fix(安全): 修复上游校验与 URL 清理问题

增加请求阶段 DNS 解析校验，阻断重绑定到私网补充默认透传 WWW-Authenticate 头，保留认证挑战前端相对 URL 过滤拒绝 // 协议相对路径测试: go test ./internal/repository -run TestGitHubReleaseServiceSuite 测试: go test ./internal/repository -run TestTurnstileServiceSuite 测试: go test ./internal/repository -run TestProxyProbeServiceSuite 测试: go test ./internal/repository -run TestClaudeUsageServiceSuite
2026-01-03 10:52:24 +08:00
parent bd4bf00856
commit 25e1632628
18 changed files with 168 additions and 58 deletions
--- a/backend/internal/repository/github_release_service.go
+++ b/backend/internal/repository/github_release_service.go
@@ -14,18 +14,23 @@ import (
 )

 type githubReleaseClient struct {
-	httpClient *http.Client
+	httpClient        *http.Client
+	allowPrivateHosts bool
 }

 func NewGitHubReleaseClient() service.GitHubReleaseClient {
+	allowPrivate := false
 	sharedClient, err := httpclient.GetClient(httpclient.Options{
-		Timeout: 30 * time.Second,
+		Timeout:            30 * time.Second,
+		ValidateResolvedIP: true,
+		AllowPrivateHosts:  allowPrivate,
 	})
 	if err != nil {
 		sharedClient = &http.Client{Timeout: 30 * time.Second}
 	}
 	return &githubReleaseClient{
-		httpClient: sharedClient,
+		httpClient:        sharedClient,
+		allowPrivateHosts: allowPrivate,
 	}
 }

@@ -64,7 +69,9 @@ func (c *githubReleaseClient) DownloadFile(ctx context.Context, url, dest string
 	}

 	downloadClient, err := httpclient.GetClient(httpclient.Options{
-		Timeout: 10 * time.Minute,
+		Timeout:            10 * time.Minute,
+		ValidateResolvedIP: true,
+		AllowPrivateHosts:  c.allowPrivateHosts,
 	})
 	if err != nil {
 		downloadClient = &http.Client{Timeout: 10 * time.Minute}