fix: round 10 critical fixes - WebSocket race, rate limiting, XSS protection, Caddyfile, and input validation

2026-05-20 17:59:22 +08:00
parent a5b5713b29
commit 20cdcc748e
10 changed files with 336 additions and 25 deletions
@@ -1,6 +1,7 @@
package handler
import (
"html"
"log"
"net/http"
"os"
@@ -77,8 +78,8 @@ func (h *KnowledgeHandler) CreateKB(c *gin.Context) {
kb := &store.KnowledgeBase{
ID: store.GenerateUUID(),
UserID: userID,
Name: req.Name,
Description: req.Description,
Name: html.EscapeString(req.Name),
Description: html.EscapeString(req.Description),
}
if err := h.store.CreateKB(kb); err != nil {
@@ -175,7 +176,7 @@ func (h *KnowledgeHandler) UpdateKB(c *gin.Context) {
return
}
if err := h.store.UpdateKB(kbID, req.Name, req.Description); err != nil {
if err := h.store.UpdateKB(kbID, html.EscapeString(req.Name), html.EscapeString(req.Description)); err != nil {
log.Printf("[KnowledgeHandler] 更新知识库失败: %v", err)
c.JSON(http.StatusInternalServerError, gin.H{"error": "更新知识库失败", "errorType": "db_error"})
return
@@ -315,8 +316,8 @@ func (h *KnowledgeHandler) AddDocument(c *gin.Context) {
ID: store.GenerateUUID(),
KBID: kbID,
UserID: userID,
Title: req.Title,
SourceType: req.SourceType,
Title: html.EscapeString(req.Title),
SourceType: html.EscapeString(req.SourceType),
SourceRef: sourceRef,
ContentType: contentType,
RawContent: content,
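Review bot: `html.EscapeString` on `Title` and `SourceType` at L39-L40 (and on `Name`/`Description` in the CreateKB and UpdateKB hunks above) applies output encoding at the storage layer, which is the wrong place for XSS protection: the persisted value is altered (a title containing `&` or `"` is stored as `&amp;`/`&#34;`), any client that already escapes on render will double-escape it, and a consumer that places the value into a JavaScript, URL or attribute context is still unprotected because `html.EscapeString` only covers HTML text context. The conventional fix is to store the raw string and encode at the point of rendering, leaving the handler responsible for validation only (length limits, allowed characters). `SourceType` in particular looks like a small fixed set of values rather than free text, so it should be checked against an allowlist and rejected with a 400 instead of escaped, e.g. `if !allowedSourceTypes[req.SourceType] { c.JSON(http.StatusBadRequest, gin.H{"error": "invalid sourceType", "errorType": "validation_error"}); return }` — the set of valid types is not visible here, so confirm it against the store. AddDocument's body starts and ends outside this hunk.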