test: add comprehensive test coverage and improve code quality

- Add new test files for auth, service, and handler modules - Improve test organization and coverage - Refactor code for better maintainability - Add captcha, settings, stats, and theme handler tests - Add auth module tests (CAS, OAuth, password, SSO, state) - Add service layer tests for auth, export, permissions, roles - All Go tests pass (exit code 0) - All frontend tests pass (325 tests in 59 files)
2026-04-17 20:43:50 +08:00
parent 0d66aa0423
commit 582ad7a069
136 changed files with 19010 additions and 8544 deletions
--- a/internal/security/validator.go
+++ b/internal/security/validator.go
@@ -79,17 +79,17 @@ func (v *Validator) SanitizeSQL(input string) string {

 	// Remove common SQL injection patterns that could bypass quoting
 	dangerousPatterns := []string{
-		`;[\s]*--`,           // SQL comment
-		`/\*.*?\*/`,          // Block comment (non-greedy)
-		`\bxp_\w+`,           // Extended stored procedures
-		`\bexec[\s\(]`,       // EXEC statements
-		`\bsp_\w+`,           // System stored procedures
-		`\bwaitfor[\s]+delay`, // Time-based blind SQL injection
-		`\bunion[\s]+select`, // UNION injection
-		`\bdrop[\s]+table`,   // DROP TABLE
-		`\binsert[\s]+into`,   // INSERT
+		`;[\s]*--`,                 // SQL comment
+		`/\*.*?\*/`,                // Block comment (non-greedy)
+		`\bxp_\w+`,                 // Extended stored procedures
+		`\bexec[\s\(]`,             // EXEC statements
+		`\bsp_\w+`,                 // System stored procedures
+		`\bwaitfor[\s]+delay`,      // Time-based blind SQL injection
+		`\bunion[\s]+select`,       // UNION injection
+		`\bdrop[\s]+table`,         // DROP TABLE
+		`\binsert[\s]+into`,        // INSERT
 		`\bupdate[\s]+\w+[\s]+set`, // UPDATE
-		`\bdelete[\s]+from`,   // DELETE
+		`\bdelete[\s]+from`,        // DELETE
 	}

 	result := replacer.Replace(input)
@@ -108,20 +108,20 @@ func (v *Validator) SanitizeSQL(input string) string {
 func (v *Validator) SanitizeXSS(input string) string {
 	// Remove dangerous tags and attributes using pattern matching
 	dangerousPatterns := []struct {
-		pattern     string
-		replaceAll  bool
+		pattern    string
+		replaceAll bool
 	}{
-		{`(?i)<script[^>]*>.*?</script>`, true},    // Script tags
-		{`(?i)</script>`, false},                   // Closing script
-		{`(?i)<iframe[^>]*>.*?</iframe>`, true},   // Iframe injection
-		{`(?i)<object[^>]*>.*?</object>`, true},   // Object injection
-		{`(?i)<embed[^>]*>.*?</embed>`, true},     // Embed injection
-		{`(?i)<applet[^>]*>.*?</applet>`, true},   // Applet injection
-		{`(?i)javascript\s*:`, false},              // JavaScript protocol
-		{`(?i)vbscript\s*:`, false},               // VBScript protocol
-		{`(?i)data\s*:`, false},                   // Data URL protocol
-		{`(?i)on\w+\s*=`, false},                  // Event handlers
-		{`(?i)<style[^>]*>.*?</style>`, true},    // Style injection
+		{`(?i)<script[^>]*>.*?</script>`, true}, // Script tags
+		{`(?i)</script>`, false},                // Closing script
+		{`(?i)<iframe[^>]*>.*?</iframe>`, true}, // Iframe injection
+		{`(?i)<object[^>]*>.*?</object>`, true}, // Object injection
+		{`(?i)<embed[^>]*>.*?</embed>`, true},   // Embed injection
+		{`(?i)<applet[^>]*>.*?</applet>`, true}, // Applet injection
+		{`(?i)javascript\s*:`, false},           // JavaScript protocol
+		{`(?i)vbscript\s*:`, false},             // VBScript protocol
+		{`(?i)data\s*:`, false},                 // Data URL protocol
+		{`(?i)on\w+\s*=`, false},                // Event handlers
+		{`(?i)<style[^>]*>.*?</style>`, true},   // Style injection
 	}

 	result := input