fix(config): 禁止 server.frontend_url 携带 query/userinfo

2026-02-07 17:37:08 +08:00
parent e75d3e3584
commit a84604dceb
2 changed files with 25 additions and 0 deletions
--- a/backend/internal/config/config_test.go
+++ b/backend/internal/config/config_test.go
@@ -437,6 +437,21 @@ func TestValidateServerFrontendURL(t *testing.T) {
 		t.Fatalf("Validate() frontend_url valid error: %v", err)
 	}

+	cfg.Server.FrontendURL = "https://example.com/path"
+	if err := cfg.Validate(); err != nil {
+		t.Fatalf("Validate() frontend_url with path valid error: %v", err)
+	}
+
+	cfg.Server.FrontendURL = "https://example.com?utm=1"
+	if err := cfg.Validate(); err == nil {
+		t.Fatalf("Validate() should reject server.frontend_url with query")
+	}
+
+	cfg.Server.FrontendURL = "https://user:pass@example.com"
+	if err := cfg.Validate(); err == nil {
+		t.Fatalf("Validate() should reject server.frontend_url with userinfo")
+	}
+
 	cfg.Server.FrontendURL = "/relative"
 	if err := cfg.Validate(); err == nil {
 		t.Fatalf("Validate() should reject relative server.frontend_url")