yangjianbo
d7011163b8
安全修复(P0): - 移除硬编码的 OAuth client_secret(Antigravity、Gemini CLI), 改为通过环境变量注入(ANTIGRAVITY_OAUTH_CLIENT_SECRET、 GEMINI_CLI_OAUTH_CLIENT_SECRET) - 新增 logredact.RedactText() 对非结构化文本做敏感信息脱敏, 覆盖 GOCSPX-*/AIza* 令牌和常见 key=value 模式 - 日志中不再打印 org_uuid、account_uuid、email_address 等敏感值 安全修复(P1): - URL 验证增强:新增 ValidateHTTPURL 统一入口,支持 allowlist 和 私网地址阻断(localhost/内网 IP) - 代理回退安全:代理初始化失败时默认阻止直连回退,防止 IP 泄露, 可通过 security.proxy_fallback.allow_direct_on_error 显式开启 - Gemini OAuth 配置校验:client_id 与 client_secret 必须同时 设置或同时留空 其他改进: - 新增 tools/secret_scan.py 密钥扫描工具和 Makefile secret-scan 目标 - 更新所有 docker-compose 和部署配置,传递 OAuth secret 环境变量 - google_one OAuth 类型使用固定 redirectURI,与 code_assist 对齐 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
163 lines
4.5 KiB
Go
163 lines
4.5 KiB
Go
package repository
|
|
|
|
import (
|
|
"context"
|
|
"encoding/json"
|
|
"fmt"
|
|
"io"
|
|
"net/http"
|
|
"os"
|
|
"time"
|
|
|
|
"github.com/Wei-Shaw/sub2api/internal/pkg/httpclient"
|
|
"github.com/Wei-Shaw/sub2api/internal/service"
|
|
)
|
|
|
|
type githubReleaseClient struct {
|
|
httpClient *http.Client
|
|
downloadHTTPClient *http.Client
|
|
}
|
|
|
|
type githubReleaseClientError struct {
|
|
err error
|
|
}
|
|
|
|
// NewGitHubReleaseClient 创建 GitHub Release 客户端
|
|
// proxyURL 为空时直连 GitHub,支持 http/https/socks5/socks5h 协议
|
|
func NewGitHubReleaseClient(proxyURL string, allowDirectOnProxyError bool) service.GitHubReleaseClient {
|
|
sharedClient, err := httpclient.GetClient(httpclient.Options{
|
|
Timeout: 30 * time.Second,
|
|
ProxyURL: proxyURL,
|
|
})
|
|
if err != nil {
|
|
if proxyURL != "" && !allowDirectOnProxyError {
|
|
return &githubReleaseClientError{err: fmt.Errorf("proxy client init failed and direct fallback is disabled; set security.proxy_fallback.allow_direct_on_error=true to allow fallback: %w", err)}
|
|
}
|
|
sharedClient = &http.Client{Timeout: 30 * time.Second}
|
|
}
|
|
|
|
// 下载客户端需要更长的超时时间
|
|
downloadClient, err := httpclient.GetClient(httpclient.Options{
|
|
Timeout: 10 * time.Minute,
|
|
ProxyURL: proxyURL,
|
|
})
|
|
if err != nil {
|
|
if proxyURL != "" && !allowDirectOnProxyError {
|
|
return &githubReleaseClientError{err: fmt.Errorf("proxy client init failed and direct fallback is disabled; set security.proxy_fallback.allow_direct_on_error=true to allow fallback: %w", err)}
|
|
}
|
|
downloadClient = &http.Client{Timeout: 10 * time.Minute}
|
|
}
|
|
|
|
return &githubReleaseClient{
|
|
httpClient: sharedClient,
|
|
downloadHTTPClient: downloadClient,
|
|
}
|
|
}
|
|
|
|
func (c *githubReleaseClientError) FetchLatestRelease(ctx context.Context, repo string) (*service.GitHubRelease, error) {
|
|
return nil, c.err
|
|
}
|
|
|
|
func (c *githubReleaseClientError) DownloadFile(ctx context.Context, url, dest string, maxSize int64) error {
|
|
return c.err
|
|
}
|
|
|
|
func (c *githubReleaseClientError) FetchChecksumFile(ctx context.Context, url string) ([]byte, error) {
|
|
return nil, c.err
|
|
}
|
|
|
|
func (c *githubReleaseClient) FetchLatestRelease(ctx context.Context, repo string) (*service.GitHubRelease, error) {
|
|
url := fmt.Sprintf("https://api.github.com/repos/%s/releases/latest", repo)
|
|
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
req.Header.Set("Accept", "application/vnd.github.v3+json")
|
|
req.Header.Set("User-Agent", "Sub2API-Updater")
|
|
|
|
resp, err := c.httpClient.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer func() { _ = resp.Body.Close() }()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
return nil, fmt.Errorf("GitHub API returned %d", resp.StatusCode)
|
|
}
|
|
|
|
var release service.GitHubRelease
|
|
if err := json.NewDecoder(resp.Body).Decode(&release); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return &release, nil
|
|
}
|
|
|
|
func (c *githubReleaseClient) DownloadFile(ctx context.Context, url, dest string, maxSize int64) error {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// 使用预配置的下载客户端(已包含代理配置)
|
|
resp, err := c.downloadHTTPClient.Do(req)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
defer func() { _ = resp.Body.Close() }()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
return fmt.Errorf("download returned %d", resp.StatusCode)
|
|
}
|
|
|
|
// SECURITY: Check Content-Length if available
|
|
if resp.ContentLength > maxSize {
|
|
return fmt.Errorf("file too large: %d bytes (max %d)", resp.ContentLength, maxSize)
|
|
}
|
|
|
|
out, err := os.Create(dest)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
// SECURITY: Use LimitReader to enforce max download size even if Content-Length is missing/wrong
|
|
limited := io.LimitReader(resp.Body, maxSize+1)
|
|
written, err := io.Copy(out, limited)
|
|
|
|
// Close file before attempting to remove (required on Windows)
|
|
_ = out.Close()
|
|
|
|
if err != nil {
|
|
_ = os.Remove(dest) // Clean up partial file (best-effort)
|
|
return err
|
|
}
|
|
|
|
// Check if we hit the limit (downloaded more than maxSize)
|
|
if written > maxSize {
|
|
_ = os.Remove(dest) // Clean up partial file (best-effort)
|
|
return fmt.Errorf("download exceeded maximum size of %d bytes", maxSize)
|
|
}
|
|
|
|
return nil
|
|
}
|
|
|
|
func (c *githubReleaseClient) FetchChecksumFile(ctx context.Context, url string) ([]byte, error) {
|
|
req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
resp, err := c.httpClient.Do(req)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
defer func() { _ = resp.Body.Close() }()
|
|
|
|
if resp.StatusCode != http.StatusOK {
|
|
return nil, fmt.Errorf("HTTP %d", resp.StatusCode)
|
|
}
|
|
|
|
return io.ReadAll(resp.Body)
|
|
}
|