Harden auth, CSRF, and email log UX

2025-12-26 19:05:20 +08:00
parent 3214cbbd91
commit f90b0a4f11
47 changed files with 583 additions and 198 deletions
--- a/services/proxy.py
+++ b/services/proxy.py
@@ -9,6 +9,7 @@ from typing import Optional
 import requests

 from app_logger import get_logger
+from app_security import is_safe_outbound_url

 logger = get_logger("proxy")

@@ -34,6 +35,10 @@ def get_proxy_from_api(api_url: str, max_retries: int = 3) -> Optional[str]:
    ip_port_pattern = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}:\d{1,5}$")
    max_retries = max(1, int(max_retries or 1))

+    if not is_safe_outbound_url(api_url):
+        logger.warning("代理API地址不可用或不安全，已拒绝请求")
+        return None
+
    for attempt in range(max_retries):
        try:
            response = requests.get(api_url, timeout=10)
@@ -74,4 +79,3 @@ def get_proxy_from_api(api_url: str, max_retries: int = 3) -> Optional[str]:

    logger.warning(f"获取代理失败，已重试 {max_retries} 次，将不使用代理继续")
    return None
-