2588fa6a8f
基于 backend-code-audit 审计报告,修复剩余 P0/P1/P2 共 34 项问题: P0 生产 Bug: - 修复 time.Since(time.Now()) 计时逻辑错误 (P0-03) - generateRandomID 改用 crypto/rand 替代固定索引 (P0-04) - IncrementQuotaUsed 重写为 Ent 原子操作消除 TOCTOU 竞态 (P0-05) 安全加固: - gateway/openai handler 错误响应替换为泛化消息,防止内部信息泄露 (P1-14) - usage_log_repo dateFormat 参数改用白名单映射,防止 SQL 注入 (P1-16) - 默认配置安全加固:sslmode=prefer、response_headers=true、mode=release (P1-18/19, P2-15) 性能优化: - gateway handler 循环内 defer 替换为显式 releaseWait 闭包 (P1-02) - group_repo/promo_code_repo Count 前 Clone 查询避免状态污染 (P1-03) - usage_log_repo 四个查询添加 LIMIT 10000 防止 OOM (P1-07) - GetBatchUsageStats 添加时间范围参数,默认最近 30 天 (P1-10) - ip.go CIDR 预编译为包级变量 (P1-11) - BatchUpdateCredentials 重构为先验证后更新 (P1-13) 缓存一致性: - billing_cache 添加 jitteredTTL 防止缓存雪崩 (P2-10) - DeductUserBalance/UpdateSubscriptionUsage 错误传播修复 (P2-12) - UserService.UpdateBalance 成功后异步失效 billingCache (P2-13) 代码质量: - search 截断改为按 rune 处理,支持多字节字符 (P2-01) - TLS Handshake 改为 HandshakeContext 支持 context 取消 (P2-07) - CORS 预检添加 Access-Control-Max-Age: 86400 (P2-16) 测试覆盖: - 新增 user_service_test.go(UpdateBalance 缓存失效 6 个用例) - 新增 batch_update_credentials_test.go(fail-fast + 类型验证 7 个用例) - 新增 response_transformer_test.go、ip_test.go、usage_log_repo_unit_test.go、search_truncate_test.go - 集成测试:IncrementQuotaUsed 并发测试、billing_cache 错误传播测试 - config_test.go 补充 server.mode/sslmode 默认值断言 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
42 lines
946 B
Go
42 lines
946 B
Go
//go:build unit
|
|
|
|
package repository
|
|
|
|
import (
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/require"
|
|
)
|
|
|
|
func TestSafeDateFormat(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
granularity string
|
|
expected string
|
|
}{
|
|
// 合法值
|
|
{"hour", "hour", "YYYY-MM-DD HH24:00"},
|
|
{"day", "day", "YYYY-MM-DD"},
|
|
{"week", "week", "IYYY-IW"},
|
|
{"month", "month", "YYYY-MM"},
|
|
|
|
// 非法值回退到默认
|
|
{"空字符串", "", "YYYY-MM-DD"},
|
|
{"未知粒度 year", "year", "YYYY-MM-DD"},
|
|
{"未知粒度 minute", "minute", "YYYY-MM-DD"},
|
|
|
|
// 恶意字符串
|
|
{"SQL 注入尝试", "'; DROP TABLE users; --", "YYYY-MM-DD"},
|
|
{"带引号", "day'", "YYYY-MM-DD"},
|
|
{"带括号", "day)", "YYYY-MM-DD"},
|
|
{"Unicode", "日", "YYYY-MM-DD"},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
got := safeDateFormat(tc.granularity)
|
|
require.Equal(t, tc.expected, got, "safeDateFormat(%q)", tc.granularity)
|
|
})
|
|
}
|
|
}
|