feat: 优化安全入口

tnb-labs · Oct 25, 2023 · 63865ff · 63865ff
1 parent 1b75b3a
commit 63865ff
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 7 deletions.
diff --git a/app/http/controllers/setting_controller.go b/app/http/controllers/setting_controller.go
@@ -1,6 +1,8 @@
 package controllers
 
 import (
+	"regexp"
+
 	"github.com/goravel/framework/contracts/http"
 	"github.com/goravel/framework/facades"
 	"panel/pkg/tools"
@@ -70,6 +72,10 @@ func (r *SettingController) Save(ctx http.Context) http.Response {
 	email := ctx.Request().Input("email")
 	password := ctx.Request().Input("password")
 
+	if regexp.MustCompile(`^/[^/]*[^/]$`).MatchString(entrance) == false {
+		return Error(ctx, http.StatusUnprocessableEntity, "入口格式错误")
+	}
+
 	err := r.setting.Set(models.SettingKeyName, name)
 	if err != nil {
 		facades.Log().Error("[面板][SettingController] 保存设置失败 ", err)

diff --git a/app/http/middleware/static.go b/app/http/middleware/static.go
@@ -1,17 +1,30 @@
 package middleware
 
 import (
+	"fmt"
+
 	"github.com/gin-contrib/static"
-	contractshttp "github.com/goravel/framework/contracts/http"
+	"github.com/goravel/framework/contracts/http"
 	"github.com/goravel/gin"
 
 	"panel/app/services"
 )
 
-func Static() contractshttp.Middleware {
-	return func(ctx contractshttp.Context) {
-		static.Serve(services.NewSettingImpl().Get("entrance", "/"), static.LocalFile("/www/panel/public", false))(ctx.(*gin.Context).Instance())
+func Static() http.Middleware {
+	return func(ctx http.Context) {
+		// 自动纠正 URL 格式
+		if ctx.Request().Path() == services.NewSettingImpl().Get("entrance", "/") && ctx.Request().Path() != "/" {
+			// ctx.Response().Redirect(http.StatusFound, ctx.Request().Path()+"/")
+			ctx.Response().Writer().WriteHeader(http.StatusFound)
+			_, err := ctx.Response().Writer().Write([]byte(fmt.Sprintf(`<html><head><meta http-equiv="refresh" content="0;url=%s/"></head></html>`, ctx.Request().Path())))
+			if err != nil {
+				return
+			}
+			ctx.Response().Flush()
+			return
+		}
 
+		static.Serve(services.NewSettingImpl().Get("entrance", "/"), static.LocalFile("public", false))(ctx.(*gin.Context).Instance())
 		ctx.Request().Next()
 	}
 }
diff --git a/routes/api.go b/routes/api.go
@@ -10,7 +10,7 @@ import (
 )
 
 func Api() {
-	facades.Route().StaticFile("favicon.ico", "/www/panel/public/favicon.ico")
+	facades.Route().StaticFile("favicon.ico", "public/favicon.ico")
 	facades.Route().Prefix("api/panel").Group(func(r route.Router) {
 		r.Prefix("info").Group(func(r route.Router) {
 			infoController := controllers.NewInfoController()
@@ -110,14 +110,14 @@ func Api() {
 	})
 
 	facades.Route().Fallback(func(ctx http.Context) http.Response {
-		return ctx.Response().String(404, `<html>
+		return ctx.Response().Data(http.StatusNotFound, "text/html; charset=utf-8", []byte(`<html>
 <head><title>404 Not Found</title></head>
 <body>
 <center><h1>404 Not Found</h1></center>
 <hr><center>openresty</center>
 </body>
 </html>
 
-`)
+`))
 	})
 }