oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(安全): 关闭白名单时保留最小校验与默认白名单

Browse Source 
实现 allow_insecure_http 并在关闭校验时执行最小格式验证
- 关闭 allowlist 时要求 URL 可解析且 scheme 合规
- 响应头过滤关闭时使用默认白名单策略
- 更新相关文档、示例与测试覆盖
This commit is contained in:
yangjianbo
2026-01-05 14:41:08 +08:00
parent 794a9f969b
commit 048ed061c2
16 changed files with 151 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
backend/internal/service/pricing_service.go
View File

@@ -410,7 +410,11 @@ func (s *PricingService) fetchRemoteHash() (string, error) {
func (s *PricingService) validatePricingURL(raw string) (string, error) {
if s.cfg != nil && !s.cfg.Security.URLAllowlist.Enabled {
return strings.TrimSpace(raw), nil
normalized, err := urlvalidator.ValidateURLFormat(raw, s.cfg.Security.URLAllowlist.AllowInsecureHTTP)
if err != nil {
return "", fmt.Errorf("invalid pricing url: %w", err)
}
return normalized, nil
}
normalized, err := urlvalidator.ValidateHTTPSURL(raw, urlvalidator.ValidationOptions{
AllowedHosts: s.cfg.Security.URLAllowlist.PricingHosts,