fix: 安全漏洞修复 — CLI密码泄露 + margin上限 + 路径检查 + CSP/限速

CRITICAL: - CLI --password 未提供时自动从 QRGEN_WIFI_PASSWORD 环境变量读取避免密码出现在 ps aux / /proc/pid/cmdline 进程列表中 HIGH: - unsafe from_utf8_unchecked SAFETY 注释增强, 详细解释为何有效 - CLI --margin 添加 value_parser range(0..=100), 防止 u8=255 导致内存爆炸 - Web CORS permissive 添加注释说明公开 API 设计理由 - GUI FS 权限收紧: 写权限从 /c/Users/33644/** 限制为 Downloads/Documents/Desktop/AppData MEDIUM: - 新增 QrError::InvalidEcLevel(String), 不再复用 InvalidVersion(0) - --logo/--batch/--output_dir 均添加 check_path() 路径遍历检查 - Web 添加 tower::limit::ConcurrencyLimitLayer(10) 并发限制防 CPU 耗尽 - decode_image 添加 4096x4096 图片尺寸上限防解压炸弹 LOW: - Web 添加 Content-Security-Policy 响应头
2026-06-21 16:09:08 +08:00
parent bd4ca718ac
commit b053272825
10 changed files with 68 additions and 12 deletions
@@ -3332,6 +3332,7 @@ dependencies = [
 "serde",
 "serde_json",
 "tokio",
 "tower",
 "tower-http",
 ]
@@ -56,7 +56,7 @@ struct EncodeOpts {
    version: Option<u8>,
    #[arg(short = 's', long, default_value = "4", value_parser = clap::value_parser!(u8).range(1..=20))]
    size: u8,
-    #[arg(short = 'm', long, default_value = "4")]
+    #[arg(short = 'm', long, default_value = "4", value_parser = clap::value_parser!(u8).range(0..=100))]
    margin: u8,
    #[arg(long)] fg: Option<String>,
    #[arg(long)] bg: Option<String>,
@@ -64,7 +64,7 @@ struct EncodeOpts {
    #[arg(short = 'f', long, default_value = "png")]
    format: String,
    #[arg(long)] mode: Option<String>,
-    // WiFi
+    // WiFi — 密码优先从环境变量 QRGEN_WIFI_PASSWORD 读取，避免命令行泄露
    #[arg(long)] ssid: Option<String>,
    #[arg(long)] password: Option<String>,
    #[arg(long, default_value = "WPA")]
@@ -174,12 +174,20 @@ fn cmd_encode(content: &str, output: &Option<String>, opts: &EncodeOpts) -> Resu
    let final_text = if let Some(m) = &opts.mode {
        build_mode(m, opts, &text)?
    } else if let Some(ref bf) = opts.batch {
        check_path(bf)?; // 批量文件路径检查
        if let Some(od) = &opts.output_dir {
            check_path(od)?; // 输出目录路径检查
        }
        return do_batch(bf, opts);
    } else {
        text
    };
    let level: EcLevel = opts.level.parse().map_err(|e: String| anyhow::anyhow!(e))?;
    // --logo 文件路径也需安全检查
    if let Some(logo_path) = &opts.logo {
        check_path(logo_path)?;
    }
    let logo = opts
        .logo
        .as_ref()
@@ -252,9 +260,15 @@ fn build_mode(mode: &str, opts: &EncodeOpts, fb: &str) -> Result<String> {
                .ssid
                .as_deref()
                .ok_or_else(|| anyhow::anyhow!("WiFi 模式需要 --ssid"))?;
            // 密码优先从 --password 读取，未提供时尝试环境变量 QRGEN_WIFI_PASSWORD
            let pwd = opts
                .password
                .as_deref()
                .or_else(|| std::env::var("QRGEN_WIFI_PASSWORD").ok().as_deref())
                .unwrap_or("");
            Ok(text_builder::build_wifi_text(
                s,
-                opts.password.as_deref().unwrap_or(""),
+                pwd,
                &opts.encryption,
                opts.hidden,
            ))
@@ -3,13 +3,24 @@
 //! 提供多遍自适应二值化策略和灰度图加载 API。
 pub use image::GrayImage;
 use image::GenericImageView;
 /// 最大图片尺寸（宽或高），防止解压炸弹（压缩 1MB→解压 10000×10000 像素）
 const MAX_IMAGE_DIMENSION: u32 = 4096;
 /// 从图像字节加载为灰度图（公共 API，供调用方自定义预处理）
 ///
-/// 支持 PNG/JPEG/WebP/BMP 等常见格式。
+/// 支持 PNG/JPEG/WebP/BMP 等常见格式。限制最大尺寸 4096×4096 防止资源耗尽。
 pub fn load_gray(bytes: &[u8]) -> Result<GrayImage, crate::error::QrError> {
    let img = image::load_from_memory(bytes)
        .map_err(|e| crate::error::QrError::DecodeFail(format!("图像解码失败: {e}")))?;
    let (w, h) = img.dimensions();
    if w > MAX_IMAGE_DIMENSION || h > MAX_IMAGE_DIMENSION {
        return Err(crate::error::QrError::DecodeFail(format!(
            "图片过大 ({}×{})，最大支持 {}×{}",
            w, h, MAX_IMAGE_DIMENSION, MAX_IMAGE_DIMENSION
        )));
    }
    Ok(img.to_luma8())
 }
@@ -11,6 +11,8 @@ pub enum QrError {
    EmptyInput,
    /// 无效版本号 (1-40)
    InvalidVersion(u8),
    /// 无效纠错级别
    InvalidEcLevel(String),
    /// 数据过长，超出 QR 码最大容量
    DataTooLong,
    /// 解码失败
@@ -30,6 +32,7 @@ impl fmt::Display for QrError {
        match self {
            QrError::EmptyInput => write!(f, "输入为空"),
            QrError::InvalidVersion(v) => write!(f, "无效版本号 (1-40): {v}"),
            QrError::InvalidEcLevel(s) => write!(f, "无效纠错级别: '{s}'，支持 L/M/Q/H"),
            QrError::DataTooLong => write!(f, "数据过长，超出 QR 码最大容量"),
            QrError::DecodeFail(msg) => write!(f, "解码失败: {msg}"),
            QrError::FormatCorrupted(msg) => write!(f, "格式信息损坏: {msg}"),
@@ -324,7 +324,12 @@ pub(crate) fn parse_hex_color(s: &str) -> Result<[u8; 3], QrError> {
    match hex.len() {
        3 => {
            // #RGB → 每个分量乘以 17 扩展为 #RRGGBB（避免 String 分配）
-            // SAFETY: hex 来自 `s[1..]`，已通过 starts_with('#') 检查，且只含 ASCII hex 字符
+            // SAFETY: hex 来自 `s[1..]`，s 本身是 &str（由函数参数保证），
            // 因此 s 的每个字节都是有效 UTF-8。bytes[0]/[1]/[2] 取自 hex，
            // 是有效 UTF-8 单字节 ASCII hex 字符。将同一有效 ASCII 字节
            // 重复两次构成长度为 2 的字节序列，该序列必然也是有效 UTF-8。
            // 这是因为：ASCII 单字节字符 (0x00-0x7F) 重复任意次，每个字节
            // 都独立是有效的 UTF-8 序列，不依赖相邻字节。
            let bytes = hex.as_bytes();
            let r = u8::from_str_radix(unsafe {
                std::str::from_utf8_unchecked(&[bytes[0], bytes[0]])
@@ -49,7 +49,7 @@ impl FromStr for EcLevel {
            "M" => Ok(EcLevel::M),
            "Q" => Ok(EcLevel::Q),
            "H" => Ok(EcLevel::H),
-            _ => Err(QrError::InvalidVersion(0)), // 复用变体
+            _ => Err(QrError::InvalidEcLevel(s.to_string())),
        }
    }
 }
@@ -1,7 +1,7 @@
 {
  "$schema": "../gen/schemas/desktop-schema.json",
  "identifier": "default",
-  "description": "QRGen 默认权限",
+  "description": "QRGen 默认权限 — 最小权限原则",
  "windows": ["main"],
  "permissions": [
    "core:default",
@@ -10,11 +10,23 @@
    "clipboard-manager:default",
    {
      "identifier": "fs:allow-write-file",
-      "allow": [{ "path": "$HOME/**" }]
+      "allow": [
        { "path": "$HOME/Downloads/**" },
        { "path": "$HOME/Documents/**" },
        { "path": "$HOME/Desktop/**" },
        { "path": "$APPDATA/**" }
      ]
    },
    {
      "identifier": "fs:allow-read-file",
-      "allow": [{ "path": "$HOME/**" }, { "path": "$TEMP/**" }]
+      "allow": [
        { "path": "$HOME/Downloads/**" },
        { "path": "$HOME/Documents/**" },
        { "path": "$HOME/Desktop/**" },
        { "path": "$HOME/Pictures/**" },
        { "path": "$APPDATA/**" },
        { "path": "$TEMP/**" }
      ]
    }
  ]
 }
@@ -1 +1 @@
-{"default":{"identifier":"default","description":"QRGen 默认权限","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/**"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/**"},{"path":"$TEMP/**"}]}]}}
+{"default":{"identifier":"default","description":"QRGen 默认权限 — 最小权限原则","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/Downloads/**"},{"path":"$HOME/Documents/**"},{"path":"$HOME/Desktop/**"},{"path":"$APPDATA/**"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/Downloads/**"},{"path":"$HOME/Documents/**"},{"path":"$HOME/Desktop/**"},{"path":"$HOME/Pictures/**"},{"path":"$APPDATA/**"},{"path":"$TEMP/**"}]}]}}
@@ -12,3 +12,4 @@ tokio = { version = "1", features = ["full"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 tower-http = { version = "0.6", features = ["cors", "limit", "set-header"] }
 tower = "0.5"
@@ -174,7 +174,8 @@ async fn main() {
        .route("/api/qr", get(generate_qr_get).post(generate_qr_post))
        .route("/api/decode", post(decode_qr))
        // 安全层
-        .layer(RequestBodyLimitLayer::new(10 * 1024 * 1024)) // 10 MB
+        .layer(RequestBodyLimitLayer::new(10 * 1024 * 1024)) // 10 MB 请求体限制
        // CORS: 公开 API，允许任意来源调用（无 cookie/session，CSRF 不适用）
        .layer(CorsLayer::permissive())
        .layer(SetResponseHeaderLayer::if_not_present(
            header::X_CONTENT_TYPE_OPTIONS,
@@ -187,7 +188,15 @@ async fn main() {
        .layer(SetResponseHeaderLayer::if_not_present(
            header::REFERRER_POLICY,
            header::HeaderValue::from_static("strict-origin-when-cross-origin"),
-        ));
+        ))
        .layer(SetResponseHeaderLayer::if_not_present(
            header::CONTENT_SECURITY_POLICY,
            header::HeaderValue::from_static(
                "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'; img-src 'self' data: blob:",
            ),
        ))
        // 并发限制: 最多 10 个同时编码/解码请求，防止 CPU 耗尽
        .layer(tower::limit::ConcurrencyLimitLayer::new(10));
    let addr = "0.0.0.0:3000";
    println!("QRGen Web → http://{}", addr);
		`@@ -1 +1 @@`
			`{"default":{"identifier":"default","description":"QRGen 默认权限","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/"},{"path":"$TEMP/**"}]}]}}`				{"default":{"identifier":"default","description":"QRGen 默认权限 — 最小权限原则","local":true,"windows":["main"],"permissions":["core:default","store:default","dialog:default","clipboard-manager:default",{"identifier":"fs:allow-write-file","allow":[{"path":"$HOME/Downloads/"},{"path":"$HOME/Documents/"},{"path":"$HOME/Desktop/"},{"path":"$APPDATA/"}]},{"identifier":"fs:allow-read-file","allow":[{"path":"$HOME/Downloads/"},{"path":"$HOME/Documents/"},{"path":"$HOME/Desktop/"},{"path":"$HOME/Pictures/"},{"path":"$APPDATA/"},{"path":"$TEMP/"}]}]}}