fix(security): 修复 P0 安全漏洞 (Session越权+CORS白名单+用户名枚举)

2026-05-21 16:12:54 +08:00
parent 702d4ee1fe
commit 380cc24913
7 changed files with 161 additions and 15 deletions
@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"os"
+	"strings"
 	"time"

 	"github.com/golang-jwt/jwt/v5"
@@ -69,6 +70,9 @@ type Config struct {
 	// Internal Service Token (内部服务间认证)
 	InternalServiceToken string

+	// CORS 允许的 Origin 白名单
+	AllowedOrigins []string
+
 	// 每日简报时间 (HH:MM 格式)
 	BriefingTime string
 }
@@ -114,12 +118,14 @@ func Load() *Config {
 		LLMAPIKey: getEnv("LLM_API_KEY", ""),
 		LLMModel:  getEnv("LLM_MODEL", "gpt-4o"),

-		WSMaxConnections:     getEnvInt("WS_MAX_CONNECTIONS", 1000),
+		WSMaxConnections:      getEnvInt("WS_MAX_CONNECTIONS", 1000),
 		SessionIdleTimeoutMin: getEnvInt("SESSION_IDLE_TIMEOUT_MIN", 30),

 		WebhookAPIKey:        getEnv("WEBHOOK_API_KEY", ""),
 		InternalServiceToken: getEnv("INTERNAL_SERVICE_TOKEN", "cyrene-internal-token-change-me"),

+		AllowedOrigins: parseAllowedOrigins(getEnv("ALLOWED_ORIGINS", "http://localhost:5173,http://localhost:5199,http://localhost:3000")),
+
 		BriefingTime: getEnv("BRIEFING_TIME", "08:00"),
 	}
 }
@@ -195,3 +201,19 @@ func getEnvBool(key string, fallback bool) bool {
 	}
 	return v == "true" || v == "1" || v == "yes"
 }
+
+// parseAllowedOrigins 解析逗号分隔的 origins 字符串为切片
+func parseAllowedOrigins(s string) []string {
+	if s == "" {
+		return []string{}
+	}
+	parts := strings.Split(s, ",")
+	result := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			result = append(result, p)
+		}
+	}
+	return result
+}