fix(security): 修复 P0 安全漏洞 (Session越权+CORS白名单+用户名枚举)

2026-05-21 16:12:54 +08:00
parent 702d4ee1fe
commit 380cc24913
7 changed files with 161 additions and 15 deletions
@@ -6,17 +6,30 @@ import (
 	"github.com/gin-gonic/gin"
 )

-// CORS 跨域中间件 (含安全头)
-func CORS() gin.HandlerFunc {
+// CORS 跨域中间件 (含安全头) — 白名单模式
+func CORS(allowedOrigins []string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		origin := c.Request.Header.Get("Origin")
-		if origin == "" {
-			origin = "*"
+
+		// 白名单校验
+		allowed := false
+		if origin != "" {
+			for _, o := range allowedOrigins {
+				if o == origin {
+					allowed = true
+					break
+				}
+			}
 		}
-		c.Header("Access-Control-Allow-Origin", origin)
+
+		// 仅对白名单中的 origin 设置 CORS 头
+		if allowed {
+			c.Header("Access-Control-Allow-Origin", origin)
+			c.Header("Access-Control-Allow-Credentials", "true")
+		}
+
 		c.Header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH, OPTIONS")
 		c.Header("Access-Control-Allow-Headers", "Origin, Content-Type, Authorization, X-Request-ID")
-		c.Header("Access-Control-Allow-Credentials", "true")
 		c.Header("Access-Control-Max-Age", "86400")

 		// 安全头