184 lines
6.7 KiB
Markdown
184 lines
6.7 KiB
Markdown
|
|
# Delta D1–D8 合并卷
|
|||
|
|
|
|||
|
|
> 生成日期: 2026-06-04 · 源文件 8 篇 · 原文 `docs/archive/audits/2026-06-04-delta/`
|
|||
|
|
|
|||
|
|
## 批次索引
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD1.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D1(同步/后台)
|
|||
|
|
## 登记
|
|||
|
|
## Step 3 — 规则扫描 H(摘要)
|
|||
|
|
## 入口表(sync_v2.py API)
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=19, Closure=19**
|
|||
|
|
## FINDING(本波)
|
|||
|
|
无 P0/P1 新 FINDING。RISK 项与既有运维/单人决策一致,不阻塞。
|
|||
|
|
## DoD
|
|||
|
|
- [x] len(H) == Closure
|
|||
|
|
- [x] FINDING 含行号
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD2.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D2(认证 / 安装 / WS / Agent)
|
|||
|
|
## 登记
|
|||
|
|
## 入口表
|
|||
|
|
### install.py
|
|||
|
|
### auth.py
|
|||
|
|
### websocket.py
|
|||
|
|
### agent.py
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=22, Closure=22**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。RISK:WS query JWT、Agent global key — 见 `docs/project/risk-acceptance-single-operator.md`。
|
|||
|
|
## DoD
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD3.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D3(服务器 / 设置 / 脚本 / WebSSH)
|
|||
|
|
## 登记
|
|||
|
|
## 入口表(摘要)
|
|||
|
|
### webssh.py
|
|||
|
|
### servers.py(主要写操作)
|
|||
|
|
### settings.py
|
|||
|
|
### scripts.py
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=24, Closure=24**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。
|
|||
|
|
## DoD
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD4.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D4(前端 Push)
|
|||
|
|
## 登记
|
|||
|
|
## Step 3 — 规则扫描 H(摘要)
|
|||
|
|
## 入口表(前端 → API)
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=17, Closure=17**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。
|
|||
|
|
## DoD
|
|||
|
|
- [x] len(H) == Closure
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD5.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D5(前端 Files / Terminal)
|
|||
|
|
## 登记
|
|||
|
|
## Step 3 — 规则扫描 H(摘要)
|
|||
|
|
## 入口表(前端 → API / WS)
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=18, Closure=18**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。
|
|||
|
|
## DoD
|
|||
|
|
- [x] len(H) == Closure
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD6.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D6(认证链 / Login)
|
|||
|
|
## 登记
|
|||
|
|
## Step 3 — 规则扫描 H(摘要)
|
|||
|
|
## 入口表
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=19, Closure=19**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。
|
|||
|
|
## DoD
|
|||
|
|
- [x] len(H) == Closure
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD7.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D7(Deploy / 本地验证脚本)
|
|||
|
|
**标准**: 变更审查(运维/门控;非业务 API 8 步,沿用 Closure 表格式)
|
|||
|
|
## 登记
|
|||
|
|
## Step 3 — 规则扫描 H(摘要)
|
|||
|
|
## 入口表(脚本调用链)
|
|||
|
|
## Closure 表
|
|||
|
|
**len(H)=16, Closure=16**
|
|||
|
|
## FINDING
|
|||
|
|
无 P0/P1 新 FINDING。
|
|||
|
|
## DoD
|
|||
|
|
- [x] len(H) == Closure
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
### `audit-delta-2026-06-04-waveD8-closure.md`
|
|||
|
|
|
|||
|
|
# Phase 1 Delta 审计 — Wave D8(汇总 Closure)
|
|||
|
|
**标准**: Phase 1 收尾 DoD
|
|||
|
|
## 汇总表
|
|||
|
|
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
|
|||
|
|
## 已接受 RISK(跨波重复,不重复开 FINDING)
|
|||
|
|
## Registry 更新
|
|||
|
|
## Step 3 / Closure / DoD
|
|||
|
|
- **len(H) 汇总** = 135,各波 Closure 均已 100% 对齐
|
|||
|
|
- **无 P0/P1** 待修项进入 Phase 2
|
|||
|
|
## 下一步(计划 Phase 2 / L3)
|
|||
|
|
## 验证
|
|||
|
|
|
|||
|
|
## Closure 摘录(合并)
|
|||
|
|
|
|||
|
|
| 1 | `server/api/sync_v2.py` | Python | 1656 | 1–200, 680–1080, 1280–1657 + 全文件 `@router`/grep H |
|
|||
|
|
| 2 | `server/application/services/sync_engine_v2.py` | Python | 552 | 1–552 全文 |
|
|||
|
|
| 3 | `server/background/schedule_runner.py` | Python | 262 | 1–262 全文 |
|
|||
|
|
| 4 | `server/background/retry_runner.py` | Python | 169 | 1–169 全文 |
|
|||
|
|
| 5 | `server/background/heartbeat_flush.py` | Python | 101 | 1–101 全文 |
|
|||
|
|
| H | 文件:行号 | 判定 | 理由 |
|
|||
|
|
| H-Install-lock | install.py:344-350 | SAFE | `_reject_if_locked` 阻断突变 |
|
|||
|
|
| H-Install-token | install.py:314-327 | SAFE | `secrets.compare_digest` 一次性 token |
|
|||
|
|
| H-Install-token | install.py:601 | SAFE | create-admin 必须 token |
|
|||
|
|
| H-Install-SQL | install.py:540-544 | SAFE | 参数化 INSERT settings |
|
|||
|
|
| H-Install-DDL | install.py:489-503 | SAFE | DDL 幂等 except pass |
|
|||
|
|
| H-Install-subprocess | install.py:273-293 | SAFE | crontab/supervisor 固定 argv |
|
|||
|
|
| H-Auth-brute | auth.py:125-138 | SAFE | 429/202 由 AuthService |
|
|||
|
|
| H-Auth-cookie | auth.py:38-54 | SAFE | HttpOnly + Secure(HTTPS) + SameSite=Lax |
|
|||
|
|
| H-Auth-TOTP-IDOR | auth.py:223-259 | SAFE | admin_id 必须等于 JWT sub |
|
|||
|
|
| H-Auth-password | auth.py:288-305 | SAFE | bcrypt + token_version 失效 |
|
|||
|
|
| H-Auth-webssh | auth.py:330-349 | SAFE | 短效 server-bound token |
|
|||
|
|
| H-JWT-middleware | auth_jwt.py:78-146 | SAFE | ASGI 层拦截 /api/* |
|
|||
|
|
| H-JWT-public | auth_jwt.py:38-50 | SAFE | 公开前缀含 agent/install/ws |
|
|||
|
|
| H-JWT-tv | auth_jwt.py:222-226 | SAFE | token_version 精确匹配 |
|
|||
|
|
| H-WS-auth | websocket.py:303-311 | SAFE | 无 token → 4001;无效 → 4401 |
|
|||
|
|
| H-WS-auth | websocket.py:366-407 | SAFE | tv + updated_at 双检 |
|
|||
|
|
| H-WS-ADR011 | websocket.py:9,300 | RISK | JWT 在 query;单人运维已接受 ADR-011 |
|
|||
|
|
| H-Agent-key | agent.py:40-57 | SAFE | compare_digest;handler 二次验 per-server |
|
|||
|
|
| H-Agent-unknown | agent.py:193-199 | SAFE | 未知 server 200 discard,不写入 |
|
|||
|
|
| H-Agent-global | agent.py:84-92 | RISK | legacy global API_KEY;risk-acceptance 文档 |
|
|||
|
|
| H-Agent-callback | agent.py:324-347 | SAFE | rate limit + job secret |
|
|||
|
|
| H-Agent-no-exec | agent.py:378 | SAFE | 控制面无 shell exec |
|
|||
|
|
| POST | `/{id}/install-agent` 等 | JWT + SSH |
|
|||
|
|
| 文件 | H 命中 |
|
|||
|
|
| usePushForm.ts | H-Auth, H-Upload, H-Path |
|
|||
|
|
| usePushPreview.ts | H-Auth, H-Path |
|
|||
|
|
| usePushProgress.ts | H-Auth, H-WS, H-Batch |
|
|||
|
|
| PushZipUpload.vue | H-Upload, H-XSS |
|
|||
|
|
| PushServerGrid.vue | H-XSS |
|
|||
|
|
| useFilesActions.ts | H-Auth, H-Path, H-Delete, H-Upload |
|
|||
|
|
| useFilesEditor.ts | H-Auth, H-Size |
|
|||
|
|
| useFilesPermissions.ts | H-Auth, H-Sudo |
|
|||
|
|
| useTerminalSessions.ts | H-Auth, H-WS, H-Path, H-Cmd |
|
|||
|
|
| useTerminalCmdBar.ts | H-Storage, H-Cmd |
|
|||
|
|
| LoginPage.vue | H-Secret, H-Redirect, H-Lockout, H-XSS |
|
|||
|
|
| auth.ts | H-Token, H-Refresh, H-Profile |
|
|||
|
|
| api/index.ts | H-Auth, H-Refresh, H-401 |
|
|||
|
|
| router/index.ts | H-Guard, H-Redirect |
|
|||
|
|
| wsUrl.ts | H-WS |
|
|||
|
|
| pre_deploy_check.sh | H-Gate, H-Secret, H-Git |
|
|||
|
|
| local_verify.sh | H-Chain |
|
|||
|
|
| local_integration_smoke.sh | H-Health, H-Auth |
|
|||
|
|
| start-dev.sh | H-DevBind, H-Env |
|
|||
|
|
| docker-compose.yml | H-Port, H-DefaultCreds |
|
|||
|
|
| 波次 | 主题 | 文件数 | H | P0/P1 | 报告 |
|
|||
|
|
| D1 | sync/后台 | 5 | 19 | 0 | [waveD1](audit-delta-2026-06-04-waveD1.md) |
|
|||
|
|
| D2 | auth/agent/ws | 5 | 22 | 0 | [waveD2](audit-delta-2026-06-04-waveD2.md) |
|
|||
|
|
| D3 | servers/settings/scripts/webssh | 5 | 24 | 0 | [waveD3](audit-delta-2026-06-04-waveD3.md) |
|
|||
|
|
| D4 | 前端 Push | 5 | 17 | 0 | [waveD4](audit-delta-2026-06-04-waveD4.md) |
|
|||
|
|
| D5 | 前端 Files/Terminal | 5 | 18 | 0 | [waveD5](audit-delta-2026-06-04-waveD5.md) |
|
|||
|
|
| D6 | 认证链 Login | 5 | 19 | 0 | [waveD6](audit-delta-2026-06-04-waveD6.md) |
|
|||
|
|
| D7 | Deploy/本地脚本 | 5 | 16 | 0 | [waveD7](audit-delta-2026-06-04-waveD7.md) |
|
|||
|
|
| **合计** | | **35** | **135** | **0** | |
|