fix(openai): 拒绝日志记录原始 User-Agent 便于攻击研判

This commit is contained in:
yangjianbo
2026-02-14 09:59:19 +08:00
parent 4bfa69bffa
commit ed31c54961
2 changed files with 3 additions and 19 deletions


@@ -332,7 +332,7 @@ func appendCodexCLIOnlyRejectedRequestFields(fields []zap.Field, c *gin.Context,
zap.String("request_host", strings.TrimSpace(req.Host)), zap.String("request_host", strings.TrimSpace(req.Host)),
zap.String("request_client_ip", strings.TrimSpace(c.ClientIP())), zap.String("request_client_ip", strings.TrimSpace(c.ClientIP())),
zap.String("request_remote_addr", strings.TrimSpace(req.RemoteAddr)), zap.String("request_remote_addr", strings.TrimSpace(req.RemoteAddr)),
zap.String("request_user_agent", buildDetailedUserAgent(req.Header.Values("User-Agent"))), zap.String("request_user_agent", strings.TrimSpace(req.Header.Get("User-Agent"))),
zap.String("request_content_type", strings.TrimSpace(req.Header.Get("Content-Type"))), zap.String("request_content_type", strings.TrimSpace(req.Header.Get("Content-Type"))),
zap.Int64("request_content_length", req.ContentLength), zap.Int64("request_content_length", req.ContentLength),
zap.Bool("request_stream", requestStream), zap.Bool("request_stream", requestStream),
@@ -351,21 +351,6 @@ func appendCodexCLIOnlyRejectedRequestFields(fields []zap.Field, c *gin.Context,
return fields return fields
} }
func buildDetailedUserAgent(values []string) string {
if len(values) == 0 {
return ""
}
result := make([]string, 0, len(values))
for _, value := range values {
v := strings.TrimSpace(value)
if v == "" {
continue
}
result = append(result, v)
}
return strings.Join(result, " | ")
}
func snapshotCodexCLIOnlyHeaders(header http.Header) map[string]string { func snapshotCodexCLIOnlyHeaders(header http.Header) map[string]string {
if len(header) == 0 { if len(header) == 0 {
return nil return nil
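Review bot: The new `request_user_agent` field on the changed line of the first hunk uses `req.Header.Get("User-Agent")`, which returns only the first value, so a request that sends the header more than once (the case the removed test covered) is logged as if it had one well-formed User-Agent, and the field is trimmed rather than raw despite the commit title. For the stated purpose of attack triage that is a loss of signal, since duplicated or oddly formatted headers are themselves a useful indicator. A cheap way to keep that signal without reviving the removed helper is one extra field, `zap.Int("request_user_agent_count", len(req.Header.Values("User-Agent")))`, logged alongside the existing one. Because the value is attacker-controlled, it is also worth confirming the configured zap encoder escapes control characters and capping the logged length, as the rest of appendCodexCLIOnlyRejectedRequestFields already applies TrimSpace but no length bound; that function starts before this hunk.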


@@ -131,8 +131,7 @@ func TestLogCodexCLIOnlyDetection_RejectedIncludesRequestDetails(t *testing.T) {
rec := httptest.NewRecorder() rec := httptest.NewRecorder()
c, _ := gin.CreateTestContext(rec) c, _ := gin.CreateTestContext(rec)
c.Request = httptest.NewRequest(http.MethodPost, "/v1/responses?trace=1", bytes.NewReader(nil)) c.Request = httptest.NewRequest(http.MethodPost, "/v1/responses?trace=1", bytes.NewReader(nil))
c.Request.Header.Add("User-Agent", "curl/8.0") c.Request.Header.Set("User-Agent", "codex_cli_rs/0.98.0 (Windows 10.0.19045; x86_64) unknown")
c.Request.Header.Add("User-Agent", "Codex/1.2.3 (cli)")
c.Request.Header.Set("Content-Type", "application/json") c.Request.Header.Set("Content-Type", "application/json")
c.Request.Header.Set("OpenAI-Beta", "assistants=v2") c.Request.Header.Set("OpenAI-Beta", "assistants=v2")
@@ -144,7 +143,7 @@ func TestLogCodexCLIOnlyDetection_RejectedIncludesRequestDetails(t *testing.T) {
Reason: CodexClientRestrictionReasonNotMatchedUA, Reason: CodexClientRestrictionReasonNotMatchedUA,
}, body) }, body)
require.True(t, logSink.ContainsFieldValue("request_user_agent", "curl/8.0 | Codex/1.2.3 (cli)")) require.True(t, logSink.ContainsFieldValue("request_user_agent", "codex_cli_rs/0.98.0 (Windows 10.0.19045; x86_64) unknown"))
require.True(t, logSink.ContainsFieldValue("request_model", "gpt-5.2")) require.True(t, logSink.ContainsFieldValue("request_model", "gpt-5.2"))
require.True(t, logSink.ContainsFieldValue("request_query", "trace=1")) require.True(t, logSink.ContainsFieldValue("request_query", "trace=1"))
require.True(t, logSink.ContainsFieldValue("request_prompt_cache_key_sha256", hashSensitiveValueForLog("pc-123"))) require.True(t, logSink.ContainsFieldValue("request_prompt_cache_key_sha256", hashSensitiveValueForLog("pc-123")))