fix(config): 禁止 server.frontend_url 携带 query/userinfo

2026-02-07 17:37:08 +08:00
parent e75d3e3584
commit a84604dceb
2 changed files with 25 additions and 0 deletions
--- a/backend/internal/config/config.go
+++ b/backend/internal/config/config.go
@@ -957,6 +957,16 @@ func (c *Config) Validate() error {
 		if err := ValidateAbsoluteHTTPURL(c.Server.FrontendURL); err != nil {
 			return fmt.Errorf("server.frontend_url invalid: %w", err)
 		}
+		u, err := url.Parse(strings.TrimSpace(c.Server.FrontendURL))
+		if err != nil {
+			return fmt.Errorf("server.frontend_url invalid: %w", err)
+		}
+		if u.RawQuery != "" || u.ForceQuery {
+			return fmt.Errorf("server.frontend_url invalid: must not include query")
+		}
+		if u.User != nil {
+			return fmt.Errorf("server.frontend_url invalid: must not include userinfo")
+		}
 		warnIfInsecureURL("server.frontend_url", c.Server.FrontendURL)
 	}
 	if c.JWT.ExpireHour <= 0 {