增强安全性

internal/configloaders/security_config.go

@@ -88,6 +88,8 @@ func loadSecurityConfig() (*systemconfigs.SecurityConfig, error) {
 		AllowLocal:             true,
 		CheckClientFingerprint: false,
 		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
 	}
 	err = json.Unmarshal(resp.ValueJSON, config)
 	if err != nil {
@@ -109,5 +111,7 @@ func defaultSecurityConfig() *systemconfigs.SecurityConfig {
 		AllowLocal:             true,
 		CheckClientFingerprint: false,
 		CheckClientRegion:      true,
+		DenySearchEngines:      true,
+		DenySpiders:            true,
 	}
 }

internal/web/helpers/user_must_auth.go

@@ -109,6 +109,12 @@ func NewUserMustAuth(module string) *userMustAuth {
 func (this *userMustAuth) BeforeAction(actionPtr actions.ActionWrapper, paramName string) (goNext bool) {
 	var action = actionPtr.Object()
 
+	// 检查请求是否合法
+	if isEvilRequest(action.Request) {
+		action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 恢复模式
 	if teaconst.IsRecoverMode {
 		action.RedirectURL("/recover")

internal/web/helpers/user_should_auth.go

@@ -21,6 +21,12 @@ func (this *UserShouldAuth) BeforeAction(actionPtr actions.ActionWrapper, paramN
 
 	this.action = actionPtr.Object()
 
+	// 检查请求是否合法
+	if isEvilRequest(this.action.Request) {
+		this.action.ResponseWriter.WriteHeader(http.StatusForbidden)
+		return false
+	}
+
 	// 安全相关
 	var action = this.action
 	securityConfig, _ := configloaders.LoadSecurityConfig()

internal/web/helpers/utils.go

@@ -1,6 +1,8 @@
 package helpers
 
 import (
+	"bytes"
+	"encoding/json"
 	"github.com/TeaOSLab/EdgeAdmin/internal/events"
 	"github.com/TeaOSLab/EdgeAdmin/internal/utils"
 	"github.com/TeaOSLab/EdgeCommon/pkg/configutils"
@@ -155,3 +157,9 @@ func checkRequestSecurity(securityConfig *systemconfigs.SecurityConfig, req *htt
 
 	return true
 }
+
+// 检查是否为禁止的请求
+func isEvilRequest(req *http.Request) bool {
+	var headersJSON, _ = json.Marshal(req.Header)
+	return bytes.Contains(headersJSON, []byte("fofa."))
+}