Files
Nexus/docs/archive/audits/2026-06-04-delta/audit-delta-2026-06-04-waveD5.md
T
Nexus Deploy 0100ab2582 docs: consolidate archive, SSOT guide, and agent entry stubs
Move line-walk/delta/phase2/frontend audits and legacy memory into
docs/archive/, add functional development SSOT, thin AGENTS/CLAUDE stubs,
and regenerate changelog/audit indexes via consolidate_docs.py.
2026-06-04 23:01:03 +08:00

3.9 KiB
Raw Blame History

Phase 1 Delta 审计 — Wave D5(前端 Files / Terminal

日期: 2026-06-04
范围: files/terminal composablesCode Review 后 delta
标准: standards/line-walk-audit-standard-v2.md 8 步

登记

# 文件 语言 行数 N Read 范围
1 frontend/src/composables/files/useFilesActions.ts TS 609 1609 全文
2 frontend/src/composables/files/useFilesEditor.ts TS 163 1163 全文
3 frontend/src/composables/files/useFilesPermissions.ts TS 101 1101 全文
4 frontend/src/composables/terminal/useTerminalSessions.ts TS 749 1749 全文
5 frontend/src/composables/terminal/useTerminalCmdBar.ts TS 108 1108 全文

关联: types.tssanitizeRemotePath4043)已纳入 terminal 路径 H 判定。

Step 3 — 规则扫描 H(摘要)

文件 H 命中
useFilesActions.ts H-Auth, H-Path, H-Delete, H-Upload
useFilesEditor.ts H-Auth, H-Size
useFilesPermissions.ts H-Auth, H-Sudo
useTerminalSessions.ts H-Auth, H-WS, H-Path, H-Cmd
useTerminalCmdBar.ts H-Storage, H-Cmd

入口表(前端 → API / WS

调用方 方法 路径 鉴权
useFilesActions POST /sync/file-ops, /sync/write-file, /sync/chmod, /sync/compress, /sync/decompress, /sync/upload, /sync/download http JWT
useFilesEditor readRemoteFileContent /sync/read-file http JWT
useFilesPermissions GET/POST /servers/{id}/files-capability, setup-files-sudo http JWT
useTerminalSessions POST /auth/webssh-token http JWT
useTerminalSessions WS /ws/terminal/{id}?token= purpose=webssh JWT
useTerminalCmdBar WS DATA sendWsData 同上

Closure 表

H 文件:行号 判定 理由
H-Auth useFilesActions.ts:255-494 SAFE 全部经 @/api JWT
H-Path useFilesActions.ts:297-301,461-464 SAFE validatePathSegment 拦截 / ..
H-Path useFilesActions.ts:340-347 RISK rename 未调 validatePathSegment;后端 sync_v2 校验
H-Path useFilesActions.ts:71-78,119 SAFE normalizeRemotePath / joinRemotePath
H-Delete useFilesActions.ts:393-414 SAFE confirm + 逐条 delete;失败计数
H-Upload useFilesActions.ts:486-494 SAFE server_id + remote_path 参数化 POST
H-Auth useFilesEditor.ts:94-98 SAFE readRemoteFileContent + server_id
H-Size useFilesEditor.ts:63-70 SAFE 2MB 编辑上限 FILE_EDITOR_MAX_BYTES
H-Auth useFilesPermissions.ts:65-78 SAFE JWT GET/POST
H-Sudo useFilesPermissions.ts:73-91 SAFE 一键 sudo 走后端 re-auth+SSH;无密码回传
H-Storage useFilesPermissions.ts:56 SAFE sessionStorage 仅 hint dismissed 标记
H-Auth useTerminalSessions.ts:279-281 SAFE webssh-token 绑定 server_id
H-WS useTerminalSessions.ts:293-294 RISK query token;单人运维已接受
H-WS useTerminalSessions.ts:350-363 SAFE 4001/4003 分支处理
H-Path useTerminalSessions.ts:159-163,513,578 RISK sanitizeRemotePath 未拦 `;
H-Cmd useTerminalSessions.ts:648-655 SAFE 快捷命令来自 API/内置白名单
H-Cmd useTerminalCmdBar.ts:21-34 SAFE 命令经 WS DATA;后端 dangerous check
H-Storage useTerminalCmdBar.ts:7-33 RISK localStorage 存命令历史(非密码);UX 便利
H-Secret 五文件 SAFE 无 password/api_key 存 localStorage

len(H)=18, Closure=18

FINDING

无 P0/P1 新 FINDING。

可选后续(P2/UX):rename 前端补 validatePathSegmentsanitizeRemotePath 收紧或 cd 改用引号包裹。

DoD

  • len(H) == Closure
  • 五文件全文 Read(大文件分段至 EOF)
  • 无 v-html / 凭据明文存储

验证

bash scripts/local_verify.sh — 全绿