v1.7版本更新

backend/utils/security.py

@@ -12,6 +12,7 @@
 import hashlib
 import secrets
 import re
+from passlib.hash import bcrypt as bcrypt_hash
 from config import settings
 
 
@@ -32,6 +33,27 @@ class SecurityUtils:
         md5_hash = hashlib.md5(salted.encode('utf-8')).hexdigest()
         return md5_hash
     
+    @staticmethod
+    def bcrypt_password(password: str) -> str:
+        """使用bcrypt加密密码"""
+        return bcrypt_hash.using(rounds=12).hash(password)
+    
+    @staticmethod
+    def verify_password_v2(plain_password: str, hashed_password: str) -> tuple:
+        """
+        验证密码（支持bcrypt和旧哈希）
+        返回: (是否验证成功, 是否需要升级哈希)
+        """
+        try:
+            if bcrypt_hash.verify(plain_password, hashed_password):
+                return True, False
+        except Exception:
+            pass
+        # 回退到旧的sha1_md5验证
+        if SecurityUtils.sha1_md5_password(plain_password) == hashed_password:
+            return True, True
+        return False, False
+    
     @staticmethod
     def verify_password(plain_password: str, hashed_password: str) -> bool:
         """验证密码"""
@@ -83,6 +105,21 @@ class SecurityUtils:
         # 去除首尾空格
         value = value.strip()
         
+        # SQL注入模式检测
+        sql_patterns = [
+            r'(?i)(\bunion\b\s+\bselect\b)',
+            r'(?i)(\bor\b\s+\d+\s*=\s*\d+)',
+            r'(?i)(\bdrop\b\s+\btable\b)',
+            r'(?i)(\bdelete\b\s+\bfrom\b)',
+            r'(?i)(\binsert\b\s+\binto\b)',
+            r'(?i)(\bupdate\b\s+\w+\s+\bset\b)',
+        ]
+        for pattern in sql_patterns:
+            value = re.sub(pattern, '', value)
+        
+        # 路径遍历检测
+        value = value.replace('../', '').replace('..\\', '')
+        
         # 限制长度
         if len(value) > max_length:
             value = value[:max_length]