9634494ba9
P0: OpenAI SSE 错误消息 JSON 注入 — 使用 json.Marshal 替代 fmt.Sprintf P1: subscription 续期包裹 Ent 事务确保原子性 P1: CSP nonce 生成处理 crypto/rand 错误,失败降级为 unsafe-inline P1: singleflight 透传数据库真实错误,不再吞没为 not found P1: GetUserSubscriptionsWithProgress 提取 calculateProgress 消除 N+1 P2: billing_cache/gateway_helper 迁移到 math/rand/v2 消除全局锁争用 P2: generateRandomID 降级分支增加原子计数器防碰撞 P2: CORS 非白名单 origin 不再设置 Allow-Headers/Methods/Max-Age P2: Turnstile 验证移除 VerifyCode 空值跳过条件防绕过 P2: Redis Cluster Lua 脚本空 KEYS 添加兼容性警告注释 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
127 lines
4.0 KiB
Go
127 lines
4.0 KiB
Go
package middleware
|
|
|
|
import (
|
|
"crypto/rand"
|
|
"encoding/base64"
|
|
"fmt"
|
|
"log"
|
|
"strings"
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/config"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
const (
|
|
// CSPNonceKey is the context key for storing the CSP nonce
|
|
CSPNonceKey = "csp_nonce"
|
|
// NonceTemplate is the placeholder in CSP policy for nonce
|
|
NonceTemplate = "__CSP_NONCE__"
|
|
// CloudflareInsightsDomain is the domain for Cloudflare Web Analytics
|
|
CloudflareInsightsDomain = "https://static.cloudflareinsights.com"
|
|
)
|
|
|
|
// GenerateNonce generates a cryptographically secure random nonce.
|
|
// 返回 error 以确保调用方在 crypto/rand 失败时能正确降级。
|
|
func GenerateNonce() (string, error) {
|
|
b := make([]byte, 16)
|
|
if _, err := rand.Read(b); err != nil {
|
|
return "", fmt.Errorf("generate CSP nonce: %w", err)
|
|
}
|
|
return base64.StdEncoding.EncodeToString(b), nil
|
|
}
|
|
|
|
// GetNonceFromContext retrieves the CSP nonce from gin context
|
|
func GetNonceFromContext(c *gin.Context) string {
|
|
if nonce, exists := c.Get(CSPNonceKey); exists {
|
|
if s, ok := nonce.(string); ok {
|
|
return s
|
|
}
|
|
}
|
|
return ""
|
|
}
|
|
|
|
// SecurityHeaders sets baseline security headers for all responses.
|
|
func SecurityHeaders(cfg config.CSPConfig) gin.HandlerFunc {
|
|
policy := strings.TrimSpace(cfg.Policy)
|
|
if policy == "" {
|
|
policy = config.DefaultCSPPolicy
|
|
}
|
|
|
|
// Enhance policy with required directives (nonce placeholder and Cloudflare Insights)
|
|
policy = enhanceCSPPolicy(policy)
|
|
|
|
return func(c *gin.Context) {
|
|
c.Header("X-Content-Type-Options", "nosniff")
|
|
c.Header("X-Frame-Options", "DENY")
|
|
c.Header("Referrer-Policy", "strict-origin-when-cross-origin")
|
|
|
|
if cfg.Enabled {
|
|
// Generate nonce for this request
|
|
nonce, err := GenerateNonce()
|
|
if err != nil {
|
|
// crypto/rand 失败时降级为无 nonce 的 CSP 策略
|
|
log.Printf("[SecurityHeaders] %v — 降级为无 nonce 的 CSP", err)
|
|
finalPolicy := strings.ReplaceAll(policy, NonceTemplate, "'unsafe-inline'")
|
|
c.Header("Content-Security-Policy", finalPolicy)
|
|
} else {
|
|
c.Set(CSPNonceKey, nonce)
|
|
finalPolicy := strings.ReplaceAll(policy, NonceTemplate, "'nonce-"+nonce+"'")
|
|
c.Header("Content-Security-Policy", finalPolicy)
|
|
}
|
|
}
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// enhanceCSPPolicy ensures the CSP policy includes nonce support and Cloudflare Insights domain.
|
|
// This allows the application to work correctly even if the config file has an older CSP policy.
|
|
func enhanceCSPPolicy(policy string) string {
|
|
// Add nonce placeholder to script-src if not present
|
|
if !strings.Contains(policy, NonceTemplate) && !strings.Contains(policy, "'nonce-") {
|
|
policy = addToDirective(policy, "script-src", NonceTemplate)
|
|
}
|
|
|
|
// Add Cloudflare Insights domain to script-src if not present
|
|
if !strings.Contains(policy, CloudflareInsightsDomain) {
|
|
policy = addToDirective(policy, "script-src", CloudflareInsightsDomain)
|
|
}
|
|
|
|
return policy
|
|
}
|
|
|
|
// addToDirective adds a value to a specific CSP directive.
|
|
// If the directive doesn't exist, it will be added after default-src.
|
|
func addToDirective(policy, directive, value string) string {
|
|
// Find the directive in the policy
|
|
directivePrefix := directive + " "
|
|
idx := strings.Index(policy, directivePrefix)
|
|
|
|
if idx == -1 {
|
|
// Directive not found, add it after default-src or at the beginning
|
|
defaultSrcIdx := strings.Index(policy, "default-src ")
|
|
if defaultSrcIdx != -1 {
|
|
// Find the end of default-src directive (next semicolon)
|
|
endIdx := strings.Index(policy[defaultSrcIdx:], ";")
|
|
if endIdx != -1 {
|
|
insertPos := defaultSrcIdx + endIdx + 1
|
|
// Insert new directive after default-src
|
|
return policy[:insertPos] + " " + directive + " 'self' " + value + ";" + policy[insertPos:]
|
|
}
|
|
}
|
|
// Fallback: prepend the directive
|
|
return directive + " 'self' " + value + "; " + policy
|
|
}
|
|
|
|
// Find the end of this directive (next semicolon or end of string)
|
|
endIdx := strings.Index(policy[idx:], ";")
|
|
|
|
if endIdx == -1 {
|
|
// No semicolon found, directive goes to end of string
|
|
return policy + " " + value
|
|
}
|
|
|
|
// Insert value before the semicolon
|
|
insertPos := idx + endIdx
|
|
return policy[:insertPos] + " " + value + policy[insertPos:]
|
|
}
|