40 lines
1.2 KiB
Markdown
40 lines
1.2 KiB
Markdown
|
|
# Changelog — 外网攻击面安全巡检(E1–E6)
|
|||
|
|
|
|||
|
|
**日期**:2026-06-06
|
|||
|
|
|
|||
|
|
## 摘要
|
|||
|
|
|
|||
|
|
对生产 `api.synaglobal.vip` 执行无凭证外网攻击面巡检:新增黑盒脚本、三份报告与加固 backlog;**无应用代码加固**(audit_only)。
|
|||
|
|
|
|||
|
|
## 动机
|
|||
|
|
|
|||
|
|
在「已登录管理员可信」前提下,审计无 JWT / 弱认证暴露面,与 B1–B6 鉴权后 API 巡检互补。
|
|||
|
|
|
|||
|
|
## 涉及文件
|
|||
|
|
|
|||
|
|
| 类型 | 路径 |
|
|||
|
|
|------|------|
|
|||
|
|
| 脚本 | `scripts/security_probe_external.sh` |
|
|||
|
|
| 报告 | `docs/reports/2026-06-06-external-attack-probe-production.md` |
|
|||
|
|
| 报告 | `docs/reports/2026-06-06-external-attack-surface-audit.md` |
|
|||
|
|
| Backlog | `docs/reports/2026-06-06-external-attack-hardening-backlog.md` |
|
|||
|
|
|
|||
|
|
## 主要发现(未修复)
|
|||
|
|
|
|||
|
|
- **P2**:`GET /health/detail` 未授权可读组件状态(`PUBLIC_PREFIXES` `/health` 前缀过宽)
|
|||
|
|
- **P2**:`POST /api/settings/bing-wallpapers/sync` 未授权可触发外联下载(同上)
|
|||
|
|
- **H**:OpenAPI/Swagger/ReDoc 公网可访问
|
|||
|
|
- **0 P0/P1**
|
|||
|
|
|
|||
|
|
## 迁移 / 重启
|
|||
|
|
|
|||
|
|
无。仅文档与探测脚本。
|
|||
|
|
|
|||
|
|
## 验证方式
|
|||
|
|
|
|||
|
|
```bash
|
|||
|
|
NEXUS_PROBE_BASE=https://api.synaglobal.vip bash scripts/security_probe_external.sh
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
证据见 `docs/reports/2026-06-06-external-attack-probe-production.md`。
|