fix(安全): 关闭白名单时保留最小校验与默认白名单
实现 allow_insecure_http 并在关闭校验时执行最小格式验证 - 关闭 allowlist 时要求 URL 可解析且 scheme 合规 - 响应头过滤关闭时使用默认白名单策略 - 更新相关文档、示例与测试覆盖
This commit is contained in:
@@ -42,28 +42,31 @@ var hopByHopHeaders = map[string]struct{}{
|
||||
}
|
||||
|
||||
func FilterHeaders(src http.Header, cfg config.ResponseHeaderConfig) http.Header {
|
||||
if !cfg.Enabled {
|
||||
return passThroughHeaders(src)
|
||||
}
|
||||
allowed := make(map[string]struct{}, len(defaultAllowed)+len(cfg.AdditionalAllowed))
|
||||
for key := range defaultAllowed {
|
||||
allowed[key] = struct{}{}
|
||||
}
|
||||
for _, key := range cfg.AdditionalAllowed {
|
||||
normalized := strings.ToLower(strings.TrimSpace(key))
|
||||
if normalized == "" {
|
||||
continue
|
||||
// 关闭时只使用默认白名单,additional/force_remove 不生效
|
||||
if cfg.Enabled {
|
||||
for _, key := range cfg.AdditionalAllowed {
|
||||
normalized := strings.ToLower(strings.TrimSpace(key))
|
||||
if normalized == "" {
|
||||
continue
|
||||
}
|
||||
allowed[normalized] = struct{}{}
|
||||
}
|
||||
allowed[normalized] = struct{}{}
|
||||
}
|
||||
|
||||
forceRemove := make(map[string]struct{}, len(cfg.ForceRemove))
|
||||
for _, key := range cfg.ForceRemove {
|
||||
normalized := strings.ToLower(strings.TrimSpace(key))
|
||||
if normalized == "" {
|
||||
continue
|
||||
forceRemove := map[string]struct{}{}
|
||||
if cfg.Enabled {
|
||||
forceRemove = make(map[string]struct{}, len(cfg.ForceRemove))
|
||||
for _, key := range cfg.ForceRemove {
|
||||
normalized := strings.ToLower(strings.TrimSpace(key))
|
||||
if normalized == "" {
|
||||
continue
|
||||
}
|
||||
forceRemove[normalized] = struct{}{}
|
||||
}
|
||||
forceRemove[normalized] = struct{}{}
|
||||
}
|
||||
|
||||
filtered := make(http.Header, len(src))
|
||||
@@ -94,17 +97,3 @@ func WriteFilteredHeaders(dst http.Header, src http.Header, cfg config.ResponseH
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
func passThroughHeaders(src http.Header) http.Header {
|
||||
filtered := make(http.Header, len(src))
|
||||
for key, values := range src {
|
||||
lower := strings.ToLower(key)
|
||||
if _, isHopByHop := hopByHopHeaders[lower]; isHopByHop {
|
||||
continue
|
||||
}
|
||||
for _, value := range values {
|
||||
filtered.Add(key, value)
|
||||
}
|
||||
}
|
||||
return filtered
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user