fix: security and code quality improvements

Security fixes: - Add file upload size limits (10MB) for customer and product imports - Add XLSX file validation with row limits and magic byte checking - Implement password validation (min 6 chars) in registration - Add rate limiting for guest login (5 per IP per 15 minutes) - Sanitize error messages to prevent information leakage - Fix XSS vulnerability by removing unsafe v-html usage - Enforce WhatsApp webhook signature verification - Add SSRF protection with URL validation and IP blocking - Fix marketing endpoints to use proper authentication Code quality improvements: - Create shared utility functions for UUID validation and string sanitization - Remove duplicate UUID validation code from admin modules - Remove dead code (pass statement in translation.py) - Fix aliyun SDK import compatibility
2026-06-11 17:54:07 +08:00
parent d2736d1ef6
commit 13e3992d4c
18 changed files with 272 additions and 48 deletions
@@ -41,11 +41,11 @@ async def list_users(
    return await service.list_users(page, size, role)


+from app.core.utils import validate_uuid
+
+
 def _validate_uuid(user_id: str):
-    try:
-        uuid.UUID(user_id)
-    except ValueError:
-        raise HTTPException(status_code=400, detail="Invalid user ID format")
+    validate_uuid(user_id)


@router.patch("/users/{target_user_id}/tier")
@@ -181,9 +181,8 @@ async def test_provider(
        return {"success": False, "error": str(e)}


+from app.core.utils import validate_uuid
+
+
 def _validate_uuid(uuid_str: str):
-    import uuid
-    try:
-        uuid.UUID(uuid_str)
-    except ValueError:
-        raise HTTPException(status_code=400, detail="Invalid UUID")
+    validate_uuid(uuid_str)
@@ -8,7 +8,7 @@ from app.database import get_db
 from app.models.user import User
 from app.core.security import hash_password, verify_password, create_access_token, create_refresh_token, decode_token
 from app.core.csrf import require_csrf_token
-from pydantic import BaseModel, EmailStr
+from pydantic import BaseModel, EmailStr, field_validator
 from datetime import datetime, timedelta
 from app.services.admin import AdminService
 from app.models.subscription import Subscription
@@ -40,6 +40,13 @@ class LoginRequest(BaseModel):
    phone: str = ""
    password: str

+    @field_validator('password')
+    @classmethod
+    def validate_password(cls, v: str) -> str:
+        if len(v) < 6:
+            raise ValueError('Password must be at least 6 characters')
+        return v
+

 class RefreshRequest(BaseModel):
    refresh_token: str
@@ -146,6 +153,37 @@ async def login(

@router.post("/login/guest")
 async def guest_login(request: Request, db: AsyncSession = Depends(get_db)):
+    # Rate limiting: max 5 guest logins per IP per 15 minutes
+    from app.core.redis import get_redis
+    import time
+    
+    client_ip = request.client.host if request.client else "unknown"
+    cache_key = f"guest_login:{client_ip}"
+    
+    try:
+        redis_client = await get_redis()
+        now = int(time.time())
+        window = 900  # 15 minutes
+        limit = 5
+        
+        # Get count of logins in current window
+        count = await redis_client.get(cache_key)
+        if count and int(count) >= limit:
+            raise HTTPException(
+                status_code=429,
+                detail="Too many guest login attempts. Please try again later or register an account."
+            )
+        
+        # Increment counter
+        pipe = redis_client.pipeline()
+        pipe.incr(cache_key)
+        pipe.expire(cache_key, window)
+        await pipe.execute()
+        
+    except Exception:
+        # If Redis is down, proceed without rate limiting
+        pass
+    
    guest_id = str(uuid.uuid4())
    access_token = create_access_token(
        {"sub": guest_id, "tier": "guest", "role": "guest", "is_guest": True},
@@ -153,8 +191,7 @@ async def guest_login(request: Request, db: AsyncSession = Depends(get_db)):
    )
    refresh_token = create_refresh_token({"sub": guest_id, "is_guest": True})
    
-    client_ip = request.client.host if request.client else None
-    await AdminService(db).log_usage(guest_id, "user.login_guest", {}, ip=client_ip)
+    await AdminService(db).log_usage(guest_id, "user.login_guest", {})

    return LoginResponse(
        access_token=access_token,
@@ -136,6 +136,8 @@ async def delete_customer(
    return {"message": "Customer deleted"}


+MAX_UPLOAD_SIZE = 10 * 1024 * 1024  # 10MB
+
@router.post("/import")
 async def import_customers(
    file: UploadFile = File(...),
@@ -144,8 +146,17 @@ async def import_customers(
 ):
    from app.workers.tasks import process_customer_import

-    content = await file.read()
-    filename = file.filename or ""
+    filename = file.filename or "unknown"
+    file_size = 0
+    content = b""
+    while True:
+        chunk = await file.read(8192)
+        if not chunk:
+            break
+        file_size += len(chunk)
+        if file_size > MAX_UPLOAD_SIZE:
+            raise HTTPException(status_code=413, detail=f"File too large. Max {MAX_UPLOAD_SIZE // (1024*1024)}MB")
+        content += chunk

    if filename.endswith(".xlsx"):
        records, parse_errors = import_service.parse_xlsx(content)
@@ -155,7 +166,7 @@ async def import_customers(
        raise HTTPException(status_code=400, detail="Unsupported file format. Use .xlsx or .csv")

    if parse_errors and not records:
-        raise HTTPException(status_code=400, detail=f"Parse failed: {'; '.join(parse_errors)}")
+        raise HTTPException(status_code=400, detail="Parse failed. Check file format.")

    valid, validation_errors = import_service.validate_records(records)
    all_errors = parse_errors + validation_errors
@@ -167,7 +178,7 @@ async def import_customers(
            await svc.create_customer(user_id, record)
            imported_count += 1
        except Exception as e:
-            all_errors.append(f"Import failed for {record.get('name', 'unknown')}: {str(e)}")
+            all_errors.append(f"Import failed for row: {str(e)}")

    return {
        "imported": imported_count,
@@ -32,7 +32,8 @@ async def search_leads(req: SearchRequest, db: AsyncSession = Depends(get_db)):
        result = await svc.search(req.product_description, req.target_market)
        return {"success": True, "data": result}
    except Exception as e:
-        raise HTTPException(status_code=500, detail=f"搜索失败: {str(e)}")
+        logger.error(f"Search failed: {e}")
+        raise HTTPException(status_code=500, detail="搜索失败，请稍后重试")


@router.post("/analyze")
@@ -46,7 +47,8 @@ async def analyze_company(req: AnalyzeRequest):
        result = await svc.analyze(req.company_url, req.product_description)
        return {"success": True, "data": result}
    except Exception as e:
-        raise HTTPException(status_code=500, detail=f"分析失败: {str(e)}")
+        logger.error(f"Analysis failed: {e}")
+        raise HTTPException(status_code=500, detail="分析失败，请稍后重试")


@router.post("/outreach")
@@ -57,7 +59,9 @@ async def generate_outreach(req: OutreachRequest):
        raise HTTPException(status_code=400, detail="请填写产品名称")
    svc = DiscoveryService()
    try:
-        result = await svc.outreach(req.company, req.product)
+        result = await svc.generate_outreach(req.company, req.product)
        return {"success": True, "data": result}
    except Exception as e:
-        raise HTTPException(status_code=500, detail=f"生成失败: {str(e)}")
+        logger.error(f"Outreach generation failed: {e}")
+        raise HTTPException(status_code=500, detail="生成失败，请稍后重试")
+
@@ -67,10 +67,10 @@ async def generate_marketing(


@router.post("/keywords")
-async def generate_keywords(data: KeywordsRequest, authorization: str = Header(None)):
-    if not authorization:
-        raise HTTPException(status_code=401, detail="Missing token")
-
+async def generate_keywords(
+    data: KeywordsRequest,
+    user_id: str = Depends(get_current_user_id),
+):
    service = MarketingService()
    product_info = {
        "name": data.product_name,
@@ -83,10 +83,10 @@ async def generate_keywords(data: KeywordsRequest, authorization: str = Header(N


@router.post("/competitor-analysis")
-async def competitor_analysis(data: CompetitorRequest, authorization: str = Header(None)):
-    if not authorization:
-        raise HTTPException(status_code=401, detail="Missing token")
-
+async def competitor_analysis(
+    data: CompetitorRequest,
+    user_id: str = Depends(get_current_user_id),
+):
    service = MarketingService()
    product_info = {
        "name": data.product_name,
@@ -100,9 +100,24 @@ async def import_products(
    user_id: str = Depends(get_current_user_id),
    db: AsyncSession = Depends(get_db),
 ):
+    from app.services.product import ProductService
+
+    MAX_UPLOAD_SIZE = 10 * 1024 * 1024  # 10MB
+
+    filename = file.filename or "unknown"
+    file_size = 0
+    content = b""
+    while True:
+        chunk = await file.read(8192)
+        if not chunk:
+            break
+        file_size += len(chunk)
+        if file_size > MAX_UPLOAD_SIZE:
+            raise HTTPException(status_code=413, detail=f"File too large. Max {MAX_UPLOAD_SIZE // (1024*1024)}MB")
+        content += chunk
+
    service = ProductService(db)
-    content = await file.read()
-    filename = file.filename.lower()
+    filename_lower = filename.lower()

    if filename.endswith(".xlsx"):
        if not HAS_OPENPYXL:
@@ -38,6 +38,8 @@ async def handle_webhook(
    if x_hub_signature_256:
        if not svc.verify_signature(body, x_hub_signature_256):
            raise HTTPException(status_code=403, detail="Invalid signature")
+    else:
+        raise HTTPException(status_code=403, detail="Missing signature")

    import json
    body_json = json.loads(body)