fix(安全): 关闭白名单时保留最小校验与默认白名单

实现 allow_insecure_http 并在关闭校验时执行最小格式验证 - 关闭 allowlist 时要求 URL 可解析且 scheme 合规 - 响应头过滤关闭时使用默认白名单策略 - 更新相关文档、示例与测试覆盖
2026-01-05 14:41:08 +08:00
parent 794a9f969b
commit 048ed061c2
16 changed files with 151 additions and 50 deletions
--- a/backend/internal/util/responseheaders/responseheaders.go
+++ b/backend/internal/util/responseheaders/responseheaders.go
@@ -42,28 +42,31 @@ var hopByHopHeaders = map[string]struct{}{
 }

 func FilterHeaders(src http.Header, cfg config.ResponseHeaderConfig) http.Header {
-	if !cfg.Enabled {
-		return passThroughHeaders(src)
-	}
 	allowed := make(map[string]struct{}, len(defaultAllowed)+len(cfg.AdditionalAllowed))
 	for key := range defaultAllowed {
 		allowed[key] = struct{}{}
 	}
-	for _, key := range cfg.AdditionalAllowed {
-		normalized := strings.ToLower(strings.TrimSpace(key))
-		if normalized == "" {
-			continue
+	// 关闭时只使用默认白名单，additional/force_remove 不生效
+	if cfg.Enabled {
+		for _, key := range cfg.AdditionalAllowed {
+			normalized := strings.ToLower(strings.TrimSpace(key))
+			if normalized == "" {
+				continue
+			}
+			allowed[normalized] = struct{}{}
 		}
-		allowed[normalized] = struct{}{}
 	}

-	forceRemove := make(map[string]struct{}, len(cfg.ForceRemove))
-	for _, key := range cfg.ForceRemove {
-		normalized := strings.ToLower(strings.TrimSpace(key))
-		if normalized == "" {
-			continue
+	forceRemove := map[string]struct{}{}
+	if cfg.Enabled {
+		forceRemove = make(map[string]struct{}, len(cfg.ForceRemove))
+		for _, key := range cfg.ForceRemove {
+			normalized := strings.ToLower(strings.TrimSpace(key))
+			if normalized == "" {
+				continue
+			}
+			forceRemove[normalized] = struct{}{}
 		}
-		forceRemove[normalized] = struct{}{}
 	}

 	filtered := make(http.Header, len(src))
@@ -94,17 +97,3 @@ func WriteFilteredHeaders(dst http.Header, src http.Header, cfg config.ResponseH
 		}
 	}
 }
-
-func passThroughHeaders(src http.Header) http.Header {
-	filtered := make(http.Header, len(src))
-	for key, values := range src {
-		lower := strings.ToLower(key)
-		if _, isHopByHop := hopByHopHeaders[lower]; isHopByHop {
-			continue
-		}
-		for _, value := range values {
-			filtered.Add(key, value)
-		}
-	}
-	return filtered
-}
--- a/backend/internal/util/responseheaders/responseheaders_test.go
+++ b/backend/internal/util/responseheaders/responseheaders_test.go
@@ -7,28 +7,28 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/config"
 )

-func TestFilterHeadersDisabledPassThrough(t *testing.T) {
+func TestFilterHeadersDisabledUsesDefaultAllowlist(t *testing.T) {
 	src := http.Header{}
 	src.Add("Content-Type", "application/json")
+	src.Add("X-Request-Id", "req-123")
 	src.Add("X-Test", "ok")
-	src.Add("X-Remove", "keep")
 	src.Add("Connection", "keep-alive")
 	src.Add("Content-Length", "123")

 	cfg := config.ResponseHeaderConfig{
 		Enabled:     false,
-		ForceRemove: []string{"x-test"},
+		ForceRemove: []string{"x-request-id"},
 	}

 	filtered := FilterHeaders(src, cfg)
 	if filtered.Get("Content-Type") != "application/json" {
 		t.Fatalf("expected Content-Type passthrough, got %q", filtered.Get("Content-Type"))
 	}
-	if filtered.Get("X-Test") != "ok" {
-		t.Fatalf("expected X-Test passthrough, got %q", filtered.Get("X-Test"))
+	if filtered.Get("X-Request-Id") != "req-123" {
+		t.Fatalf("expected X-Request-Id allowed, got %q", filtered.Get("X-Request-Id"))
 	}
-	if filtered.Get("X-Remove") != "keep" {
-		t.Fatalf("expected X-Remove passthrough, got %q", filtered.Get("X-Remove"))
+	if filtered.Get("X-Test") != "" {
+		t.Fatalf("expected X-Test removed, got %q", filtered.Get("X-Test"))
 	}
 	if filtered.Get("Connection") != "" {
 		t.Fatalf("expected Connection to be removed, got %q", filtered.Get("Connection"))