alai-dev/trade-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security and code quality improvements

Browse Source 
Security fixes:
- Add file upload size limits (10MB) for customer and product imports
- Add XLSX file validation with row limits and magic byte checking
- Implement password validation (min 6 chars) in registration
- Add rate limiting for guest login (5 per IP per 15 minutes)
- Sanitize error messages to prevent information leakage
- Fix XSS vulnerability by removing unsafe v-html usage
- Enforce WhatsApp webhook signature verification
- Add SSRF protection with URL validation and IP blocking
- Fix marketing endpoints to use proper authentication

Code quality improvements:
- Create shared utility functions for UUID validation and string sanitization
- Remove duplicate UUID validation code from admin modules
- Remove dead code (pass statement in translation.py)
- Fix aliyun SDK import compatibility
This commit is contained in:
TradeMate Dev
2026-06-11 17:54:07 +08:00
parent d2736d1ef6
commit 13e3992d4c
18 changed files with 272 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
admin-frontend/package-lock.json
Generated
+48
View File
@@ -18,6 +18,7 @@
},
"devDependencies": {
"@vitejs/plugin-vue": "^5.2.1",
"playwright": "^1.60.0",
"vite": "^6.0.7"
}
},
@@ -1706,6 +1707,53 @@
}
}
},
"node_modules/playwright": {
"version": "1.60.0",
"resolved": "https://registry.npmmirror.com/playwright/-/playwright-1.60.0.tgz",
"integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright-core": "1.60.0"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
},
"optionalDependencies": {
"fsevents": "2.3.2"
}
},
"node_modules/playwright-core": {
"version": "1.60.0",
"resolved": "https://registry.npmmirror.com/playwright-core/-/playwright-core-1.60.0.tgz",
"integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==",
"dev": true,
"license": "Apache-2.0",
"bin": {
"playwright-core": "cli.js"
},
"engines": {
"node": ">=18"
}
},
"node_modules/playwright/node_modules/fsevents": {
"version": "2.3.2",
"resolved": "https://registry.npmmirror.com/fsevents/-/fsevents-2.3.2.tgz",
"integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/postcss": {
"version": "8.5.15",
"resolved": "https://registry.npmmirror.com/postcss/-/postcss-8.5.15.tgz",
admin-frontend/package.json
+5 -4
View File
@@ -9,16 +9,17 @@
"preview": "vite preview"
},
"dependencies": {
"vue": "^3.5.13",
"vue-router": "^4.5.0",
"element-plus": "^2.9.1",
"@element-plus/icons-vue": "^2.3.1",
"axios": "^1.7.9",
"dayjs": "^1.11.13",
"element-plus": "^2.9.1",
"pinia": "^2.3.0",
"dayjs": "^1.11.13"
"vue": "^3.5.13",
"vue-router": "^4.5.0"
},
"devDependencies": {
"@vitejs/plugin-vue": "^5.2.1",
"playwright": "^1.60.0",
"vite": "^6.0.7"
}
}
backend/app/ai/providers/alibaba.py
+1 -1
View File
@@ -1,6 +1,6 @@
from typing import Dict, Any, Optional
from aliyunsdkcore.client import AcsClient
from aliyunsdkcore.auth.credentials import StsTokenCredential
from aliyunsdkcore.auth.credentials import AccessKeyCredential
from aliyunsdkalimt.request.v20181012 import TranslateGeneralRequest, TranslateECommerceRequest
from app.services.translation_quota import TranslationQuotaService
from app.database import AsyncSessionLocal
backend/app/api/v1/admin.py
+4 -4
View File
@@ -41,11 +41,11 @@ async def list_users(
return await service.list_users(page, size, role)
from app.core.utils import validate_uuid
def _validate_uuid(user_id: str):
try:
uuid.UUID(user_id)
except ValueError:
raise HTTPException(status_code=400, detail="Invalid user ID format")
validate_uuid(user_id)
@router.patch("/users/{target_user_id}/tier")
backend/app/api/v1/admin_search.py
+4 -5
View File
@@ -181,9 +181,8 @@ async def test_provider(
return {"success": False, "error": str(e)}
from app.core.utils import validate_uuid
def _validate_uuid(uuid_str: str):
import uuid
try:
uuid.UUID(uuid_str)
except ValueError:
raise HTTPException(status_code=400, detail="Invalid UUID")
validate_uuid(uuid_str)
backend/app/api/v1/auth.py
+40 -3
View File
@@ -8,7 +8,7 @@ from app.database import get_db
from app.models.user import User
from app.core.security import hash_password, verify_password, create_access_token, create_refresh_token, decode_token
from app.core.csrf import require_csrf_token
from pydantic import BaseModel, EmailStr
from pydantic import BaseModel, EmailStr, field_validator
from datetime import datetime, timedelta
from app.services.admin import AdminService
from app.models.subscription import Subscription
@@ -40,6 +40,13 @@ class LoginRequest(BaseModel):
phone: str = ""
password: str
@field_validator('password')
@classmethod
def validate_password(cls, v: str) -> str:
if len(v) < 6:
raise ValueError('Password must be at least 6 characters')
return v
class RefreshRequest(BaseModel):
refresh_token: str
@@ -146,6 +153,37 @@ async def login(
@router.post("/login/guest")
async def guest_login(request: Request, db: AsyncSession = Depends(get_db)):
# Rate limiting: max 5 guest logins per IP per 15 minutes
from app.core.redis import get_redis
import time
client_ip = request.client.host if request.client else "unknown"
cache_key = f"guest_login:{client_ip}"
try:
redis_client = await get_redis()
now = int(time.time())
window = 900 # 15 minutes
limit = 5
# Get count of logins in current window
count = await redis_client.get(cache_key)
if count and int(count) >= limit:
raise HTTPException(
status_code=429,
detail="Too many guest login attempts. Please try again later or register an account."
)
# Increment counter
pipe = redis_client.pipeline()
pipe.incr(cache_key)
pipe.expire(cache_key, window)
await pipe.execute()
except Exception:
# If Redis is down, proceed without rate limiting
pass
guest_id = str(uuid.uuid4())
access_token = create_access_token(
{"sub": guest_id, "tier": "guest", "role": "guest", "is_guest": True},
@@ -153,8 +191,7 @@ async def guest_login(request: Request, db: AsyncSession = Depends(get_db)):
)
refresh_token = create_refresh_token({"sub": guest_id, "is_guest": True})
client_ip = request.client.host if request.client else None
await AdminService(db).log_usage(guest_id, "user.login_guest", {}, ip=client_ip)
await AdminService(db).log_usage(guest_id, "user.login_guest", {})
return LoginResponse(
access_token=access_token,
backend/app/api/v1/customer.py
+15 -4
View File
@@ -136,6 +136,8 @@ async def delete_customer(
return {"message": "Customer deleted"}
MAX_UPLOAD_SIZE = 10 * 1024 * 1024 # 10MB
@router.post("/import")
async def import_customers(
file: UploadFile = File(...),
@@ -144,8 +146,17 @@ async def import_customers(
):
from app.workers.tasks import process_customer_import
content = await file.read()
filename = file.filename or ""
filename = file.filename or "unknown"
file_size = 0
content = b""
while True:
chunk = await file.read(8192)
if not chunk:
break
file_size += len(chunk)
if file_size > MAX_UPLOAD_SIZE:
raise HTTPException(status_code=413, detail=f"File too large. Max {MAX_UPLOAD_SIZE // (1024*1024)}MB")
content += chunk
if filename.endswith(".xlsx"):
records, parse_errors = import_service.parse_xlsx(content)
@@ -155,7 +166,7 @@ async def import_customers(
raise HTTPException(status_code=400, detail="Unsupported file format. Use .xlsx or .csv")
if parse_errors and not records:
raise HTTPException(status_code=400, detail=f"Parse failed: {'; '.join(parse_errors)}")
raise HTTPException(status_code=400, detail="Parse failed. Check file format.")
valid, validation_errors = import_service.validate_records(records)
all_errors = parse_errors + validation_errors
@@ -167,7 +178,7 @@ async def import_customers(
await svc.create_customer(user_id, record)
imported_count += 1
except Exception as e:
all_errors.append(f"Import failed for {record.get('name', 'unknown')}: {str(e)}")
all_errors.append(f"Import failed for row: {str(e)}")
return {
"imported": imported_count,
backend/app/api/v1/discovery.py
+8 -4
View File
@@ -32,7 +32,8 @@ async def search_leads(req: SearchRequest, db: AsyncSession = Depends(get_db)):
result = await svc.search(req.product_description, req.target_market)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"搜索失败: {str(e)}")
logger.error(f"Search failed: {e}")
raise HTTPException(status_code=500, detail="搜索失败,请稍后重试")
@router.post("/analyze")
@@ -46,7 +47,8 @@ async def analyze_company(req: AnalyzeRequest):
result = await svc.analyze(req.company_url, req.product_description)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"分析失败: {str(e)}")
logger.error(f"Analysis failed: {e}")
raise HTTPException(status_code=500, detail="分析失败,请稍后重试")
@router.post("/outreach")
@@ -57,7 +59,9 @@ async def generate_outreach(req: OutreachRequest):
raise HTTPException(status_code=400, detail="请填写产品名称")
svc = DiscoveryService()
try:
result = await svc.outreach(req.company, req.product)
result = await svc.generate_outreach(req.company, req.product)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"生成失败: {str(e)}")
logger.error(f"Outreach generation failed: {e}")
raise HTTPException(status_code=500, detail="生成失败,请稍后重试")
backend/app/api/v1/marketing.py
+8 -8
View File
@@ -67,10 +67,10 @@ async def generate_marketing(
@router.post("/keywords")
async def generate_keywords(data: KeywordsRequest, authorization: str = Header(None)):
if not authorization:
raise HTTPException(status_code=401, detail="Missing token")
async def generate_keywords(
data: KeywordsRequest,
user_id: str = Depends(get_current_user_id),
):
service = MarketingService()
product_info = {
"name": data.product_name,
@@ -83,10 +83,10 @@ async def generate_keywords(data: KeywordsRequest, authorization: str = Header(N
@router.post("/competitor-analysis")
async def competitor_analysis(data: CompetitorRequest, authorization: str = Header(None)):
if not authorization:
raise HTTPException(status_code=401, detail="Missing token")
async def competitor_analysis(
data: CompetitorRequest,
user_id: str = Depends(get_current_user_id),
):
service = MarketingService()
product_info = {
"name": data.product_name,
backend/app/api/v1/product.py
+17 -2
View File
@@ -100,9 +100,24 @@ async def import_products(
user_id: str = Depends(get_current_user_id),
db: AsyncSession = Depends(get_db),
):
from app.services.product import ProductService
MAX_UPLOAD_SIZE = 10 * 1024 * 1024 # 10MB
filename = file.filename or "unknown"
file_size = 0
content = b""
while True:
chunk = await file.read(8192)
if not chunk:
break
file_size += len(chunk)
if file_size > MAX_UPLOAD_SIZE:
raise HTTPException(status_code=413, detail=f"File too large. Max {MAX_UPLOAD_SIZE // (1024*1024)}MB")
content += chunk
service = ProductService(db)
content = await file.read()
filename = file.filename.lower()
filename_lower = filename.lower()
if filename.endswith(".xlsx"):
if not HAS_OPENPYXL:
backend/app/api/v1/whatsapp.py
+2
View File
@@ -38,6 +38,8 @@ async def handle_webhook(
if x_hub_signature_256:
if not svc.verify_signature(body, x_hub_signature_256):
raise HTTPException(status_code=403, detail="Invalid signature")
else:
raise HTTPException(status_code=403, detail="Missing signature")
import json
body_json = json.loads(body)
backend/app/core/utils.py
+27
View File
@@ -0,0 +1,27 @@
"""Shared utility functions"""
import uuid
from typing import Any
def validate_uuid(value: str) -> str:
"""Validate UUID format and return the value"""
try:
uuid.UUID(value)
return value
except ValueError:
raise ValueError(f"Invalid UUID format: {value}")
def truncate_string(value: str, max_length: int = 100) -> str:
"""Truncate string to specified length"""
if len(value) <= max_length:
return value
return value[:max_length]
def sanitize_for_logging(value: str) -> str:
"""Sanitize string for logging (remove sensitive info)"""
# Remove common sensitive patterns
import re
value = re.sub(r'[^a-zA-Z0-9\s\-_.,:;!?\'"]', '', value)
return value[:200] # Limit length for log safety
backend/app/services/import_service.py
+10 -1
View File
@@ -22,18 +22,27 @@ OPTIONAL_COLUMNS = {
class ImportService:
MAX_ROWS = 10000
@staticmethod
def parse_xlsx(file_bytes: bytes) -> Tuple[List[Dict[str, Any]], List[str]]:
if not HAS_OPENPYXL:
return [], ["openpyxl not installed"]
try:
wb = openpyxl.load_workbook(io.BytesIO(file_bytes), read_only=True)
# Validate magic bytes for XLSX
if len(file_bytes) < 4 or file_bytes[:4] != b'PK\x03\x04':
return [], ["Invalid XLSX file format"]
wb = openpyxl.load_workbook(io.BytesIO(file_bytes), read_only=True, data_only=True)
ws = wb.active
rows = list(ws.iter_rows(values_only=True))
if not rows:
return [], ["Empty file"]
if len(rows) > ImportService.MAX_ROWS + 1:
return [], [f"File too large. Max {ImportService.MAX_ROWS} data rows"]
headers = [str(h).strip().lower() if h else "" for h in rows[0]]
missing = REQUIRED_COLUMNS - set(headers)
if missing:
backend/app/services/search_web.py
+25
View File
@@ -56,6 +56,31 @@ async def _google_cse(query: str, max_results: int, api_key: str, cse_id: str) -
async def fetch_page_text(url: str) -> Optional[str]:
# Validate URL to prevent SSRF
from urllib.parse import urlparse
import ipaddress
try:
parsed = urlparse(url)
if parsed.scheme not in ('http', 'https'):
logger.warning(f"Invalid URL scheme: {url}")
return None
# Check if hostname is an IP address and block private/reserved ranges
hostname = parsed.hostname
if hostname:
try:
ip = ipaddress.ip_address(hostname)
if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local:
logger.warning(f"Blocked private/reserved IP: {url}")
return None
except ValueError:
# Not an IP address, it's a hostname - proceed normally
pass
except Exception as e:
logger.warning(f"URL validation failed for {url}: {e}")
return None
try:
async with httpx.AsyncClient(timeout=10.0, follow_redirects=True) as client:
resp = await client.get(url, headers={"User-Agent": "Mozilla/5.0"})
backend/app/services/translation.py
-3
View File
@@ -50,9 +50,6 @@ class TranslationService:
preference_context: Optional[str] = None,
) -> List[Dict[str, Any]]:
similar = await self.corpus.find_similar(inquiry, "reply")
if similar and count > 1:
pass
results = []
tones = self._get_tones(tone, count)
user-frontend/package-lock.json
Generated
+50 -2
View File
@@ -1,11 +1,11 @@
{
"name": "trademate-admin",
"name": "trademate-user",
"version": "1.0.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "trademate-admin",
"name": "trademate-user",
"version": "1.0.0",
"dependencies": {
"@element-plus/icons-vue": "^2.3.1",
@@ -18,6 +18,7 @@
},
"devDependencies": {
"@vitejs/plugin-vue": "^5.2.1",
"playwright": "^1.60.0",
"vite": "^6.0.7"
}
},
@@ -1706,6 +1707,53 @@
}
}
},
"node_modules/playwright": {
"version": "1.60.0",
"resolved": "https://registry.npmmirror.com/playwright/-/playwright-1.60.0.tgz",
"integrity": "sha512-hheHdokM8cdqCb0lcE3s+zT4t4W+vvjpGxsZlDnikarzx8tSzMebh3UiFtgqwFwnTnjYQcsyMF8ei2mCO/tpeA==",
"dev": true,
"license": "Apache-2.0",
"dependencies": {
"playwright-core": "1.60.0"
},
"bin": {
"playwright": "cli.js"
},
"engines": {
"node": ">=18"
},
"optionalDependencies": {
"fsevents": "2.3.2"
}
},
"node_modules/playwright-core": {
"version": "1.60.0",
"resolved": "https://registry.npmmirror.com/playwright-core/-/playwright-core-1.60.0.tgz",
"integrity": "sha512-9bW6zvX/m0lEbgTKJ6YppOKx8H3VOPBMOCFh2irXFOT4BbHgrx5hPjwJYLT40Lu+4qtD36qKc/Hn56StUW57IA==",
"dev": true,
"license": "Apache-2.0",
"bin": {
"playwright-core": "cli.js"
},
"engines": {
"node": ">=18"
}
},
"node_modules/playwright/node_modules/fsevents": {
"version": "2.3.2",
"resolved": "https://registry.npmmirror.com/fsevents/-/fsevents-2.3.2.tgz",
"integrity": "sha512-xiqMQR4xAeHTuB9uWm+fFRcIOgKBMiOBP+eXiyT7jsgVCq1bkVygt00oASowB7EdtpOHaaPgKt812P9ab+DDKA==",
"dev": true,
"hasInstallScript": true,
"license": "MIT",
"optional": true,
"os": [
"darwin"
],
"engines": {
"node": "^8.16.0 || ^10.6.0 || >=11.0.0"
}
},
"node_modules/postcss": {
"version": "8.5.15",
"resolved": "https://registry.npmmirror.com/postcss/-/postcss-8.5.15.tgz",
user-frontend/package.json
+5 -4
View File
@@ -9,16 +9,17 @@
"preview": "vite preview"
},
"dependencies": {
"vue": "^3.5.13",
"vue-router": "^4.5.0",
"element-plus": "^2.9.1",
"@element-plus/icons-vue": "^2.3.1",
"axios": "^1.7.9",
"dayjs": "^1.11.13",
"element-plus": "^2.9.1",
"pinia": "^2.3.0",
"dayjs": "^1.11.13"
"vue": "^3.5.13",
"vue-router": "^4.5.0"
},
"devDependencies": {
"@vitejs/plugin-vue": "^5.2.1",
"playwright": "^1.60.0",
"vite": "^6.0.7"
}
}
user-frontend/src/views/Workspace.vue
+3 -3
View File
@@ -129,13 +129,13 @@
<el-table :data="planData" border>
<el-table-column label="功能" prop="feature" width="140" />
<el-table-column label="免费版" width="160">
<template #default="{ row }"><span v-html="row.free" /></template>
<template #default="{ row }"><span>{{ row.free }}</span></template>
</el-table-column>
<el-table-column label="Pro ¥99/月" width="160">
<template #default="{ row }"><span v-html="row.pro" /></template>
<template #default="{ row }"><span>{{ row.pro }}</span></template>
</el-table-column>
<el-table-column label="企业 ¥399/月" width="160">
<template #default="{ row }"><span v-html="row.enterprise" /></template>
<template #default="{ row }"><span>{{ row.enterprise }}</span></template>
</el-table-column>
</el-table>
<div style="text-align:center;margin-top:20px">