fix(security): /uploads 目录路径遍历防护
- 替换 Static 为受控文件服务 handler (serveUploads) - 添加 filepath.Clean 路径清理 + .. 检测 - 使用 Abs + HasPrefix 限制访问范围在上传目录内 - 添加安全响应头(CSP default-src 'none', X-Content-Type-Options nosniff)
@@ -175,15 +175,16 @@ func TestDefaultOAuthManager_ValidateToken(t *testing.T) {
|
||||
|
||||
func TestDefaultOAuthManager_ValidateTokenWithProvider(t *testing.T) {
|
||||
m := NewOAuthManager()
|
||||
ctx := context.Background()
|
||||
|
||||
// Test empty token
|
||||
valid, err := m.ValidateTokenWithProvider(OAuthProviderGoogle, "")
|
||||
valid, err := m.ValidateTokenWithProvider(ctx, OAuthProviderGoogle, "")
|
||||
if valid || err != nil {
|
||||
t.Errorf("ValidateTokenWithProvider('') = %v, %v, want false, nil", valid, err)
|
||||
}
|
||||
|
||||
// Test non-existent provider
|
||||
valid, err = m.ValidateTokenWithProvider(OAuthProviderGoogle, "some-token")
|
||||
valid, err = m.ValidateTokenWithProvider(ctx, OAuthProviderGoogle, "some-token")
|
||||
if valid {
|
||||
t.Error("ValidateTokenWithProvider() should return false for unconfigured provider")
|
||||
}
|
||||
@@ -607,7 +608,7 @@ func TestOAuthManager_ValidateTokenWithProvider_WithConfig(t *testing.T) {
|
||||
})
|
||||
|
||||
// ValidateTokenWithProvider will try GetUserInfo which will fail
|
||||
valid, err := m.ValidateTokenWithProvider(OAuthProviderGoogle, "some-token")
|
||||
valid, err := m.ValidateTokenWithProvider(context.Background(), OAuthProviderGoogle, "some-token")
|
||||
// Should return false
|
||||
if valid {
|
||||
t.Error("ValidateTokenWithProvider() should return false for invalid token")
|
||||
|
||||
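Review bot: In the first hunk the new call `valid, err = m.ValidateTokenWithProvider(ctx, OAuthProviderGoogle, "some-token")` assigns err but the `if valid {` that follows never looks at it, so a provider that returns (false, nil) and one that returns (false, err) pass the same test; if an unconfigured provider is meant to report an error, add `if err == nil { t.Error("ValidateTokenWithProvider() should return an error for unconfigured provider") }`, otherwise say in the comment that a nil error is the intended contract. The comment above that call reads "Test non-existent provider" while the failure message says "unconfigured provider" and the call uses the known OAuthProviderGoogle constant, so the comment appears to be the one that is off. The first hunk hoists the context into a `ctx` local while the second hunk passes `context.Background()` inline; one form throughout the file would read more consistently. The commit description covers only the /uploads path-traversal fix, so the context.Context parameter added to ValidateTokenWithProvider is not documented anywhere in this commit; the file header of this section is outside the visible page.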