Fix cross-tenant notification data leak via query parameter#114
Merged
Conversation
Add SIGINT/SIGTERM signal handling, context-based cancellation for background goroutines, and proper app.Shutdown() to all three Go services to prevent connection leaks on Kubernetes pod termination. - attendance-service: signal.Notify -> app.ShutdownWithContext - lms-service: signal.Notify -> app.ShutdownWithContext - notification-go-service: signal.Notify -> http.Server.Shutdown - All background goroutines accept context.Context for clean shutdown
Wrap RabbitMQ consumer setup in an infinite reconnection loop so that consumers automatically reconnect when the connection drops, instead of permanently terminating the goroutine. - attendance-service: consumeEmployeeDeletions now retries on disconnect - notification-go-service: setupRabbitMQConsumer now retries on disconnect - Exponential backoff from 1s to 30s max on each retry attempt
Limit total WebSocket connections (max 1000) and enforce per-IP rate limiting (max 10 per IP) to prevent resource exhaustion attacks. - maxClients = 1000 global limit checked before upgrade - maxConnsPerIP = 10 limit enforced per client IP address - canAcceptConnection/releaseConnection for tracking IP counts - Client struct extended with clientIP field for cleanup - Existing readPump cleanup extended to release IP count
Remove tenant_id query parameter that could bypass the X-Tenant-Id header set by auth middleware. Always use the header value and return 403 if missing.
Senthil455
commented
Jun 17, 2026
Senthil455
left a comment
Senthil455
left a comment
Owner
Author
There was a problem hiding this comment.
Removes the insecure query parameter fallback that allowed cross-tenant notification access. Simple, targeted fix for a clear security vulnerability.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remove the tenant_id query parameter that took precedence over the X-Tenant-Id header, allowing any authenticated user to read any tenant's notifications. Now always uses the header value and returns 403 if missing.