alai-dev/trade-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security and code quality improvements

Browse Source 
Security fixes:
- Add file upload size limits (10MB) for customer and product imports
- Add XLSX file validation with row limits and magic byte checking
- Implement password validation (min 6 chars) in registration
- Add rate limiting for guest login (5 per IP per 15 minutes)
- Sanitize error messages to prevent information leakage
- Fix XSS vulnerability by removing unsafe v-html usage
- Enforce WhatsApp webhook signature verification
- Add SSRF protection with URL validation and IP blocking
- Fix marketing endpoints to use proper authentication

Code quality improvements:
- Create shared utility functions for UUID validation and string sanitization
- Remove duplicate UUID validation code from admin modules
- Remove dead code (pass statement in translation.py)
- Fix aliyun SDK import compatibility
This commit is contained in:
TradeMate Dev
2026-06-11 17:54:07 +08:00
parent d2736d1ef6
commit 13e3992d4c
18 changed files with 272 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/v1/discovery.py
+8 -4
View File
@@ -32,7 +32,8 @@ async def search_leads(req: SearchRequest, db: AsyncSession = Depends(get_db)):
result = await svc.search(req.product_description, req.target_market)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"搜索失败: {str(e)}")
logger.error(f"Search failed: {e}")
raise HTTPException(status_code=500, detail="搜索失败,请稍后重试")
@router.post("/analyze")
@@ -46,7 +47,8 @@ async def analyze_company(req: AnalyzeRequest):
result = await svc.analyze(req.company_url, req.product_description)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"分析失败: {str(e)}")
logger.error(f"Analysis failed: {e}")
raise HTTPException(status_code=500, detail="分析失败,请稍后重试")
@router.post("/outreach")
@@ -57,7 +59,9 @@ async def generate_outreach(req: OutreachRequest):
raise HTTPException(status_code=400, detail="请填写产品名称")
svc = DiscoveryService()
try:
result = await svc.outreach(req.company, req.product)
result = await svc.generate_outreach(req.company, req.product)
return {"success": True, "data": result}
except Exception as e:
raise HTTPException(status_code=500, detail=f"生成失败: {str(e)}")
logger.error(f"Outreach generation failed: {e}")
raise HTTPException(status_code=500, detail="生成失败,请稍后重试")