fix(安全): 关闭白名单时保留最小校验与默认白名单

实现 allow_insecure_http 并在关闭校验时执行最小格式验证 - 关闭 allowlist 时要求 URL 可解析且 scheme 合规 - 响应头过滤关闭时使用默认白名单策略 - 更新相关文档、示例与测试覆盖
2026-01-05 14:41:08 +08:00
parent 794a9f969b
commit 048ed061c2
16 changed files with 151 additions and 50 deletions
--- a/backend/internal/util/responseheaders/responseheaders_test.go
+++ b/backend/internal/util/responseheaders/responseheaders_test.go
@@ -7,28 +7,28 @@ import (
 	"github.com/Wei-Shaw/sub2api/internal/config"
 )

-func TestFilterHeadersDisabledPassThrough(t *testing.T) {
+func TestFilterHeadersDisabledUsesDefaultAllowlist(t *testing.T) {
 	src := http.Header{}
 	src.Add("Content-Type", "application/json")
+	src.Add("X-Request-Id", "req-123")
 	src.Add("X-Test", "ok")
-	src.Add("X-Remove", "keep")
 	src.Add("Connection", "keep-alive")
 	src.Add("Content-Length", "123")

 	cfg := config.ResponseHeaderConfig{
 		Enabled:     false,
-		ForceRemove: []string{"x-test"},
+		ForceRemove: []string{"x-request-id"},
 	}

 	filtered := FilterHeaders(src, cfg)
 	if filtered.Get("Content-Type") != "application/json" {
 		t.Fatalf("expected Content-Type passthrough, got %q", filtered.Get("Content-Type"))
 	}
-	if filtered.Get("X-Test") != "ok" {
-		t.Fatalf("expected X-Test passthrough, got %q", filtered.Get("X-Test"))
+	if filtered.Get("X-Request-Id") != "req-123" {
+		t.Fatalf("expected X-Request-Id allowed, got %q", filtered.Get("X-Request-Id"))
 	}
-	if filtered.Get("X-Remove") != "keep" {
-		t.Fatalf("expected X-Remove passthrough, got %q", filtered.Get("X-Remove"))
+	if filtered.Get("X-Test") != "" {
+		t.Fatalf("expected X-Test removed, got %q", filtered.Get("X-Test"))
 	}
 	if filtered.Get("Connection") != "" {
 		t.Fatalf("expected Connection to be removed, got %q", filtered.Get("Connection"))