fix(安全): 修复上游校验与 URL 清理问题

增加请求阶段 DNS 解析校验，阻断重绑定到私网补充默认透传 WWW-Authenticate 头，保留认证挑战前端相对 URL 过滤拒绝 // 协议相对路径测试: go test ./internal/repository -run TestGitHubReleaseServiceSuite 测试: go test ./internal/repository -run TestTurnstileServiceSuite 测试: go test ./internal/repository -run TestProxyProbeServiceSuite 测试: go test ./internal/repository -run TestClaudeUsageServiceSuite
2026-01-03 10:52:24 +08:00
parent bd4bf00856
commit 25e1632628
18 changed files with 168 additions and 58 deletions
--- a/backend/internal/repository/turnstile_service.go
+++ b/backend/internal/repository/turnstile_service.go
@@ -22,7 +22,8 @@ type turnstileVerifier struct {

 func NewTurnstileVerifier() service.TurnstileVerifier {
 	sharedClient, err := httpclient.GetClient(httpclient.Options{
-		Timeout: 10 * time.Second,
+		Timeout:            10 * time.Second,
+		ValidateResolvedIP: true,
 	})
 	if err != nil {
 		sharedClient = &http.Client{Timeout: 10 * time.Second}