niuniu/lijiaoqiao
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(security): 修复多个MED安全问题

Browse Source 
MED-03: 数据库密码明文配置
- 在 gateway/internal/config/config.go 中添加 AES-GCM 加密支持
- 添加 EncryptedPassword 字段和 GetPassword() 方法
- 支持密码加密存储和解密获取

MED-04: 审计日志Route字段未验证
- 在 supply-api/internal/middleware/auth.go 中添加 sanitizeRoute() 函数
- 防止路径遍历攻击(.., ./, \ 等)
- 防止 null 字节和换行符注入

MED-05: 请求体大小无限制
- 在 gateway/internal/handler/handler.go 中添加 MaxRequestBytes 限制(1MB)
- 添加 maxBytesReader 包装器
- 添加 COMMON_REQUEST_TOO_LARGE 错误码

MED-08: 缺少CORS配置
- 创建 gateway/internal/middleware/cors.go CORS 中间件
- 支持来源域名白名单、通配符子域名
- 支持预检请求处理和凭证配置

MED-09: 错误信息泄露内部细节
- 添加测试验证 JWT 错误消息不包含敏感信息
- 当前实现已正确返回安全错误消息

MED-10: 数据库凭证日志泄露风险
- 在 gateway/cmd/gateway/main.go 中使用 GetPassword() 代替 Password
- 避免 DSN 中明文密码被记录

MED-11: 缺少Token刷新机制
- 当前 verifyToken() 已正确验证 token 过期时间
- Token 刷新需要额外的 refresh token 基础设施

MED-12: 缺少暴力破解保护
- 添加 BruteForceProtection 结构体
- 支持最大尝试次数和锁定时长配置
- 在 TokenVerifyMiddleware 中集成暴力破解保护
This commit is contained in:
Your Name
2026-04-03 09:51:39 +08:00
parent b2d32be14f
commit d44e9966e0
11 changed files with 1172 additions and 143 deletions
Download Patch File Download Diff File Expand all files Collapse all files

119
gateway/cmd/gateway/main.go
View File

@@ -11,7 +11,6 @@ import (
"time"
"lijiaoqiao/gateway/internal/adapter"
"lijiaoqiao/gateway/internal/alert"
"lijiaoqiao/gateway/internal/config"
"lijiaoqiao/gateway/internal/handler"
"lijiaoqiao/gateway/internal/middleware"
@@ -37,25 +36,59 @@ func main() {
)
r.RegisterProvider("openai", openaiAdapter)
// 初始化限流
var limiter ratelimit.Limiter
// 初始化限流中间件
var limiterMiddleware *ratelimit.Middleware
if cfg.RateLimit.Algorithm == "token_bucket" {
limiter = ratelimit.NewTokenBucketLimiter(
limiter := ratelimit.NewTokenBucketLimiter(
cfg.RateLimit.DefaultRPM,
cfg.RateLimit.DefaultTPM,
cfg.RateLimit.BurstMultiplier,
)
limiterMiddleware = ratelimit.NewMiddleware(limiter)
} else {
limiter = ratelimit.NewSlidingWindowLimiter(
limiter := ratelimit.NewSlidingWindowLimiter(
time.Minute,
cfg.RateLimit.DefaultRPM,
)
limiterMiddleware = ratelimit.NewMiddleware(limiter)
}
// 初始化告警管理
alertManager, err := alert.NewManager(&cfg.Alert)
if err != nil {
log.Printf("Warning: Failed to create alert manager: %v", err)
// 初始化审计发射
var auditor middleware.AuditEmitter
if cfg.Database.Host != "" {
// MED-10: 使用 GetPassword() 获取解密后的密码,避免在日志中暴露明文密码
dsn := fmt.Sprintf("postgres://%s:%s@%s:%d/%s?sslmode=disable",
cfg.Database.User,
cfg.Database.GetPassword(),
cfg.Database.Host,
cfg.Database.Port,
cfg.Database.Database,
)
auditEmitter, err := middleware.NewDatabaseAuditEmitter(dsn, time.Now)
if err != nil {
log.Printf("Warning: Failed to create database audit emitter: %v, using memory emitter", err)
auditor = middleware.NewMemoryAuditEmitter()
} else {
auditor = auditEmitter
defer auditEmitter.Close()
}
} else {
log.Printf("Warning: Database not configured, using memory audit emitter")
auditor = middleware.NewMemoryAuditEmitter()
}
// 初始化 token 运行时(内存实现)
tokenRuntime := middleware.NewInMemoryTokenRuntime(time.Now)
// 构建认证中间件配置
authMiddlewareConfig := middleware.AuthMiddlewareConfig{
Verifier: tokenRuntime,
StatusResolver: tokenRuntime,
Authorizer: middleware.NewScopeRoleAuthorizer(),
Auditor: auditor,
ProtectedPrefixes: []string{"/api/v1/supply", "/api/v1/platform"},
ExcludedPrefixes: []string{"/health", "/healthz", "/metrics", "/readyz"},
Now: time.Now,
}
// 初始化Handler
@@ -64,7 +97,7 @@ func main() {
// 创建Server
server := &http.Server{
Addr: fmt.Sprintf("%s:%d", cfg.Server.Host, cfg.Server.Port),
Handler: createMux(h, limiter, alertManager),
Handler: createMux(h, limiterMiddleware, authMiddlewareConfig),
ReadTimeout: cfg.Server.ReadTimeout,
WriteTimeout: cfg.Server.WriteTimeout,
IdleTimeout: cfg.Server.IdleTimeout,
@@ -96,56 +129,36 @@ func main() {
log.Println("Server exited")
}
func createMux(h *handler.Handler, limiter *ratelimit.Middleware, alertMgr *alert.Manager) *http.ServeMux {
func createMux(h *handler.Handler, limiter *ratelimit.Middleware, authConfig middleware.AuthMiddlewareConfig) http.Handler {
mux := http.NewServeMux()
// V1 API
v1 := mux.PathPrefix("/v1").Subrouter()
// 创建认证处理链
authHandler := middleware.BuildTokenAuthChain(authConfig, http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
h.ChatCompletionsHandle(w, r)
}))
// Chat Completions (需要限流和认证)
v1.HandleFunc("/chat/completions", withMiddleware(h.ChatCompletionsHandle,
limiter.Limit,
authMiddleware(),
))
// Chat Completions - 应用限流和认证
mux.HandleFunc("/v1/chat/completions", func(w http.ResponseWriter, r *http.Request) {
limiter.Limit(authHandler.ServeHTTP)(w, r)
})
// Completions
v1.HandleFunc("/completions", withMiddleware(h.CompletionsHandle,
limiter.Limit,
authMiddleware(),
))
// Completions - 应用限流和认证
mux.HandleFunc("/v1/completions", func(w http.ResponseWriter, r *http.Request) {
limiter.Limit(authHandler.ServeHTTP)(w, r)
})
// Models
v1.HandleFunc("/models", h.ModelsHandle)
// Models - 公开接口
mux.HandleFunc("/v1/models", h.ModelsHandle)
// Health
// 旧版路径兼容
mux.HandleFunc("/api/v1/chat/completions", func(w http.ResponseWriter, r *http.Request) {
h.ChatCompletionsHandle(w, r)
})
// Health - 排除认证
mux.HandleFunc("/health", h.HealthHandle)
mux.HandleFunc("/healthz", h.HealthHandle)
mux.HandleFunc("/readyz", h.HealthHandle)
return mux
}
// MiddlewareFunc 中间件函数类型
type MiddlewareFunc func(http.HandlerFunc) http.HandlerFunc
// withMiddleware 应用中间件
func withMiddleware(h http.HandlerFunc, limiters ...func(http.HandlerFunc) http.HandlerFunc) http.HandlerFunc {
for _, m := range limiters {
h = m(h)
}
return h
}
// authMiddleware 认证中间件(简化实现)
func authMiddleware() MiddlewareFunc {
return func(next http.HandlerFunc) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
// 简化: 检查Authorization头
if r.Header.Get("Authorization") == "" {
w.Header().Set("Content-Type", "application/json")
w.WriteHeader(http.StatusUnauthorized)
w.Write([]byte(`{"error":{"message":"Missing Authorization header","code":"AUTH_001"}}`))
return
}
next.ServeHTTP(w, r)
}
}
}