Files
Nexus/docs/changelog/2026-06-06-external-attack-surface-audit.md
2026-07-08 22:31:31 +08:00

40 lines
1.2 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Changelog — 外网攻击面安全巡检(E1–E6)
**日期**2026-06-06
## 摘要
对生产 `api.synaglobal.vip` 执行无凭证外网攻击面巡检:新增黑盒脚本、三份报告与加固 backlog;**无应用代码加固**audit_only)。
## 动机
在「已登录管理员可信」前提下,审计无 JWT / 弱认证暴露面,与 B1–B6 鉴权后 API 巡检互补。
## 涉及文件
| 类型 | 路径 |
|------|------|
| 脚本 | `scripts/security_probe_external.sh` |
| 报告 | `docs/reports/2026-06-06-external-attack-probe-production.md` |
| 报告 | `docs/reports/2026-06-06-external-attack-surface-audit.md` |
| Backlog | `docs/reports/2026-06-06-external-attack-hardening-backlog.md` |
## 主要发现(未修复)
- **P2**`GET /health/detail` 未授权可读组件状态(`PUBLIC_PREFIXES` `/health` 前缀过宽)
- **P2**`POST /api/settings/bing-wallpapers/sync` 未授权可触发外联下载(同上)
- **H**OpenAPI/Swagger/ReDoc 公网可访问
- **0 P0/P1**
## 迁移 / 重启
无。仅文档与探测脚本。
## 验证方式
```bash
NEXUS_PROBE_BASE=https://api.synaglobal.vip bash scripts/security_probe_external.sh
```
证据见 `docs/reports/2026-06-06-external-attack-probe-production.md`