fbf5eadcf2
CRITICAL: - C-1: sync_service.py rsync命令shlex.quote防Shell注入回归 - C-2: agent.py exec端点危险命令正则拦截+compare_digest+僵尸进程修复 - C-3: WebSSH JWT token绑定server_id防IDOR HIGH: - H-1: 所有PUT/POST端点setattr改为字段白名单防任意字段注入 - H-2: settings/assets/scripts端点添加JWT认证 - H-3: refresh_token invalidate-then-generate防并发重放 - H-4: servers.py Redis pipeline解决N+1查询 - H-7: settings API Key/Secret掩码+禁止修改 - H-8: TOTP暴力破解速率限制(5次/5分钟) - H-9: get_optional_admin改用request-scoped session MEDIUM: - M-2: X-Real-IP优先+X-Forwarded-For取末值防IP伪造 - M-4: asyncssh异常信息脱敏(只含server_id) - M-5: 分页limit上限(500/200/500/500) - M-9: API层Redis依赖抽象至dependencies.py - M-10: WebSocket ConnectionManager多worker Redis聚合 - M-13: login_attempts复合索引 - M-14: ServerRepository.get_by_ids批量查询 - M-15: API错误消息统一中文 R3追加: - sysctl命令注入防护+regex验证 - $DB_PASS明文存储→masked_command双命令方案 - MYSQL_PWD环境变量替代-p flag - health端点拆分(公开/需认证) - repo层**kwargs→字段白名单 - 全局str(e)信息泄露修复(API/Telegram/WebSocket) - SSRF私有IP拦截 - Nginx HTTPS配置+DB备份脚本 - 前端CDN SRI哈希+XSS修复 - __import__替换为正常import Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
55 lines
542 B
Plaintext
55 lines
542 B
Plaintext
# Nexus — Python
|
|
__pycache__/
|
|
*.py[cod]
|
|
*$py.class
|
|
*.egg-info/
|
|
dist/
|
|
build/
|
|
.eggs/
|
|
|
|
# Environment (NEVER commit — contains production credentials)
|
|
.env
|
|
SECRETS.md
|
|
*.pem
|
|
.env.*
|
|
.venv/
|
|
venv/
|
|
ENV/
|
|
|
|
# IDE
|
|
.vscode/
|
|
.idea/
|
|
*.swp
|
|
*.swo
|
|
*~
|
|
|
|
# OS
|
|
.DS_Store
|
|
Thumbs.db
|
|
|
|
# Logs
|
|
*.log
|
|
nexus.log
|
|
|
|
# Test
|
|
.pytest_cache/
|
|
htmlcov/
|
|
.coverage
|
|
coverage.xml
|
|
|
|
# Node (for Tailwind/Alpine.js build)
|
|
node_modules/
|
|
web/css/tailwind-output.css
|
|
|
|
# Uploads
|
|
web/uploads/
|
|
|
|
# Data (sensitive)
|
|
web/data/config.php
|
|
web/data/*.db
|
|
|
|
# Backups
|
|
backups/
|
|
|
|
# Deploy
|
|
deploy/*.key |