fix(security): 外网攻击面加固 BL-01~05
收紧 PUBLIC 路径误匹配、强制 health/detail 与壁纸 sync 鉴权、默认关闭 OpenAPI; 安装锁定后 /api/install/* 统一 404;附探测脚本、测试与审计文档。 Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
+10
-10
@@ -948,11 +948,16 @@ def _verify_install_token(provided: str) -> None:
|
||||
|
||||
# ── Endpoints ──
|
||||
|
||||
def _raise_not_found_if_locked() -> None:
|
||||
"""Hide install API fingerprint after lock — same response as unknown route."""
|
||||
if _is_locked():
|
||||
raise HTTPException(status_code=404, detail="Not found")
|
||||
|
||||
|
||||
@router.get("/status")
|
||||
async def install_status():
|
||||
"""Check whether Nexus is already installed."""
|
||||
if _is_locked():
|
||||
raise HTTPException(status_code=404, detail="Not found")
|
||||
_raise_not_found_if_locked()
|
||||
return {
|
||||
"installed": _is_installed(),
|
||||
"locked": _is_locked(),
|
||||
@@ -961,12 +966,8 @@ async def install_status():
|
||||
|
||||
|
||||
def _reject_if_locked():
|
||||
"""Block install wizard mutations after step 5 lock."""
|
||||
if _is_locked():
|
||||
raise HTTPException(
|
||||
status_code=403,
|
||||
detail="安装向导已锁定。仅可查询 /api/install/status",
|
||||
)
|
||||
"""Block install wizard after step 5 lock (404 — no product fingerprint)."""
|
||||
_raise_not_found_if_locked()
|
||||
|
||||
|
||||
def _reject_if_env_exists():
|
||||
@@ -1410,8 +1411,7 @@ async def lock_install():
|
||||
This prevents unauthenticated callers from locking the installer
|
||||
before the legitimate admin has finished setup.
|
||||
"""
|
||||
if _is_locked():
|
||||
return {"success": True, "already_locked": True}
|
||||
_raise_not_found_if_locked()
|
||||
if not _has_env():
|
||||
raise HTTPException(400, "请先完成步骤3:数据库初始化")
|
||||
|
||||
|
||||
Reference in New Issue
Block a user