alai-dev/trade-assistant
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: security and code quality improvements

Browse Source 
Security fixes:
- Add file upload size limits (10MB) for customer and product imports
- Add XLSX file validation with row limits and magic byte checking
- Implement password validation (min 6 chars) in registration
- Add rate limiting for guest login (5 per IP per 15 minutes)
- Sanitize error messages to prevent information leakage
- Fix XSS vulnerability by removing unsafe v-html usage
- Enforce WhatsApp webhook signature verification
- Add SSRF protection with URL validation and IP blocking
- Fix marketing endpoints to use proper authentication

Code quality improvements:
- Create shared utility functions for UUID validation and string sanitization
- Remove duplicate UUID validation code from admin modules
- Remove dead code (pass statement in translation.py)
- Fix aliyun SDK import compatibility
This commit is contained in:
TradeMate Dev
2026-06-11 17:54:07 +08:00
parent d2736d1ef6
commit 13e3992d4c
18 changed files with 272 additions and 48 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/v1/whatsapp.py
+2
View File
@@ -38,6 +38,8 @@ async def handle_webhook(
if x_hub_signature_256:
if not svc.verify_signature(body, x_hub_signature_256):
raise HTTPException(status_code=403, detail="Invalid signature")
else:
raise HTTPException(status_code=403, detail="Missing signature")
import json
body_json = json.loads(body)