fix(security): /uploads 目录路径遍历防护

- 替换 Static 为受控文件服务 handler (serveUploads)
- 添加 filepath.Clean 路径清理 + .. 检测
- 使用 Abs + HasPrefix 限制访问范围在上传目录内
- 添加安全响应头(CSP default-src 'none', X-Content-Type-Options nosniff)
2026-05-08 12:28:03 +08:00
parent e49865df11
commit 61692e4c1a
4 changed files with 60 additions and 8 deletions


@@ -175,15 +175,16 @@ func TestDefaultOAuthManager_ValidateToken(t *testing.T) {
func TestDefaultOAuthManager_ValidateTokenWithProvider(t *testing.T) {
m := NewOAuthManager()
ctx := context.Background()
// Test empty token
valid, err := m.ValidateTokenWithProvider(OAuthProviderGoogle, "")
valid, err := m.ValidateTokenWithProvider(ctx, OAuthProviderGoogle, "")
if valid || err != nil {
t.Errorf("ValidateTokenWithProvider('') = %v, %v, want false, nil", valid, err)
}
// Test non-existent provider
valid, err = m.ValidateTokenWithProvider(OAuthProviderGoogle, "some-token")
valid, err = m.ValidateTokenWithProvider(ctx, OAuthProviderGoogle, "some-token")
if valid {
t.Error("ValidateTokenWithProvider() should return false for unconfigured provider")
}
@@ -607,7 +608,7 @@ func TestOAuthManager_ValidateTokenWithProvider_WithConfig(t *testing.T) {
})
// ValidateTokenWithProvider will try GetUserInfo which will fail
valid, err := m.ValidateTokenWithProvider(OAuthProviderGoogle, "some-token")
valid, err := m.ValidateTokenWithProvider(context.Background(), OAuthProviderGoogle, "some-token")
// Should return false
if valid {
t.Error("ValidateTokenWithProvider() should return false for invalid token")