fix: security vulnerability fixes — CLI password leak + margin upper bound + path checks + CSP/rate limiting
CRITICAL:
- CLI: when --password is not given, read it from the QRGEN_WIFI_PASSWORD environment variable instead, so the password no longer appears in the process list (ps aux / /proc/pid/cmdline)
HIGH:
- Expanded the SAFETY comment on the unsafe from_utf8_unchecked call, explaining in detail why it is sound
- CLI --margin: added value_parser range(0..=100) so a u8 value of 255 can no longer blow up memory
- Web: added a comment on the permissive CORS setting explaining the public-API design rationale
- GUI FS permissions tightened: write permission restricted from /c/Users/33644/** to Downloads/Documents/Desktop/AppData
MEDIUM:
- Added QrError::InvalidEcLevel(String) instead of reusing InvalidVersion(0)
- --logo/--batch/--output_dir now all go through a check_path() path-traversal check
- Web: added tower::limit::ConcurrencyLimitLayer(10) to cap concurrency and prevent CPU exhaustion
- decode_image: added a 4096x4096 image size limit to prevent decompression bombs
LOW:
- Web: added a Content-Security-Policy response header
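An added example (not the QRGen project's own code), in std-only Rust, sketching three of the CLI measures listed above: the environment-variable fallback for QRGEN_WIFI_PASSWORD, the 0..=100 bound on --margin, and a check_path() that rejects traversal. The function names, the injectable lookup and the exact path policy are assumptions.

```rust
// Added illustration, not QRGen code: std-only versions of three CLI hardening
// steps from the commit message. Names and the check_path() policy are assumed.
use std::env;
use std::path::{Component, Path, PathBuf};

/// Environment variable the commit message names as the --password fallback.
pub const WIFI_PASSWORD_ENV: &str = "QRGEN_WIFI_PASSWORD";

/// Core rule with an injectable lookup so it can be tested without touching
/// the real process environment: an explicit --password wins, otherwise the
/// variable is consulted; empty values count as absent.
pub fn resolve_wifi_password_with(
    cli_value: Option<&str>,
    lookup: impl Fn(&str) -> Option<String>,
) -> Option<String> {
    match cli_value {
        Some(p) if !p.is_empty() => Some(p.to_string()),
        _ => lookup(WIFI_PASSWORD_ENV).filter(|v| !v.is_empty()),
    }
}

/// Production entry point: keeping the secret out of argv means it never
/// shows up in `ps aux` or /proc/<pid>/cmdline.
pub fn resolve_wifi_password(cli_value: Option<&str>) -> Option<String> {
    resolve_wifi_password_with(cli_value, |key| env::var(key).ok())
}

/// Parse --margin as a u8 limited to 0..=100, mirroring
/// `value_parser!(u8).range(0..=100)`; a bare u8 accepts 255, and a 255-module
/// quiet zone on every side makes the output canvas far larger than any QR needs.
pub fn parse_margin(raw: &str) -> Result<u8, String> {
    let v: u8 = raw.trim().parse().map_err(|e| format!("margin: {e}"))?;
    if v > 100 {
        return Err(format!("margin must be in 0..=100, got {v}"));
    }
    Ok(v)
}

/// Assumed policy for --logo/--batch/--output_dir: reject `..` components so a
/// user-supplied path cannot climb out of the working tree, and reject absolute
/// paths (root dir or Windows drive prefix) for the same reason.
pub fn check_path(raw: &str) -> Result<PathBuf, String> {
    let path = Path::new(raw);
    for c in path.components() {
        match c {
            Component::ParentDir => return Err(format!("path traversal rejected: {raw}")),
            Component::RootDir | Component::Prefix(_) => {
                return Err(format!("absolute path rejected: {raw}"))
            }
            Component::Normal(_) | Component::CurDir => {}
        }
    }
    Ok(path.to_path_buf())
}
```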
@@ -1 +1 @@
{"default":{"identifier":"default","description":"QRGen 默认权限","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/**"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/**"},{"path":"$TEMP/**"}]}]}}
{"default":{"identifier":"default","description":"QRGen 默认权限 — 最小权限原则","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/Downloads/**"},{"path":"$HOME/Documents/**"},{"path":"$HOME/Desktop/**"},{"path":"$APPDATA/**"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/Downloads/**"},{"path":"$HOME/Documents/**"},{"path":"$HOME/Desktop/**"},{"path":"$HOME/Pictures/**"},{"path":"$APPDATA/**"},{"path":"$TEMP/**"}]}]}}
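Review bot: the new `fs:allow-read-file` scope adds `$HOME/Pictures/**`, which the commit message does not mention (it only describes the write-scope tightening); please list it in the message and state why the GUI needs read access to Pictures. Also, although the description now says 最小权限原则, every entry is still a recursive `**` glob, so within Downloads, Documents and Desktop the app may read and overwrite any existing file, and `$TEMP/**` read stays as before; since `dialog:default` is already granted, it is worth checking whether files chosen through the dialog cover the real use cases and whether the static write globs can be narrowed further.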