fix(安全): 关闭白名单时保留最小校验与默认白名单

实现 allow_insecure_http 并在关闭校验时执行最小格式验证 - 关闭 allowlist 时要求 URL 可解析且 scheme 合规 - 响应头过滤关闭时使用默认白名单策略 - 更新相关文档、示例与测试覆盖
2026-01-05 14:41:08 +08:00
parent 794a9f969b
commit 048ed061c2
16 changed files with 151 additions and 50 deletions
--- a/backend/internal/util/responseheaders/responseheaders.go
+++ b/backend/internal/util/responseheaders/responseheaders.go
@@ -42,28 +42,31 @@ var hopByHopHeaders = map[string]struct{}{
 }

 func FilterHeaders(src http.Header, cfg config.ResponseHeaderConfig) http.Header {
-	if !cfg.Enabled {
-		return passThroughHeaders(src)
-	}
 	allowed := make(map[string]struct{}, len(defaultAllowed)+len(cfg.AdditionalAllowed))
 	for key := range defaultAllowed {
 		allowed[key] = struct{}{}
 	}
-	for _, key := range cfg.AdditionalAllowed {
-		normalized := strings.ToLower(strings.TrimSpace(key))
-		if normalized == "" {
-			continue
+	// 关闭时只使用默认白名单，additional/force_remove 不生效
+	if cfg.Enabled {
+		for _, key := range cfg.AdditionalAllowed {
+			normalized := strings.ToLower(strings.TrimSpace(key))
+			if normalized == "" {
+				continue
+			}
+			allowed[normalized] = struct{}{}
 		}
-		allowed[normalized] = struct{}{}
 	}

-	forceRemove := make(map[string]struct{}, len(cfg.ForceRemove))
-	for _, key := range cfg.ForceRemove {
-		normalized := strings.ToLower(strings.TrimSpace(key))
-		if normalized == "" {
-			continue
+	forceRemove := map[string]struct{}{}
+	if cfg.Enabled {
+		forceRemove = make(map[string]struct{}, len(cfg.ForceRemove))
+		for _, key := range cfg.ForceRemove {
+			normalized := strings.ToLower(strings.TrimSpace(key))
+			if normalized == "" {
+				continue
+			}
+			forceRemove[normalized] = struct{}{}
 		}
-		forceRemove[normalized] = struct{}{}
 	}

 	filtered := make(http.Header, len(src))
@@ -94,17 +97,3 @@ func WriteFilteredHeaders(dst http.Header, src http.Header, cfg config.ResponseH
 		}
 	}
 }
-
-func passThroughHeaders(src http.Header) http.Header {
-	filtered := make(http.Header, len(src))
-	for key, values := range src {
-		lower := strings.ToLower(key)
-		if _, isHopByHop := hopByHopHeaders[lower]; isHopByHop {
-			continue
-		}
-		for _, value := range values {
-			filtered.Add(key, value)
-		}
-	}
-	return filtered
-}