fix: 代码审查修复 — 安全、性能和正确性
- triggersApi: 添加 assertSubscriptionBaseUrl 防止 OAuth token 泄露 - claude.ts: 修复流式响应 O(n^2) 字符串拼接,改用数组累积 - claude.ts: 移除未使用的 import,动态 import 改为静态 import - StatusLine: BuiltinStatusLine 仅在 statusLineEnabled 时显示,修复双行问题 - local-vault: 修复 --reveal 标志位置解析 bug - share: 修复 sk-proj-* OpenAI 密钥未脱敏问题 - store.ts: 临时文件改用同目录创建,避免跨文件系统 rename 失败 - store.ts: 添加空字符串 key 校验 - permissionValidation: 端口正则限制为有效 TCP 范围 0-65535 - 测试 mock 补全: schedule/vault/skill-store 测试文件 - 移除过期的 biome-ignore 注释 Co-Authored-By: glm-5-turbo <zai-org@claude-code-best.win>
This commit is contained in:
parent
8485589ca7
commit
fe9da6e5b9
|
|
@ -52,6 +52,14 @@ describe('parseLocalVaultArgs', () => {
|
|||
})
|
||||
})
|
||||
|
||||
test('get with --reveal before key → reveal=true, key correctly resolved', () => {
|
||||
expect(parseLocalVaultArgs('get --reveal MY_KEY')).toEqual({
|
||||
action: 'get',
|
||||
key: 'MY_KEY',
|
||||
reveal: true,
|
||||
})
|
||||
})
|
||||
|
||||
test('get without key → invalid', () => {
|
||||
const result = parseLocalVaultArgs('get')
|
||||
expect(result.action).toBe('invalid')
|
||||
|
|
|
|||
|
|
@ -89,7 +89,11 @@ export function parseLocalVaultArgs(args: string): LocalVaultArgs {
|
|||
|
||||
// ── get ───────────────────────────────────────────────────────────────────
|
||||
if (subCmd === 'get') {
|
||||
const key = tokens[1]
|
||||
// Strip flags before extracting the key so that `get --reveal MY_KEY`
|
||||
// correctly resolves MY_KEY as the key rather than --reveal.
|
||||
const flags = ['--reveal']
|
||||
const argsWithoutFlags = tokens.filter(t => !flags.includes(t))
|
||||
const key = argsWithoutFlags[1] // argsWithoutFlags[0] is 'get'
|
||||
if (!key) {
|
||||
return { action: 'invalid', reason: `get requires a key name. ${USAGE}` }
|
||||
}
|
||||
|
|
|
|||
|
|
@ -57,7 +57,7 @@ const SECRET_PATTERNS: Array<{ pattern: RegExp; replacement: string }> = [
|
|||
replacement: '[REDACTED_ANTHROPIC_KEY]',
|
||||
},
|
||||
{
|
||||
pattern: /\b(sk-[A-Za-z0-9]{20,})/g,
|
||||
pattern: /\b(sk-[A-Za-z0-9_-]{20,})/g,
|
||||
replacement: '[REDACTED_API_KEY]',
|
||||
},
|
||||
// Bearer / Authorization tokens
|
||||
|
|
|
|||
|
|
@ -315,7 +315,7 @@ export function validatePermissionRule(
|
|||
parsed.toolName === 'VaultHttpFetch' &&
|
||||
behavior === 'deny' &&
|
||||
parsed.ruleContent !== undefined &&
|
||||
!/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::\d{1,5})?)$/.test(
|
||||
!/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::(?:[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))?)$/.test(
|
||||
parsed.ruleContent,
|
||||
)
|
||||
) {
|
||||
|
|
@ -367,7 +367,7 @@ export function validatePermissionRule(
|
|||
if (
|
||||
parsed.toolName === 'VaultHttpFetch' &&
|
||||
parsed.ruleContent !== undefined &&
|
||||
!/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::\d{1,5})?)$/.test(
|
||||
!/^[A-Za-z0-9._-]{1,128}@(?:\*|(?:\[[A-Fa-f0-9:]+\]|[A-Za-z0-9.-]{1,253})(?::(?:[1-9]\d{0,3}|[1-5]\d{4}|6[0-4]\d{3}|65[0-4]\d{2}|655[0-2]\d|6553[0-5]))?)$/.test(
|
||||
parsed.ruleContent,
|
||||
)
|
||||
) {
|
||||
|
|
|
|||
Loading…
Reference in New Issue
Block a user