fix: harden cloud storage security

2026-06-13 18:45:12 +08:00
parent 7943b04ee2
commit bb6ad01018
28 changed files with 2229 additions and 996 deletions
--- a/backend/tests/boundary-tests.js
+++ b/backend/tests/boundary-tests.js
@@ -473,7 +473,7 @@ function testLocalStoragePath() {
    return fullPath;
  }

-  const basePath = '/tmp/storage/user_1';
+  const basePath = path.join(path.resolve('/tmp'), 'storage', 'user_1');

  test('正常相对路径应该被接受', () => {
    const result = getFullPath(basePath, 'documents/file.txt');
@@ -703,7 +703,7 @@ function testDatabaseFieldWhitelist() {
  const ALLOWED_FIELDS = [
    'username', 'email', 'password',
    'oss_provider', 'oss_region', 'oss_access_key_id', 'oss_access_key_secret', 'oss_bucket', 'oss_endpoint',
-    'upload_api_key', 'is_admin', 'is_active', 'is_banned', 'has_oss_config',
+    'upload_api_key', 'is_active', 'is_banned', 'has_oss_config',
    'is_verified', 'verification_token', 'verification_expires_at',
    'storage_permission', 'current_storage_type', 'local_storage_quota', 'local_storage_used',
    'theme_preference'
@@ -730,14 +730,14 @@ function testDatabaseFieldWhitelist() {
    const updates = {
      username: 'newname',
      id: 999,  // 尝试修改 ID
-      is_admin: 1,  // 合法字段
+      is_admin: 1,  // 权限字段不允许通过通用更新入口修改
      sql_injection: "'; DROP TABLE users; --"  // 非法字段
    };
    const filtered = filterUpdates(updates);
    assert.ok(!('id' in filtered));
+    assert.ok(!('is_admin' in filtered));
    assert.ok(!('sql_injection' in filtered));
    assert.strictEqual(filtered.username, 'newname');
-    assert.strictEqual(filtered.is_admin, 1);
  });

  test('原型污染尝试应该被阻止', () => {