fix: security and code quality improvements

Security fixes:
- Add file upload size limits (10MB) for customer and product imports
- Add XLSX file validation with row limits and magic byte checking
- Implement password validation (min 6 chars) in registration
- Add rate limiting for guest login (5 per IP per 15 minutes)
- Sanitize error messages to prevent information leakage
- Fix XSS vulnerability by removing unsafe v-html usage
- Enforce WhatsApp webhook signature verification
- Add SSRF protection with URL validation and IP blocking
- Fix marketing endpoints to use proper authentication

Code quality improvements:
- Create shared utility functions for UUID validation and string sanitization
- Remove duplicate UUID validation code from admin modules
- Remove dead code (pass statement in translation.py)
- Fix aliyun SDK import compatibility

backend/app/services/import_service.py

@@ -22,18 +22,27 @@ OPTIONAL_COLUMNS = {
 
 
 class ImportService:
+    MAX_ROWS = 10000
+
     @staticmethod
     def parse_xlsx(file_bytes: bytes) -> Tuple[List[Dict[str, Any]], List[str]]:
         if not HAS_OPENPYXL:
             return [], ["openpyxl not installed"]
 
         try:
-            wb = openpyxl.load_workbook(io.BytesIO(file_bytes), read_only=True)
+            # Validate magic bytes for XLSX
+            if len(file_bytes) < 4 or file_bytes[:4] != b'PK\x03\x04':
+                return [], ["Invalid XLSX file format"]
+
+            wb = openpyxl.load_workbook(io.BytesIO(file_bytes), read_only=True, data_only=True)
             ws = wb.active
             rows = list(ws.iter_rows(values_only=True))
             if not rows:
                 return [], ["Empty file"]
 
+            if len(rows) > ImportService.MAX_ROWS + 1:
+                return [], [f"File too large. Max {ImportService.MAX_ROWS} data rows"]
+
             headers = [str(h).strip().lower() if h else "" for h in rows[0]]
             missing = REQUIRED_COLUMNS - set(headers)
             if missing:

backend/app/services/search_web.py

@@ -56,6 +56,31 @@ async def _google_cse(query: str, max_results: int, api_key: str, cse_id: str) -
 
 
 async def fetch_page_text(url: str) -> Optional[str]:
+    # Validate URL to prevent SSRF
+    from urllib.parse import urlparse
+    import ipaddress
+    
+    try:
+        parsed = urlparse(url)
+        if parsed.scheme not in ('http', 'https'):
+            logger.warning(f"Invalid URL scheme: {url}")
+            return None
+        
+        # Check if hostname is an IP address and block private/reserved ranges
+        hostname = parsed.hostname
+        if hostname:
+            try:
+                ip = ipaddress.ip_address(hostname)
+                if ip.is_private or ip.is_loopback or ip.is_reserved or ip.is_link_local:
+                    logger.warning(f"Blocked private/reserved IP: {url}")
+                    return None
+            except ValueError:
+                # Not an IP address, it's a hostname - proceed normally
+                pass
+    except Exception as e:
+        logger.warning(f"URL validation failed for {url}: {e}")
+        return None
+    
     try:
         async with httpx.AsyncClient(timeout=10.0, follow_redirects=True) as client:
             resp = await client.get(url, headers={"User-Agent": "Mozilla/5.0"})

backend/app/services/translation.py

@@ -50,9 +50,6 @@ class TranslationService:
         preference_context: Optional[str] = None,
     ) -> List[Dict[str, Any]]:
         similar = await self.corpus.find_similar(inquiry, "reply")
-        if similar and count > 1:
-            pass
-
         results = []
         tones = self._get_tones(tone, count)