From 0c7a58fcc77388d27d40b3bcaf281e95439cf7c4 Mon Sep 17 00:00:00 2001
From: yangjianbo
Date: Tue, 6 Jan 2026 12:56:29 +0800
Subject: [PATCH] =?UTF-8?q?fix(=E9=85=8D=E7=BD=AE):=20=E4=BF=AE=E6=94=B9?=
 =?UTF-8?q?=20URL=20=E5=AE=89=E5=85=A8=E9=85=8D=E7=BD=AE=E9=BB=98=E8=AE=A4?=
 =?UTF-8?q?=E5=80=BC=E4=B8=BA=E5=BC=80=E5=8F=91=E5=8F=8B=E5=A5=BD=E6=A8=A1?=
 =?UTF-8?q?=E5=BC=8F?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

调整以下配置的默认值以匹配 .env.example:
- allow_insecure_http: false → true (允许 HTTP URL)
- allow_private_hosts: false → true (允许本地/私有 IP)

**改动说明:**
- 默认允许 HTTP URL,方便开发测试环境使用
- 默认允许本地和私有 IP 地址
- 与 deploy/.env.example 中的推荐配置保持一致
- 更新相应的单元测试以验证新的默认值

**安全提示:**
⚠️ 这些默认值适合开发/测试环境
⚠️ 生产环境建议显式配置更严格的安全策略
⚠️ HTTP 存在明文传输风险,仅在可信网络中使用

**测试结果:**
- ✅ 所有单元测试通过
- ✅ golangci-lint 无问题

相关文件:
- backend/internal/config/config.go:451-452
- backend/internal/config/config_test.go:83-88

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5
---
 backend/internal/config/config.go | 4 ++--
 backend/internal/config/config_test.go | 7 +++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/backend/internal/config/config.go b/backend/internal/config/config.go
index cab6ce14..e49c188b 100644
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -448,8 +448,8 @@ func setDefaults() {
 "raw.githubusercontent.com",
 })
 viper.SetDefault("security.url_allowlist.crs_hosts", []string{})
- viper.SetDefault("security.url_allowlist.allow_private_hosts", false)
- viper.SetDefault("security.url_allowlist.allow_insecure_http", false)
+ viper.SetDefault("security.url_allowlist.allow_private_hosts", true)
+ viper.SetDefault("security.url_allowlist.allow_insecure_http", true)
 viper.SetDefault("security.response_headers.enabled", false)
 viper.SetDefault("security.response_headers.additional_allowed", []string{})
 viper.SetDefault("security.response_headers.force_remove", []string{})
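Review bot: The two `+` lines in setDefaults() turn off the URL allowlist's private-host and plaintext-HTTP guards for every deployment that does not explicitly set those keys, so an instance started without the env file silently inherits the development posture instead of failing closed (a host check that admits loopback and private ranges by default weakens whatever outbound-fetch protection the allowlist appears to provide). Aligning with deploy/.env.example is better done in the other direction: keep `viper.SetDefault("security.url_allowlist.allow_private_hosts", false)` and `viper.SetDefault("security.url_allowlist.allow_insecure_http", false)` here and put the permissive `true` values in the example file, which is the artifact a developer copies for local work. If the permissive code defaults are kept, add a comment above them such as `// NOTE: permissive development defaults; production deployments must set both keys to false explicitly` and consider a startup log line when either resolves to true so operators can detect the setting. The same point applies to the config_test.go hunk, where TestLoadDefaultSecurityToggles now pins the permissive values as the expected baseline. setDefaults() continues outside the hunk.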
diff --git a/backend/internal/config/config_test.go b/backend/internal/config/config_test.go
index 1f6ed58e..f28680c6 100644
--- a/backend/internal/config/config_test.go
+++ b/backend/internal/config/config_test.go
@@ -80,8 +80,11 @@ func TestLoadDefaultSecurityToggles(t *testing.T) {
 if cfg.Security.URLAllowlist.Enabled {
 t.Fatalf("URLAllowlist.Enabled = true, want false")
 }
- if cfg.Security.URLAllowlist.AllowInsecureHTTP {
- t.Fatalf("URLAllowlist.AllowInsecureHTTP = true, want false")
+ if !cfg.Security.URLAllowlist.AllowInsecureHTTP {
+ t.Fatalf("URLAllowlist.AllowInsecureHTTP = false, want true")
+ }
+ if !cfg.Security.URLAllowlist.AllowPrivateHosts {
+ t.Fatalf("URLAllowlist.AllowPrivateHosts = false, want true")
 }
 if cfg.Security.ResponseHeaders.Enabled {
 t.Fatalf("ResponseHeaders.Enabled = true, want false")