND created_at >= DATE('now', $2)
 		GROUP BY DATE(created_at)
 		ORDER BY date DESC`
 
-	query = fmt.Sprintf(query, days)
+	// Format the days parameter as SQLite modifier string (e.g., "-30 days")
+	daysModifier := fmt.Sprintf("-%d days", days)
 
 	var trends []*QualityTrend
-	err := r.db.SelectContext(ctx, &trends, query, metricType)
+	err := r.db.SelectContext(ctx, &trends, query, metricType, daysModifier)
 	if err != nil {
 		return nil, err
 	}

internal/database/repository.go

@@ -180,7 +180,7 @@ func (r *SQLiteRepository) UpdateAnalysisStatus(ctx context.Context, id uuid.UUI
 		SET status = ?, error_msg = ?, updated_at = ?
 		WHERE id = ?`
 
-	_, err := r.db.DB.ExecContext(ctx, query, id, status, errorMsg, time.Now())
+	_, err := r.db.DB.ExecContext(ctx, query, status, errorMsg, time.Now(), id)
 	if err != nil {
 		return fmt.Errorf("failed to update analysis status: %w", err)
 	}
@@ -195,7 +195,7 @@ func (r *SQLiteRepository) UpdateAnalysisLLMReport(ctx context.Context, id uuid.
 		SET llm_report = ?, updated_at = ?
 		WHERE id = ?`
 
-	_, err := r.db.DB.ExecContext(ctx, query, id, report, time.Now())
+	_, err := r.db.DB.ExecContext(ctx, query, report, time.Now(), id)
 	if err != nil {
 		return fmt.Errorf("failed to update analysis LLM report: %w", err)
 	}
@@ -801,7 +801,7 @@ func (r *SQLiteRepository) DeleteQualityComparison(ctx context.Context, id uuid.
 	}
 
 	if rowsAffected == 0 {
-		return fmt.Errorf("processing job not found")
+		return fmt.Errorf("quality comparison not found")
 	}
 
 	return nil
@@ -845,7 +845,7 @@ func (r *SQLiteRepository) UpdateProcessingJob(ctx context.Context, job *models.
 		WHERE id = ?`
 
 	_, err := r.db.DB.ExecContext(ctx, query,
-		job.ID, job.Status, job.StartedAt, job.CompletedAt, job.ErrorMsg, job.RetryCount)
+		job.Status, job.StartedAt, job.CompletedAt, job.ErrorMsg, job.RetryCount, job.ID)
 	return err
 }
 

internal/ffmpeg/afd_analyzer.go

@@ -306,16 +306,40 @@ func (aa *AFDAnalyzer) detectAFDFromVideoCharacteristics(ctx context.Context, fi
 	return nil
 }
 
+// escapeFFmpegFilterPath escapes a file path for use in FFmpeg filter expressions.
+// FFmpeg filter syntax requires special characters to be escaped.
+// See: https://ffmpeg.org/ffmpeg-filters.html#Notes-on-filtergraph-escaping
+func escapeFFmpegFilterPath(path string) string {
+	// Escape backslashes first (must be done before other escapes)
+	escaped := strings.ReplaceAll(path, `\`, `\\`)
+	// Escape single quotes
+	escaped = strings.ReplaceAll(escaped, `'`, `'\''`)
+	// Escape colons (used as option separator)
+	escaped = strings.ReplaceAll(escaped, `:`, `\:`)
+	// Escape commas (used as filter separator)
+	escaped = strings.ReplaceAll(escaped, `,`, `\,`)
+	// Escape brackets (used in filter chains)
+	escaped = strings.ReplaceAll(escaped, `[`, `\[`)
+	escaped = strings.ReplaceAll(escaped, `]`, `\]`)
+	// Escape semicolons (used as filterchain separator)
+	escaped = strings.ReplaceAll(escaped, `;`, `\;`)
+	// Wrap in single quotes for additional safety
+	return `'` + escaped + `'`
+}
+
 // detectLetterboxing analyzes frames to detect letterboxing/pillarboxing
 func (aa *AFDAnalyzer) detectLetterboxing(ctx context.Context, filePath string, analysis *AFDAnalysis) error {
+	// Escape the file path for FFmpeg filter expression to prevent injection
+	escapedPath := escapeFFmpegFilterPath(filePath)
+
 	// Use ffprobe with cropdetect filter to detect black bars
 	cmd := []string{
 		aa.ffprobePath,
 		"-v", "quiet",
 		"-print_format", "json",
 		"-show_entries", "frame_tags=lavfi.cropdetect.w,lavfi.cropdetect.h,lavfi.cropdetect.x,lavfi.cropdetect.y",
 		"-f", "lavfi",
-		"-i", fmt.Sprintf("movie=%s,cropdetect=24:16:0", filePath),
+		"-i", fmt.Sprintf("movie=%s,cropdetect=24:16:0", escapedPath),
 		"-frames:v", "10",
 	}
 

internal/middleware/security.go

@@ -2,6 +2,7 @@ package middleware
 
 import (
 	"crypto/rand"
+	"crypto/subtle"
 	"encoding/hex"
 	"fmt"
 	"net/http"
@@ -186,7 +187,9 @@ func (sm *SecurityMiddleware) CSRF() gin.HandlerFunc {
 		// Get expected token from session/context
 		expectedToken := c.GetString("csrf_token")
 
-		if token == "" || expectedToken == "" || token != expectedToken {
+		// Use constant-time comparison to prevent timing attacks
+		tokenMatch := subtle.ConstantTimeCompare([]byte(token), []byte(expectedToken)) == 1
+		if token == "" || expectedToken == "" || !tokenMatch {
 			sm.logger.Warn().
 				Str("path", c.Request.URL.Path).
 				Str("ip", c.ClientIP()).

internal/storage/local.go

@@ -6,6 +6,7 @@ import (
 	"io"
 	"os"
 	"path/filepath"
+	"strings"
 )
 
 type LocalProvider struct {
@@ -19,18 +20,62 @@ func NewLocalProvider(cfg Config) (*LocalProvider, error) {
 		basePath = "./storage"
 	}
 
-	if err := os.MkdirAll(basePath, 0755); err != nil {
+	// Get absolute path for base directory
+	absBasePath, err := filepath.Abs(basePath)
+	if err != nil {
+		return nil, fmt.Errorf("failed to resolve base path: %w", err)
+	}
+
+	if err := os.MkdirAll(absBasePath, 0755); err != nil {
 		return nil, fmt.Errorf("failed to create storage directory: %w", err)
 	}
 
 	return &LocalProvider{
-		basePath: basePath,
+		basePath: absBasePath,
 		baseURL:  cfg.BaseURL,
 	}, nil
 }
 
+// securePath validates and returns a safe file path within the base directory.
+// Returns an error if the path would escape the base directory.
+func (l *LocalProvider) securePath(key string) (string, error) {
+	// Clean the key to remove any .. or other traversal attempts
+	cleanKey := filepath.Clean(key)
+
+	// Join with base path
+	filePath := filepath.Join(l.basePath, cleanKey)
+
+	// Get absolute path to resolve any remaining traversal
+	absPath, err := filepath.Abs(filePath)
+	if err != nil {
+		return "", fmt.Errorf("failed to resolve path: %w", err)
+	}
+
+	// Verify the resolved path is within the base directory
+	// Use filepath.Clean on basePath to ensure consistent comparison
+	if !strings.HasPrefix(absPath, l.basePath+string(filepath.Separator)) && absPath != l.basePath {
+		return "", fmt.Errorf("path traversal detected: access denied")
+	}
+
+	// Check for symlinks that might escape the base directory
+	// Only check if the path exists (for read operations)
+	if _, err := os.Lstat(absPath); err == nil {
+		realPath, err := filepath.EvalSymlinks(absPath)
+		if err == nil {
+			if !strings.HasPrefix(realPath, l.basePath+string(filepath.Separator)) && realPath != l.basePath {
+				return "", fmt.Errorf("symlink escape detected: access denied")
+			}
+		}
+	}
+
+	return absPath, nil
+}
+
 func (l *LocalProvider) Upload(ctx context.Context, key string, reader io.Reader, size int64) error {
-	filePath := filepath.Join(l.basePath, key)
+	filePath, err := l.securePath(key)
+	if err != nil {
+		return err
+	}
 
 	if err := os.MkdirAll(filepath.Dir(filePath), 0755); err != nil {
 		return fmt.Errorf("failed to create directory: %w", err)
@@ -50,7 +95,11 @@ func (l *LocalProvider) Upload(ctx context.Context, key string, reader io.Reader
 }
 
 func (l *LocalProvider) Download(ctx context.Context, key string) (io.ReadCloser, error) {
-	filePath := filepath.Join(l.basePath, key)
+	filePath, err := l.securePath(key)
+	if err != nil {
+		return nil, err
+	}
+
 	file, err := os.Open(filePath)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open file: %w", err)
@@ -59,16 +108,24 @@ func (l *LocalProvider) Download(ctx context.Context, key string) (io.ReadCloser
 }
 
 func (l *LocalProvider) Delete(ctx context.Context, key string) error {
-	filePath := filepath.Join(l.basePath, key)
+	filePath, err := l.securePath(key)
+	if err != nil {
+		return err
+	}
+
 	if err := os.Remove(filePath); err != nil {
 		return fmt.Errorf("failed to delete file: %w", err)
 	}
 	return nil
 }
 
 func (l *LocalProvider) Exists(ctx context.Context, key string) (bool, error) {
-	filePath := filepath.Join(l.basePath, key)
-	_, err := os.Stat(filePath)
+	filePath, err := l.securePath(key)
+	if err != nil {
+		return false, err
+	}
+
+	_, err = os.Stat(filePath)
 	if err != nil {
 		if os.IsNotExist(err) {
 			return false, nil
@@ -80,9 +137,16 @@ func (l *LocalProvider) Exists(ctx context.Context, key string) (bool, error) {
 
 func (l *LocalProvider) GetURL(ctx context.Context, key string) (string, error) {
 	if l.baseURL != "" {
-		return fmt.Sprintf("%s/%s", l.baseURL, key), nil
+		// Sanitize key for URL to prevent injection
+		cleanKey := filepath.Clean(key)
+		return fmt.Sprintf("%s/%s", l.baseURL, cleanKey), nil
+	}
+
+	filePath, err := l.securePath(key)
+	if err != nil {
+		return "", err
 	}
-	return fmt.Sprintf("file://%s", filepath.Join(l.basePath, key)), nil
+	return fmt.Sprintf("file://%s", filePath), nil
 }
 
 func (l *LocalProvider) GetSignedURL(ctx context.Context, key string, expiration int64) (string, error) {