fix(security): 修复CC防火墙逻辑并优化用户IP检测

csfwff · csfwff · commit 15f30d414f34 · 2025-12-26T16:51:55.000+08:00
- 移除了过时的注释代码块
- 添加了UserCache依赖用于IP用户检测
- 实现了基于用户状态的动态阈值控制
- 修复了计数器输出的日志信息显示
diff --git a/src/main/java/org/b3log/symphony/processor/BeforeRequestHandler.java b/src/main/java/org/b3log/symphony/processor/BeforeRequestHandler.java
@@ -96,23 +96,6 @@ public void handle(final RequestContext context) {
             return;
         }
 
-        /*try {
-            String method = context.getRequest().getMethod();
-            String uri = context.getRequest().getRequestURI();
-            String ip = Requests.getRemoteAddr(context.getRequest());
-            String union = ip + " " + method + " " + uri;
-            if (!whiteList.contains(ip)) {
-                if (!antiCCLimiter.access(union)) {
-                    context.sendStatus(503);
-                    return;
-                }
-            }
-        } catch (Exception e) {
-            e.printStackTrace();
-            context.sendStatus(503);
-            return;
-        }*/
-
         Locales.setLocale(Latkes.getLocale());
 
         Sessions.setTemplateDir(Symphonys.SKIN_DIR_NAME);
diff --git a/src/main/java/org/b3log/symphony/util/Firewall.java b/src/main/java/org/b3log/symphony/util/Firewall.java
@@ -23,6 +23,7 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 import org.b3log.latke.util.Execs;
+import org.b3log.symphony.cache.UserCache;
 
 import java.util.Map;
 import java.util.Set;
@@ -84,6 +85,7 @@ public static boolean recordAndMaybeBan(final String ip) {
         }
 
         final long nowBucket = System.currentTimeMillis() / WINDOW_MILLIS;
+        final int effectiveThreshold = UserCache.hasUserByIP(ip) ? threshold : Math.min(threshold, 250);
         final Counter counter = COUNTERS.compute(ip, (key, existing) -> {
             if (existing == null || existing.bucket != nowBucket) {
                 return new Counter(nowBucket, 1);
@@ -97,7 +99,7 @@ public static boolean recordAndMaybeBan(final String ip) {
             cleanupOldBuckets(nowBucket);
         }
 
-        if (counter.count.sum() > threshold && BANNED.add(ip)) {
+        if (counter.count.sum() > effectiveThreshold && BANNED.add(ip)) {
             // Run ban asynchronously on a virtual thread to keep request path light.
             Thread.startVirtualThread(() -> {
                 try {
@@ -110,7 +112,7 @@ public static boolean recordAndMaybeBan(final String ip) {
             return false;
         }
 
-        System.out.println("CC firewall allowed " + ip + " [" + counter.count + "]");
+        System.out.println("CC firewall allowed " + ip + " [" + counter.count.sum() + "]");
 
         return !BANNED.contains(ip);
     }
