fix: clamp defaultTTL to 24h cap in parseCacheTTL

sangwa · claude · sangwa · commit 50b3025628ba · 2026-03-25T18:35:23.000-07:00
A configured http.cache.default_ttl &gt;24h would bypass the documented
24h cap because the default return path did not clamp the value.
Now parseCacheTTL clamps defaultTTL at entry so all return paths
(max-age, Expires, and default) respect the cap.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/internal/endorsements_test.go b/internal/endorsements_test.go
@@ -433,6 +433,13 @@ func TestParseCacheTTL(t *testing.T) {
 			}
 		})
 	}
+
+	t.Run("defaultTTL capped at 24h", func(t *testing.T) {
+		got := parseCacheTTL(http.Header{}, 48*time.Hour)
+		if got != 24*time.Hour {
+			t.Errorf("parseCacheTTL() with 48h default = %v, want %v", got, 24*time.Hour)
+		}
+	})
 }
 
 // --- parseByteSize ---
diff --git a/internal/fetch.go b/internal/fetch.go
@@ -122,6 +122,9 @@ func (s *Server) fetchHTTPClient() *http.Client {
 // Cache-Control for max-age and no-cache/no-store, falls back to the
 // Expires header, and defaults to defaultTTL. TTL is capped at 24 hours.
 func parseCacheTTL(header http.Header, defaultTTL time.Duration) time.Duration {
+	if defaultTTL > fetchMaxTTL {
+		defaultTTL = fetchMaxTTL
+	}
 	if cc := header.Get("Cache-Control"); cc != "" {
 		lower := strings.ToLower(cc)
 		if strings.Contains(lower, "no-cache") || strings.Contains(lower, "no-store") {

Original file line number	Diff line number	Diff line change
`@@ -433,6 +433,13 @@ func TestParseCacheTTL(t *testing.T) {`
`433`	`433`	`}`
`434`	`434`	`})`
`435`	`435`	`}`
	`436`	`+`
	`437`	`+ t.Run("defaultTTL capped at 24h", func(t *testing.T) {`
	`438`	`+ got := parseCacheTTL(http.Header{}, 48*time.Hour)`
	`439`	`+ if got != 24*time.Hour {`
	`440`	`+ t.Errorf("parseCacheTTL() with 48h default = %v, want %v", got, 24*time.Hour)`
	`441`	`+ }`
	`442`	`+ })`
`436`	`443`	`}`
`437`	`444`
`438`	`445`	`// --- parseByteSize ---`