增强安全性

iwind · iwind · commit 005e25c1b885 · 2024-03-18T11:45:13.000+08:00
diff --git a/internal/configloaders/security_config.go b/internal/configloaders/security_config.go
@@ -88,6 +88,8 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		AllowLocal:             true,
 		CheckClientFingerprint: false,
 		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
 	}
 	err = json.Unmarshal(resp.ValueJSON, config)
 	if err != nil {
@@ -109,5 +111,7 @@ func defaultSecurityConfig() *systemconfigs.SecurityConfig {
 		AllowLocal:             true,
 		CheckClientFingerprint: false,
 		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
 	}
 }
diff --git a/internal/web/helpers/user_must_auth.go b/internal/web/helpers/user_must_auth.go
@@ -109,6 +109,12 @@ func NewUserMustAuth(module string) *userMustAuth {
 func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramName string) (goNext bool) {
 	var action = actionPtr.Object()
 
+	// 检查请求是否合法
+	if isEvilRequest(action.Request) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 恢复模式
 	if teaconst.IsRecoverMode {
 		action.RedirectURL("/recover")
diff --git a/internal/web/helpers/user_should_auth.go b/internal/web/helpers/user_should_auth.go
@@ -21,6 +21,12 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 
 	this.action = actionPtr.Object()
 
+	// 检查请求是否合法
+	if isEvilRequest(this.action.Request) {
+		this.action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 安全相关
 	var action = this.action
 	securityConfig, _ := configloaders.LoadSecurityConfig()
diff --git a/internal/web/helpers/utils.go b/internal/web/helpers/utils.go
@@ -1,6 +1,8 @@
 package helpers
 
 import (
+	"bytes"
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/events"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
@@ -155,3 +157,9 @@ func checkRequestSecurity(securityConfig *systemconfigs.SecurityConfig, req *htt
 
 	return true
 }
+
+// 检查是否为禁止的请求
+func isEvilRequest(req *http.Request) bool {
+	var headersJSON, _ = json.Marshal(req.Header)
+	return bytes.Contains(headersJSON, []byte("fofa."))
+}

Original file line number	Diff line number	Diff line change
`@@ -88,6 +88,8 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {`
`88`	`88`	`AllowLocal: true,`
`89`	`89`	`CheckClientFingerprint: false,`
`90`	`90`	`CheckClientRegion: true,`
	`91`	`+ DenySearchEngines: true,`
	`92`	`+ DenySpiders: true,`
`91`	`93`	`}`
`92`	`94`	`err = json.Unmarshal(resp.ValueJSON, config)`
`93`	`95`	`if err != nil {`
`@@ -109,5 +111,7 @@ func defaultSecurityConfig() *systemconfigs.SecurityConfig {`
`109`	`111`	`AllowLocal: true,`
`110`	`112`	`CheckClientFingerprint: false,`
`111`	`113`	`CheckClientRegion: true,`
	`114`	`+ DenySearchEngines: true,`
	`115`	`+ DenySpiders: true,`
`112`	`116`	`}`
`113`	`117`	`}`