v1.7版本更新

2026-05-21 20:15:56 +08:00
parent 74a71ddaf5
commit cb0c367eb7
54 changed files with 2292 additions and 1785 deletions
--- a/backend/middleware/auth_middleware.py
+++ b/backend/middleware/auth_middleware.py
@@ -30,6 +30,7 @@ PUBLIC_PATHS = [
    r'^/health$',
    r'^/api/auth/login$',
    r'^/api/auth/logout$',
+    r'^/api/config/deduction-rules$',
 ]
 def is_public_path(path: str) -> bool:
    """检查是否为公开路径"""
--- a/backend/middleware/sanitize.py
+++ b/backend/middleware/sanitize.py
@@ -56,6 +56,21 @@ class SanitizeMiddleware(BaseHTTPMiddleware):
        # 去除首尾空格
        value = value.strip()
        
+        # SQL注入模式检测
+        sql_patterns = [
+            r'(?i)(\bunion\b\s+\bselect\b)',
+            r'(?i)(\bor\b\s+\d+\s*=\s*\d+)',
+            r'(?i)(\bdrop\b\s+\btable\b)',
+            r'(?i)(\bdelete\b\s+\bfrom\b)',
+            r'(?i)(\binsert\b\s+\binto\b)',
+            r'(?i)(\bupdate\b\s+\w+\s+\bset\b)',
+        ]
+        for pattern in sql_patterns:
+            value = re.sub(pattern, '', value)
+        
+        # 路径遍历检测
+        value = value.replace('../', '').replace('..\\', '')
+        
        # 限制长度
        if len(value) > 1000:
            value = value[:1000]
@@ -106,7 +121,9 @@ def validate_reason(reason: str) -> tuple:
    """
    if not reason or not reason.strip():
        return False, "原因不能为空"
-    if len(reason) > 255:
+    # 计算可见字符长度（不含换行符），支持多行输入
+    visible_length = len(reason.replace('\n', ''))
+    if visible_length > 255:
        return False, "原因长度不能超过255个字符"
    return True, ""