Merge pull request #6 from VanceHud/main

VanceHud · web-flow · commit b9e1c23bc278 · 2026-01-07T11:54:52.000+08:00
修复了几个BUG
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -7,6 +7,9 @@ on:
     branches: [ "main" ]
   workflow_dispatch:
 
+permissions:
+  contents: read
+
 jobs:
   build:
     runs-on: ubuntu-latest
diff --git a/server/app.js b/server/app.js
@@ -112,14 +112,15 @@ app.get('/api/status', (req, res) => {
     });
 });
 
-// Setup Routes (Always available, but logic inside checks if already configured)
-app.use('/api/setup', setupRoutes);
-
 // Rate Limiter & User Identification
 // Apply soft authentication (identifyUser) and rate limiting (rateLimiter)
 // identifyUser must come before rateLimiter so we can check roles
 app.use('/api', identifyUser, rateLimiter);
 
+// Setup Routes (Always available, but logic inside checks if already configured)
+// Now protected by rate limiting to prevent DoS attacks
+app.use('/api/setup', setupRoutes);
+
 // App Routes (Only work if configured)
 const requireConfig = (req, res, next) => {
     if (!isConfigured()) {
diff --git a/server/routes/admin-notifications.js b/server/routes/admin-notifications.js
@@ -64,8 +64,8 @@ router.post('/', authenticateToken, requireAdminRole, async (req, res) => {
         return res.status(400).json({ error: '邮箱地址不能为空' });
     }
 
-    // Email validation
-    const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+    // Email validation - using a safer regex pattern to prevent ReDoS
+    const emailRegex = /^[a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;
     if (!emailRegex.test(email)) {
         return res.status(400).json({ error: '邮箱地址格式不正确' });
     }
diff --git a/server/routes/email-templates.js b/server/routes/email-templates.js
@@ -62,7 +62,7 @@ router.put('/:key', authenticateToken, requireSuperAdmin, async (req, res) => {
 
         res.json({ success: true });
     } catch (err) {
-        console.error(`Error updating email template ${key}:`, err);
+        console.error('Error updating email template:', { key, error: err });
         res.status(500).json({ error: 'Failed to update template' });
     }
 });
diff --git a/server/routes/knowledge-base.js b/server/routes/knowledge-base.js
@@ -11,8 +11,8 @@ const router = express.Router();
 const generateSlug = (title) => {
     return title
         .toLowerCase()
-        .replace(/[^\w\u4e00-\u9fa5]+/g, '-') // Keep Chinese characters
-        .replace(/^-+|-+$/g, '')
+        .replace(/[^\w\u4e00-\u9fa5]+/g, '-') // Keep Chinese characters - replace sequences of non-word/non-Chinese chars with single dash
+        .replace(/^-|-$/g, '') // Remove leading/trailing dashes
         .substring(0, 100);
 };
 

Original file line number	Diff line number	Diff line change
`@@ -64,8 +64,8 @@ router.post('/', authenticateToken, requireAdminRole, async (req, res) => {`
`64`	`64`	`return res.status(400).json({ error: '邮箱地址不能为空' });`
`65`	`65`	`}`
`66`	`66`
`67`		`- // Email validation`
`68`		`- const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;`
	`67`	`+ // Email validation - using a safer regex pattern to prevent ReDoS`
	`68`	`+ const emailRegex = /^[a-zA-Z0-9._%-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/;`
`69`	`69`	`if (!emailRegex.test(email)) {`
`70`	`70`	`return res.status(400).json({ error: '邮箱地址格式不正确' });`
`71`	`71`	`}`
Original file line number	Diff line number	Diff line change
`@@ -62,7 +62,7 @@ router.put('/:key', authenticateToken, requireSuperAdmin, async (req, res) => {`
`62`	`62`
`63`	`63`	`res.json({ success: true });`
`64`	`64`	`} catch (err) {`
`65`		- console.error(`Error updating email template ${key}:`, err);
	`65`	`+ console.error('Error updating email template:', { key, error: err });`
`66`	`66`	`res.status(500).json({ error: 'Failed to update template' });`
`67`	`67`	`}`
`68`	`68`	`});`