mirror of
https://github.com/NoFxAiOS/nofx.git
synced 2026-07-15 00:36:56 +08:00
security: add safe.ReadAllLimited — bound all HTTP response body reads to 10MB
- Created safe/io.go with ReadAllLimited helper (default 10MB limit) - Replaced 62 unbounded io.ReadAll(resp.Body) calls across 32 files - Covers all exchange traders (Hyperliquid, Bybit, Binance, OKX, Aster, KuCoin, Gate, Bitget, Lighter, Indodax), providers (CoinAnk, Alpaca, TwelveData), MCP client/x402, market data, wallet, telegram, kernel - Prevents OOM from malicious/buggy exchange API responses - Previously fixed: brain.go, sentinel.go already had manual LimitReader
This commit is contained in:
@@ -52,6 +52,7 @@
|
||||
|
||||
### Code Quality
|
||||
- [DONE] Extract WelcomeScreen, ChatMessages, ChatInput from AgentChatPage (825→480 lines)
|
||||
- [DONE] Sanitize 3 more error message leaks in API responses (handler_trader.go ×2, handler_ai_cost.go ×1)
|
||||
- [PENDING] `context.Background()` used in ~69 exchange/trader calls — should propagate request context for proper cancellation (partially done: kline handlers fixed, trader/exchange calls remain)
|
||||
|
||||
### Performance
|
||||
|
||||
Reference in New Issue
Block a user