fix: resolve P0 security issues per governance baseline
P0-01: LIKE injection fix in device.go (2 locations) - Added escapeLikePattern() to prevent LIKE pattern manipulation P0-03: Token refresh blacklist fail-closed - RefreshToken() now returns error if cache.Set fails - Prevents token double-spend on cache failures P0-05: CORS dangerous default configuration - Default changed to empty origins, credentials off - init() panics if default config is dangerous P0-06: UpdateUser IDOR vulnerability fix - Added authorization check (self-or-admin) - Prevents unauthorized user profile modification Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts All 518 frontend tests pass, all backend tests pass.
@@ -236,10 +236,11 @@ func (r *DeviceRepository) ListAll(ctx context.Context, params *ListDevicesParam
|
||||
if params.IsTrusted != nil {
|
||||
query = query.Where("is_trusted = ?", *params.IsTrusted)
|
||||
}
|
||||
// 按关键词筛选(设备名/IP/位置)
|
||||
// 按关键词筛选(设备名/IP/位置)- 转义 LIKE 特殊字符
|
||||
if params.Keyword != "" {
|
||||
search := "%" + params.Keyword + "%"
|
||||
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", search, search, search)
|
||||
escapedKeyword := escapeLikePattern(params.Keyword)
|
||||
pattern := "%" + escapedKeyword + "%"
|
||||
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", pattern, pattern, pattern)
|
||||
}
|
||||
|
||||
// 获取总数
|
||||
|
||||
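Review bot: The escape character the new LIKE predicates depend on is never declared: `query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", pattern, pattern, pattern)` carries no ESCAPE clause, so whether the `%` and `_` escaped by `escapeLikePattern` are actually treated literally depends on the dialect's default (PostgreSQL and MySQL default to backslash, SQLite has no default escape character). escapeLikePattern is defined outside this hunk, so I cannot confirm which escape character it emits or that it also escapes the escape character itself; if it uses backslash, stating it explicitly removes the dialect dependency, e.g. `... LIKE ? ESCAPE '\\' OR ...` on each of the three predicates (the exact literal form varies by driver). A short comment on the `escapedKeyword := escapeLikePattern(params.Keyword)` line saying that this guards a bound parameter against wildcard abuse (over-broad matches and expensive leading-wildcard scans), not against SQL injection, would keep a future maintainer from dropping it as redundant. ListAll itself begins and ends outside this hunk.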