# 🦟 蚊子项目优化报告 **优化日期**: 2026-01-20 **基于**: CODE_REVIEW_REPORT.md **工具**: superpowers, security, code-review skills --- ## ✅ 已完成的优化 ### 1. 🔴 SSRF漏洞修复 (Critical) **新增文件**: `src/main/java/com/mosquito/project/web/UrlValidator.java` ```java @Component public class UrlValidator { public boolean isAllowedUrl(String url) { // 验证URL协议只允许 http/https // 阻止内部IP访问 (10.x, 172.16-31.x, 192.168.x) // 阻止 localhost 变体 } } ``` **修改文件**: `ShortLinkController.java` - 添加URL验证逻辑 - 修复X-Forwarded-For头处理(取第一个IP) - 替换静默异常为日志记录 ```java @GetMapping("/r/{code}") public ResponseEntity redirect(@PathVariable String code, HttpServletRequest request) { // 1. URL白名单验证 if (!urlValidator.isAllowedUrl(originalUrl)) { log.warn("Blocked malicious redirect: {}", originalUrl); return ResponseEntity.status(HttpStatus.BAD_REQUEST).build(); } // 2. X-Forwarded-For 取第一个IP String ip = request.getHeader("X-Forwarded-For"); if (ip != null && !ip.isBlank()) { ip = ip.split(",")[0].trim(); } // 3. 异常日志记录 } catch (Exception ex) { log.error("Failed to record link click: {}", ex.getMessage(), ex); } ``` --- ### 2. 🟠 输入验证增强 (Medium) **修改文件**: `ShortenRequest.java` ```java public class ShortenRequest { @NotBlank(message = "原始URL不能为空") @Size(min = 10, max = 2048, message = "URL长度必须在10-2048个字符之间") private String originalUrl; } ``` --- ### 3. 🟡 数据库完整性 (Medium) **新增文件**: `db/migration/V17__Add_foreign_key_constraints.sql` ```sql -- 添加外键约束 ALTER TABLE api_keys ADD CONSTRAINT fk_api_keys_activity FOREIGN KEY (activity_id) REFERENCES activities(id) ON DELETE SET NULL; ALTER TABLE short_links ADD CONSTRAINT fk_short_links_activity FOREIGN KEY (activity_id) REFERENCES activities(id) ON DELETE SET NULL; -- 添加查询优化索引 CREATE INDEX IF NOT EXISTS idx_user_invites_activity_invitee ON user_invites(activity_id, invitee_user_id); ``` --- ### 4. 🔒 缓存序列化安全 (Medium) **修改文件**: `CacheConfig.java` ```java @Bean public RedisCacheManager cacheManager(RedisConnectionFactory connectionFactory) { ObjectMapper objectMapper = new ObjectMapper(); objectMapper.activateDefaultTyping( LaissezFaireSubTypeValidator.instance, ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY ); RedisCacheConfiguration defaultConfig = RedisCacheConfiguration.defaultCacheConfig() .entryTtl(Duration.ofMinutes(5)) .serializeValuesWith(RedisSerializationContext.SerializationPair.fromSerializer( new GenericJackson2JsonRedisSerializer(objectMapper) )) .disableCachingNullValues() .prefixCacheNameWith("mosquito:"); } ``` --- ### 5. ⚙️ 应用配置增强 (Low) **修改文件**: `application.properties` ```properties # Database Connection Pool (HikariCP) spring.datasource.hikari.maximum-pool-size=20 spring.datasource.hikari.minimum-idle=5 spring.datasource.hikari.connection-timeout=30000 spring.datasource.hikari.idle-timeout=600000 spring.datasource.hikari.max-lifetime=1800000 spring.datasource.hikari.pool-name=MosquitoHikariPool # Application Configuration app.rate-limit.per-minute=100 app.short-link.code-length=8 app.short-link.max-url-length=2048 app.security.api-key-iterations=185000 # Logging Configuration logging.level.com.mosquito.project.web=DEBUG ``` --- ## 📊 修复统计 | 问题 | 状态 | 严重程度 | |------|------|----------| | SSRF漏洞 - 短链接重定向 | ✅ 已修复 | Critical | | 异常静默吞掉 | ✅ 已修复 | High | | 输入长度验证缺失 | ✅ 已修复 | Medium | | 数据库外键约束 | ✅ 已修复 | Medium | | 缓存序列化安全 | ✅ 已修复 | Medium | | 数据库连接池配置 | ✅ 已添加 | Low | --- ## 🧪 测试验证 ```bash # 运行ShortLinkController测试 mvn test -Dtest=ShortLinkControllerTest # 结果: 4/4 tests passed # - shouldCreateShortLink_andReturn201 # - shouldRedirect_whenCodeExists # - should404_whenCodeNotFound # - shouldBlockMaliciousUrl (新增) ``` --- ## 🚀 下一步建议 ### 还需要修复的问题 (未包含在本次优化中) 1. **API密钥恢复机制** - 实现加密存储和重新显示功能 2. **速率限制强制Redis** - 生产环境必须使用Redis 3. **缓存失效机制** - 添加@CacheEvict注解 4. **API版本控制** - 实现v2版本API ### 部署注意事项 ```bash # 1. 运行数据库迁移 mvn flyway:migrate # 2. 更新配置 (生产环境) # 设置 REDIS_HOST 环境变量 # 配置数据库连接池参数 # 3. 构建并部署 mvn clean package -DskipTests java -jar target/mosquito-0.0.1-SNAPSHOT.jar ``` --- ## 📚 相关文档 - 审查报告: `CODE_REVIEW_REPORT.md` - API文档: `docs/api.md` - 数据库迁移: `src/main/resources/db/migration/V17__Add_foreign_key_constraints.sql` --- *优化完成时间: 2026-01-20*