oadmin/sub2api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: address audit findings for notify, websearch and security

Browse Source 
- Fix GetByKeyForAuth missing user.FieldEmail and user.FieldUsername (notifications sent to empty address)
- Guard against empty email in collectBalanceNotifyRecipients
- Remove non-atomic TotalRecharged read-modify-write in admin balance adjustment
- HTML-escape userName/siteName/accountName in notification email templates
- Fix timer leak in ProfileBalanceNotifyCard (add onUnmounted cleanup)
- Add warning log on websearch proxy URL resolution failure
This commit is contained in:
erio
2026-04-12 18:11:47 +08:00
parent eba289a7ff
commit 4e96a6faec
5 changed files with 15 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
backend/internal/service/balance_notify_service.go
View File

@@ -4,6 +4,7 @@ import (
"context"
"encoding/json"
"fmt"
"html"
"log/slog"
"strconv"
"strings"
@@ -195,7 +196,10 @@ func (s *BalanceNotifyService) getSiteName(ctx context.Context) string {
// collectBalanceNotifyRecipients collects all email recipients for balance notifications.
func (s *BalanceNotifyService) collectBalanceNotifyRecipients(user *User) []string {
recipients := []string{user.Email}
var recipients []string
if user.Email != "" {
recipients = append(recipients, user.Email)
}
for _, extra := range user.BalanceNotifyExtraEmails {
email := strings.TrimSpace(extra)
if email != "" && !strings.EqualFold(email, user.Email) {
@@ -224,7 +228,7 @@ func (s *BalanceNotifyService) sendBalanceLowEmails(recipients []string, userNam
displayName = userEmail
}
subject := fmt.Sprintf("[%s] 余额不足提醒 / Balance Low Alert", siteName)
body := s.buildBalanceLowEmailBody(displayName, balance, threshold, siteName)
body := s.buildBalanceLowEmailBody(html.EscapeString(displayName), balance, threshold, html.EscapeString(siteName))
s.sendEmails(recipients, subject, body, "user_email", userEmail, "balance", balance)
}
@@ -236,7 +240,7 @@ func (s *BalanceNotifyService) sendQuotaAlertEmails(adminEmails []string, accoun
}
subject := fmt.Sprintf("[%s] 账号限额告警 / Account Quota Alert - %s", siteName, accountName)
body := s.buildQuotaAlertEmailBody(accountName, dimLabel, used, limit, threshold, siteName)
body := s.buildQuotaAlertEmailBody(html.EscapeString(accountName), html.EscapeString(dimLabel), used, limit, threshold, html.EscapeString(siteName))
s.sendEmails(adminEmails, subject, body, "account", accountName, "dimension", dimension)
}