update: 修复基于长亭monkeycode扫描结果的12处安全漏洞

2026-04-24 10:11:23 +08:00
parent 63bfabc6de
commit 4af9a31eba
17 changed files with 366 additions and 75 deletions
@@ -26,6 +26,18 @@ router = APIRouter(prefix="/wizard-stream", tags=["项目创建向导(流式)"])
 logger = get_logger(__name__)


+async def get_owned_project(db: AsyncSession, project_id: str, user_id: str) -> Project | None:
+    if not project_id or not user_id:
+        return None
+    result = await db.execute(
+        select(Project).where(
+            Project.id == project_id,
+            Project.user_id == user_id,
+        )
+    )
+    return result.scalar_one_or_none()
+
+
 async def world_building_generator(
    data: Dict[str, Any],
    db: AsyncSession,
@@ -326,12 +338,9 @@ async def career_system_generator(
        
        # 获取项目信息
        yield await tracker.loading("加载项目信息...")
-        result = await db.execute(
-            select(Project).where(Project.id == project_id)
-        )
-        project = result.scalar_one_or_none()
+        project = await get_owned_project(db, project_id, user_id)
        if not project:
-            yield await tracker.error("项目不存在", 404)
+            yield await tracker.error("项目不存在或无权访问", 404)
            return
        
        # 设置用户信息以启用MCP
@@ -599,12 +608,9 @@ async def characters_generator(
        
        # 验证项目
        yield await tracker.loading("验证项目...", 0.3)
-        result = await db.execute(
-            select(Project).where(Project.id == project_id)
-        )
-        project = result.scalar_one_or_none()
+        project = await get_owned_project(db, project_id, user_id)
        if not project:
-            yield await tracker.error("项目不存在", 404)
+            yield await tracker.error("项目不存在或无权访问", 404)
            return
        
        project.wizard_step = 2
@@ -1270,12 +1276,9 @@ async def outline_generator(
        
        # 获取项目信息
        yield await tracker.loading("加载项目信息...", 0.3)
-        result = await db.execute(
-            select(Project).where(Project.id == project_id)
-        )
-        project = result.scalar_one_or_none()
+        project = await get_owned_project(db, project_id, user_id)
        if not project:
-            yield await tracker.error("项目不存在", 404)
+            yield await tracker.error("项目不存在或无权访问", 404)
            return
        
        # 获取角色信息
@@ -1551,12 +1554,9 @@ async def world_building_regenerate_generator(
        
        # 获取项目信息
        yield await tracker.loading("加载项目信息...")
-        result = await db.execute(
-            select(Project).where(Project.id == project_id)
-        )
-        project = result.scalar_one_or_none()
+        project = await get_owned_project(db, project_id, user_id)
        if not project:
-            yield await tracker.error("项目不存在", 404)
+            yield await tracker.error("项目不存在或无权访问", 404)
            return
        
        # 提取参数