fix: resolve P0 security issues per governance baseline

P0-01: LIKE injection fix in device.go (2 locations)
- Added escapeLikePattern() to prevent LIKE pattern manipulation

P0-03: Token refresh blacklist fail-closed
- RefreshToken() now returns error if cache.Set fails
- Prevents token double-spend on cache failures

P0-05: CORS dangerous default configuration
- Default changed to empty origins, credentials off
- init() panics if default config is dangerous

P0-06: UpdateUser IDOR vulnerability fix
- Added authorization check (self-or-admin)
- Prevents unauthorized user profile modification

Also: Fixed frontend lint errors in device-fingerprint.test.ts and http/index.test.ts

All 518 frontend tests pass, all backend tests pass.
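As an added illustration of the P0-01 fix described above (this is example code written here, not the project's own `escapeLikePattern`), the following Go snippet shows how a user keyword can be escaped before being wrapped in `%...%`, paired with an explicit `ESCAPE` clause so the escaping does not depend on the database's default escape character. The names `escapeLikePattern`, `buildKeywordFilter` and the choice of `!` as escape character are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// likeEscapeChar is passed explicitly through an ESCAPE clause. '!' is chosen
// because it needs no quoting inside an SQL string literal on any common engine.
const likeEscapeChar = "!"

// escapeLikePattern neutralises the LIKE metacharacters in a user-supplied
// keyword: '%' (any run of characters), '_' (exactly one character) and the
// escape character itself. Hypothetical implementation, not the project's.
func escapeLikePattern(keyword string) string {
	// The escape character is listed first so an existing '!' is doubled
	// before '%' and '_' receive their own prefix.
	r := strings.NewReplacer(
		likeEscapeChar, likeEscapeChar+likeEscapeChar,
		"%", likeEscapeChar+"%",
		"_", likeEscapeChar+"_",
	)
	return r.Replace(keyword)
}

// buildKeywordFilter returns the WHERE fragment and the single bound pattern
// for a contains-search over the three columns, with ESCAPE spelled out.
func buildKeywordFilter(keyword string) (clause string, pattern string) {
	pattern = "%" + escapeLikePattern(keyword) + "%"
	clause = fmt.Sprintf(
		"device_name LIKE ? ESCAPE '%[1]s' OR ip LIKE ? ESCAPE '%[1]s' OR location LIKE ? ESCAPE '%[1]s'",
		likeEscapeChar)
	return clause, pattern
}

func main() {
	// Constructed sample keywords: a plain one and three containing metacharacters.
	for _, kw := range []string{"iPhone", "100%", "a_b", "50!%"} {
		clause, pattern := buildKeywordFilter(kw)
		fmt.Printf("keyword=%q -> pattern=%q\n  %s\n", kw, pattern, clause)
	}
}
```

The bound `pattern` still goes through the driver as a parameter; only the `ESCAPE` character is interpolated, and it is a constant, never user input.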
2026-04-18 09:32:54 +08:00
parent 7849c3c3ed
commit 0795e126cc
6 changed files with 41 additions and 24 deletions


@@ -236,10 +236,11 @@ func (r *DeviceRepository) ListAll(ctx context.Context, params *ListDevicesParam
if params.IsTrusted != nil {
query = query.Where("is_trusted = ?", *params.IsTrusted)
}
// 按关键词筛选(设备名/IP/位置)
// 按关键词筛选(设备名/IP/位置)- 转义 LIKE 特殊字符
if params.Keyword != "" {
search := "%" + params.Keyword + "%"
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", search, search, search)
escapedKeyword := escapeLikePattern(params.Keyword)
pattern := "%" + escapedKeyword + "%"
query = query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", pattern, pattern, pattern)
}
// 获取总数
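Review bot: the three LIKE predicates in the new `query.Where("device_name LIKE ? OR ip LIKE ? OR location LIKE ?", pattern, pattern, pattern)` line carry no ESCAPE clause, so whether `escapeLikePattern` actually neutralises `%` and `_` depends on the driver's default escape character (SQLite, for one, has none). Suggest spelling it out on each predicate, e.g. `device_name LIKE ? ESCAPE '!' OR ip LIKE ? ESCAPE '!' OR location LIKE ? ESCAPE '!'`, using the same character `escapeLikePattern` emits. The definition of `escapeLikePattern` is not in this hunk, so its handling of `%`, `_` and the escape character itself cannot be checked here, and of the two locations the commit message mentions only this one is visible.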