update: 修复基于长亭monkeycode扫描结果的12处安全漏洞

xiamuceer
2026-04-24 10:11:23 +08:00
parent 63bfabc6de
commit 4af9a31eba
17 changed files with 366 additions and 75 deletions
+5 -2
@@ -26,6 +26,7 @@ from app.logger import get_logger
from app.config import settings as app_settings, PROJECT_ROOT
from app.services.ai_service import AIService, create_user_ai_service, create_user_ai_service_with_mcp, normalize_provider
from app.services.email_service import email_service
from app.security import validate_public_http_url
logger = get_logger(__name__)
@@ -452,7 +453,8 @@ async def delete_settings(
async def get_available_models(
api_key: str,
api_base_url: str,
provider: str = "openai"
provider: str = "openai",
user: User = Depends(require_login)
):
"""
从配置的 API 获取可用的模型列表
@@ -467,6 +469,7 @@ async def get_available_models(
"""
try:
provider = normalize_provider(provider)
api_base_url = validate_public_http_url(api_base_url)
async with httpx.AsyncClient(timeout=10.0) as client:
if provider == "openai" or provider == "azure" or provider == "custom":
# OpenAI 兼容接口获取模型列表
@@ -1291,4 +1294,4 @@ async def create_preset_from_current(
)
logger.info(f"用户 {user.user_id} 从当前配置创建预设: {name}")
return await create_preset(create_request, user, db)
return await create_preset(create_request, user, db)
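Review bot: The check added at `api_base_url = validate_public_http_url(api_base_url)` vets a URL string, but the `httpx.AsyncClient` opened on the next line resolves the hostname again when it connects. If the helper (not visible here) decides by DNS lookup, the address actually contacted is never the one that was checked. Consider having the helper hand back the vetted address and connecting to that, and pin the redirect behaviour so a later default change cannot route around the check: `async with httpx.AsyncClient(timeout=10.0, follow_redirects=False) as client:`. The validation also sits inside the `try:` whose `except` lies outside this hunk, so confirm that a rejected URL reaches the caller as a 4xx rather than being folded into a generic upstream failure. The docstring of `get_available_models` should also state that `api_base_url` must be a public HTTP(S) URL and that the endpoint now requires a logged-in user.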