alai-dev/trade-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security and code quality improvements

Browse Source 
Security fixes:
- Add file upload size limits (10MB) for customer and product imports
- Add XLSX file validation with row limits and magic byte checking
- Implement password validation (min 6 chars) in registration
- Add rate limiting for guest login (5 per IP per 15 minutes)
- Sanitize error messages to prevent information leakage
- Fix XSS vulnerability by removing unsafe v-html usage
- Enforce WhatsApp webhook signature verification
- Add SSRF protection with URL validation and IP blocking
- Fix marketing endpoints to use proper authentication

Code quality improvements:
- Create shared utility functions for UUID validation and string sanitization
- Remove duplicate UUID validation code from admin modules
- Remove dead code (pass statement in translation.py)
- Fix aliyun SDK import compatibility
This commit is contained in:
TradeMate Dev
2026-06-11 17:54:07 +08:00
parent d2736d1ef6
commit 13e3992d4c
18 changed files with 272 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/v1/customer.py
+15 -4
View File
@@ -136,6 +136,8 @@ async def delete_customer(
return {"message": "Customer deleted"}
MAX_UPLOAD_SIZE = 10 * 1024 * 1024 # 10MB
@router.post("/import")
async def import_customers(
file: UploadFile = File(...),
@@ -144,8 +146,17 @@ async def import_customers(
):
from app.workers.tasks import process_customer_import
content = await file.read()
filename = file.filename or ""
filename = file.filename or "unknown"
file_size = 0
content = b""
while True:
chunk = await file.read(8192)
if not chunk:
break
file_size += len(chunk)
if file_size > MAX_UPLOAD_SIZE:
raise HTTPException(status_code=413, detail=f"File too large. Max {MAX_UPLOAD_SIZE // (1024*1024)}MB")
content += chunk
if filename.endswith(".xlsx"):
records, parse_errors = import_service.parse_xlsx(content)
@@ -155,7 +166,7 @@ async def import_customers(
raise HTTPException(status_code=400, detail="Unsupported file format. Use .xlsx or .csv")
if parse_errors and not records:
raise HTTPException(status_code=400, detail=f"Parse failed: {'; '.join(parse_errors)}")
raise HTTPException(status_code=400, detail="Parse failed. Check file format.")
valid, validation_errors = import_service.validate_records(records)
all_errors = parse_errors + validation_errors
@@ -167,7 +178,7 @@ async def import_customers(
await svc.create_customer(user_id, record)
imported_count += 1
except Exception as e:
all_errors.append(f"Import failed for {record.get('name', 'unknown')}: {str(e)}")
all_errors.append(f"Import failed for row: {str(e)}")
return {
"imported": imported_count,