fix(安全): 修复依赖漏洞并强化安全扫描

主要改动： - 固定 Go 1.25.5 与 CI 校验并更新扫描流程 - 升级 quic-go、x/crypto、req 等依赖并通过 govulncheck - 强化 JWT 校验、TLS 配置与 xlsx 动态加载 - 新增审计豁免清单与校验脚本
2026-01-06 11:36:38 +08:00
parent d936eb6518
commit 3f0017d1f1
22 changed files with 1127 additions and 87 deletions
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -147,7 +147,7 @@ type CSPConfig struct {
 }

 type ProxyProbeConfig struct {
-	InsecureSkipVerify bool `mapstructure:"insecure_skip_verify"`
+	InsecureSkipVerify bool `mapstructure:"insecure_skip_verify"` // 已禁用：禁止跳过 TLS 证书验证
 }

 type BillingConfig struct {
--- a/backend/internal/pkg/httpclient/pool.go
+++ b/backend/internal/pkg/httpclient/pool.go
@@ -16,7 +16,6 @@
 package httpclient

 import (
-	"crypto/tls"
 	"fmt"
 	"net/http"
 	"net/url"
@@ -40,7 +39,7 @@ type Options struct {
 	ProxyURL              string        // 代理 URL（支持 http/https/socks5/socks5h）
 	Timeout               time.Duration // 请求总超时时间
 	ResponseHeaderTimeout time.Duration // 等待响应头超时时间
-	InsecureSkipVerify    bool          // 是否跳过 TLS 证书验证
+	InsecureSkipVerify    bool          // 是否跳过 TLS 证书验证（已禁用，不允许设置为 true）
 	ProxyStrict           bool          // 严格代理模式：代理失败时返回错误而非回退
 	ValidateResolvedIP    bool          // 是否校验解析后的 IP（防止 DNS Rebinding）
 	AllowPrivateHosts     bool          // 允许私有地址解析（与 ValidateResolvedIP 一起使用）
@@ -113,7 +112,8 @@ func buildTransport(opts Options) (*http.Transport, error) {
 	}

 	if opts.InsecureSkipVerify {
-		transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: true}
+		// 安全要求：禁止跳过证书验证，避免中间人攻击。
+		return nil, fmt.Errorf("insecure_skip_verify is not allowed; install a trusted certificate instead")
 	}

 	proxyURL := strings.TrimSpace(opts.ProxyURL)
--- a/backend/internal/repository/proxy_probe_service.go
+++ b/backend/internal/repository/proxy_probe_service.go
@@ -24,7 +24,7 @@ func NewProxyExitInfoProber(cfg *config.Config) service.ProxyExitInfoProber {
 		validateResolvedIP = cfg.Security.URLAllowlist.Enabled
 	}
 	if insecure {
-		log.Printf("[ProxyProbe] Warning: TLS verification is disabled for proxy probing.")
+		log.Printf("[ProxyProbe] Warning: insecure_skip_verify is not allowed and will cause probe failure.")
 	}
 	return &proxyProbeService{
 		ipInfoURL:          defaultIPInfoURL,
--- a/backend/internal/service/auth_service.go
+++ b/backend/internal/service/auth_service.go
@@ -20,12 +20,16 @@ var (
 	ErrEmailExists         = infraerrors.Conflict("EMAIL_EXISTS", "email already exists")
 	ErrInvalidToken        = infraerrors.Unauthorized("INVALID_TOKEN", "invalid token")
 	ErrTokenExpired        = infraerrors.Unauthorized("TOKEN_EXPIRED", "token has expired")
+	ErrTokenTooLarge       = infraerrors.BadRequest("TOKEN_TOO_LARGE", "token too large")
 	ErrTokenRevoked        = infraerrors.Unauthorized("TOKEN_REVOKED", "token has been revoked")
 	ErrEmailVerifyRequired = infraerrors.BadRequest("EMAIL_VERIFY_REQUIRED", "email verification is required")
 	ErrRegDisabled         = infraerrors.Forbidden("REGISTRATION_DISABLED", "registration is currently disabled")
 	ErrServiceUnavailable  = infraerrors.ServiceUnavailable("SERVICE_UNAVAILABLE", "service temporarily unavailable")
 )

+// maxTokenLength 限制 token 大小，避免超长 header 触发解析时的异常内存分配。
+const maxTokenLength = 8192
+
 // JWTClaims JWT载荷数据
 type JWTClaims struct {
 	UserID       int64  `json:"user_id"`
@@ -309,7 +313,20 @@ func (s *AuthService) Login(ctx context.Context, email, password string) (string

 // ValidateToken 验证JWT token并返回用户声明
 func (s *AuthService) ValidateToken(tokenString string) (*JWTClaims, error) {
-	token, err := jwt.ParseWithClaims(tokenString, &JWTClaims{}, func(token *jwt.Token) (any, error) {
+	// 先做长度校验，尽早拒绝异常超长 token，降低 DoS 风险。
+	if len(tokenString) > maxTokenLength {
+		return nil, ErrTokenTooLarge
+	}
+
+	// 使用解析器并限制可接受的签名算法，防止算法混淆。
+	parser := jwt.NewParser(jwt.WithValidMethods([]string{
+		jwt.SigningMethodHS256.Name,
+		jwt.SigningMethodHS384.Name,
+		jwt.SigningMethodHS512.Name,
+	}))
+
+	// 保留默认 claims 校验（exp/nbf），避免放行过期或未生效的 token。
+	token, err := parser.ParseWithClaims(tokenString, &JWTClaims{}, func(token *jwt.Token) (any, error) {
 		// 验证签名方法
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method: %v", token.Header["alg"])
--- a/backend/internal/service/email_service.go
+++ b/backend/internal/service/email_service.go
@@ -140,6 +140,8 @@ func (s *EmailService) SendEmailWithConfig(config *SMTPConfig, to, subject, body
 func (s *EmailService) sendMailTLS(addr string, auth smtp.Auth, from, to string, msg []byte, host string) error {
 	tlsConfig := &tls.Config{
 		ServerName: host,
+		// 强制 TLS 1.2+，避免协议降级导致的弱加密风险。
+		MinVersion: tls.VersionTLS12,
 	}

 	conn, err := tls.Dial("tcp", addr, tlsConfig)
@@ -311,7 +313,11 @@ func (s *EmailService) TestSMTPConnectionWithConfig(config *SMTPConfig) error {
 	addr := fmt.Sprintf("%s:%d", config.Host, config.Port)

 	if config.UseTLS {
-		tlsConfig := &tls.Config{ServerName: config.Host}
+		tlsConfig := &tls.Config{
+			ServerName: config.Host,
+			// 与发送逻辑一致，显式要求 TLS 1.2+。
+			MinVersion: tls.VersionTLS12,
+		}
 		conn, err := tls.Dial("tcp", addr, tlsConfig)
 		if err != nil {
 			return fmt.Errorf("tls connection failed: %w", err)