feat(安全): 强化安全策略与配置校验

- 增加 CORS/CSP/安全响应头与代理信任配置 - 引入 URL 白名单与私网开关，校验上游与价格源 - 改善 API Key 处理与网关错误返回 - 管理端设置隐藏敏感字段并优化前端提示 - 增加计费熔断与相关配置示例测试: go test ./...
2026-01-02 17:40:57 +08:00
parent 3fd9bd4a80
commit bd4bf00856
46 changed files with 1572 additions and 220 deletions
--- a/backend/internal/service/pricing_service.go
+++ b/backend/internal/service/pricing_service.go
@@ -16,6 +16,7 @@ import (

 	"github.com/Wei-Shaw/sub2api/internal/config"
 	"github.com/Wei-Shaw/sub2api/internal/pkg/openai"
+	"github.com/Wei-Shaw/sub2api/internal/util/urlvalidator"
 )

 var (
@@ -211,16 +212,35 @@ func (s *PricingService) syncWithRemote() error {

 // downloadPricingData 从远程下载价格数据
 func (s *PricingService) downloadPricingData() error {
-	log.Printf("[Pricing] Downloading from %s", s.cfg.Pricing.RemoteURL)
+	remoteURL, err := s.validatePricingURL(s.cfg.Pricing.RemoteURL)
+	if err != nil {
+		return err
+	}
+	log.Printf("[Pricing] Downloading from %s", remoteURL)

 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()

-	body, err := s.remoteClient.FetchPricingJSON(ctx, s.cfg.Pricing.RemoteURL)
+	var expectedHash string
+	if strings.TrimSpace(s.cfg.Pricing.HashURL) != "" {
+		expectedHash, err = s.fetchRemoteHash()
+		if err != nil {
+			return fmt.Errorf("fetch remote hash: %w", err)
+		}
+	}
+
+	body, err := s.remoteClient.FetchPricingJSON(ctx, remoteURL)
 	if err != nil {
 		return fmt.Errorf("download failed: %w", err)
 	}

+	if expectedHash != "" {
+		actualHash := sha256.Sum256(body)
+		if !strings.EqualFold(expectedHash, hex.EncodeToString(actualHash[:])) {
+			return fmt.Errorf("pricing hash mismatch")
+		}
+	}
+
 	// 解析JSON数据（使用灵活的解析方式）
 	data, err := s.parsePricingData(body)
 	if err != nil {
@@ -373,10 +393,31 @@ func (s *PricingService) useFallbackPricing() error {

 // fetchRemoteHash 从远程获取哈希值
 func (s *PricingService) fetchRemoteHash() (string, error) {
+	hashURL, err := s.validatePricingURL(s.cfg.Pricing.HashURL)
+	if err != nil {
+		return "", err
+	}
+
 	ctx, cancel := context.WithTimeout(context.Background(), 10*time.Second)
 	defer cancel()

-	return s.remoteClient.FetchHashText(ctx, s.cfg.Pricing.HashURL)
+	hash, err := s.remoteClient.FetchHashText(ctx, hashURL)
+	if err != nil {
+		return "", err
+	}
+	return strings.TrimSpace(hash), nil
+}
+
+func (s *PricingService) validatePricingURL(raw string) (string, error) {
+	normalized, err := urlvalidator.ValidateHTTPSURL(raw, urlvalidator.ValidationOptions{
+		AllowedHosts:     s.cfg.Security.URLAllowlist.PricingHosts,
+		RequireAllowlist: true,
+		AllowPrivate:     s.cfg.Security.URLAllowlist.AllowPrivateHosts,
+	})
+	if err != nil {
+		return "", fmt.Errorf("invalid pricing url: %w", err)
+	}
+	return normalized, nil
 }

 // computeFileHash 计算文件哈希