安全修复: 收敛认证与日志风险并补充基础测试

2026-02-16 00:34:52 +08:00
parent 7627885b1b
commit 7d42f96e42
12 changed files with 163 additions and 50 deletions
--- a/db/users.py
+++ b/db/users.py
@@ -21,6 +21,10 @@ logger = get_logger(__name__)

 _CST_TZ = pytz.timezone("Asia/Shanghai")
 _PERMANENT_VIP_EXPIRE = "2099-12-31 23:59:59"
+_USER_LOOKUP_SQL = {
+    "id": "SELECT * FROM users WHERE id = ?",
+    "username": "SELECT * FROM users WHERE username = ?",
+}


 def _row_to_dict(row):
@@ -28,9 +32,12 @@ def _row_to_dict(row):


 def _get_user_by_field(field_name: str, field_value):
+    query_sql = _USER_LOOKUP_SQL.get(str(field_name or ""))
+    if not query_sql:
+        raise ValueError(f"unsupported user lookup field: {field_name}")
    with db_pool.get_db() as conn:
        cursor = conn.cursor()
-        cursor.execute(f"SELECT * FROM users WHERE {field_name} = ?", (field_value,))
+        cursor.execute(query_sql, (field_value,))
        return _row_to_dict(cursor.fetchone())