fix(security): 外网攻击面加固 BL-01~05

收紧 PUBLIC 路径误匹配、强制 health/detail 与壁纸 sync 鉴权、默认关闭 OpenAPI;
安装锁定后 /api/install/* 统一 404;附探测脚本、测试与审计文档。

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Nexus Agent
2026-06-07 01:45:10 +08:00
parent 722917bfc9
commit e5e2582743
18 changed files with 886 additions and 29 deletions
+10 -10
View File
@@ -948,11 +948,16 @@ def _verify_install_token(provided: str) -> None:
# ── Endpoints ──
def _raise_not_found_if_locked() -> None:
"""Hide install API fingerprint after lock — same response as unknown route."""
if _is_locked():
raise HTTPException(status_code=404, detail="Not found")
@router.get("/status")
async def install_status():
"""Check whether Nexus is already installed."""
if _is_locked():
raise HTTPException(status_code=404, detail="Not found")
_raise_not_found_if_locked()
return {
"installed": _is_installed(),
"locked": _is_locked(),
@@ -961,12 +966,8 @@ async def install_status():
def _reject_if_locked():
"""Block install wizard mutations after step 5 lock."""
if _is_locked():
raise HTTPException(
status_code=403,
detail="安装向导已锁定。仅可查询 /api/install/status",
)
"""Block install wizard after step 5 lock (404 — no product fingerprint)."""
_raise_not_found_if_locked()
def _reject_if_env_exists():
@@ -1410,8 +1411,7 @@ async def lock_install():
This prevents unauthenticated callers from locking the installer
before the legitimate admin has finished setup.
"""
if _is_locked():
return {"success": True, "already_locked": True}
_raise_not_found_if_locked()
if not _has_env():
raise HTTPException(400, "请先完成步骤3:数据库初始化")