fix(Sora): 加固直连安全与下载限制

补充图片输入 SSRF 防护与重定向限制\n增加媒体下载超时/大小上限配置并更新示例\n完善 recent_tasks 轮询回退策略与相关测试\n\n测试: go test ./... -tags=unit
2026-02-01 22:10:15 +08:00
parent dcf5f60237
commit 99250ec527
8 changed files with 301 additions and 13 deletions
--- a/backend/internal/service/sora_client.go
+++ b/backend/internal/service/sora_client.go
@@ -359,18 +359,43 @@ func (c *SoraDirectClient) CreateVideoTask(ctx context.Context, account *Account
 }

 func (c *SoraDirectClient) GetImageTask(ctx context.Context, account *Account, taskID string) (*SoraImageTaskStatus, error) {
-	token, err := c.getAccessToken(ctx, account)
+	status, found, err := c.fetchRecentImageTask(ctx, account, taskID, c.recentTaskLimit())
 	if err != nil {
 		return nil, err
 	}
-	headers := c.buildBaseHeaders(token, c.defaultUserAgent())
-	respBody, _, err := c.doRequest(ctx, account, http.MethodGet, c.buildURL("/v2/recent_tasks?limit=20"), headers, nil, false)
+	if found {
+		return status, nil
+	}
+	maxLimit := c.recentTaskLimitMax()
+	if maxLimit > 0 && maxLimit != c.recentTaskLimit() {
+		status, found, err = c.fetchRecentImageTask(ctx, account, taskID, maxLimit)
+		if err != nil {
+			return nil, err
+		}
+		if found {
+			return status, nil
+		}
+	}
+	return &SoraImageTaskStatus{ID: taskID, Status: "processing"}, nil
+}
+
+func (c *SoraDirectClient) fetchRecentImageTask(ctx context.Context, account *Account, taskID string, limit int) (*SoraImageTaskStatus, bool, error) {
+	token, err := c.getAccessToken(ctx, account)
 	if err != nil {
-		return nil, err
+		return nil, false, err
+	}
+	headers := c.buildBaseHeaders(token, c.defaultUserAgent())
+	if limit <= 0 {
+		limit = 20
+	}
+	endpoint := fmt.Sprintf("/v2/recent_tasks?limit=%d", limit)
+	respBody, _, err := c.doRequest(ctx, account, http.MethodGet, c.buildURL(endpoint), headers, nil, false)
+	if err != nil {
+		return nil, false, err
 	}
 	var resp map[string]any
 	if err := json.Unmarshal(respBody, &resp); err != nil {
-		return nil, err
+		return nil, false, err
 	}
 	taskResponses, _ := resp["task_responses"].([]any)
 	for _, item := range taskResponses {
@@ -401,10 +426,30 @@ func (c *SoraDirectClient) GetImageTask(ctx context.Context, account *Account, t
 				Status:      status,
 				ProgressPct: progress,
 				URLs:        urls,
-			}, nil
+			}, true, nil
 		}
 	}
-	return &SoraImageTaskStatus{ID: taskID, Status: "processing"}, nil
+	return &SoraImageTaskStatus{ID: taskID, Status: "processing"}, false, nil
+}
+
+func (c *SoraDirectClient) recentTaskLimit() int {
+	if c == nil || c.cfg == nil {
+		return 20
+	}
+	if c.cfg.Sora.Client.RecentTaskLimit > 0 {
+		return c.cfg.Sora.Client.RecentTaskLimit
+	}
+	return 20
+}
+
+func (c *SoraDirectClient) recentTaskLimitMax() int {
+	if c == nil || c.cfg == nil {
+		return 0
+	}
+	if c.cfg.Sora.Client.RecentTaskLimitMax > 0 {
+		return c.cfg.Sora.Client.RecentTaskLimitMax
+	}
+	return 0
 }

 func (c *SoraDirectClient) GetVideoTask(ctx context.Context, account *Account, taskID string) (*SoraVideoTaskStatus, error) {