Security hardening, new features, bug fixes and code quality improvements #187
Merged
Summary: this PR contains security hardening, new features, bug fixes, Docker optimizations and code quality improvements, touching 79 files in total.

Security vulnerability fixes and dependency upgrades
- Upgrade Vert.x 4.5.24 → 4.5.27, postgresql 42.7.3 → 42.7.11, logback 1.5.18 → 1.5.32, axios 1.13.5 → 1.16.1
- Fix timing-attack vulnerabilities in JWT signature verification and password comparison (MessageDigest.isEqual)
- Fix AESUtils using insecure Random; switch to SecureRandom
- Fix login user enumeration and exception information leakage; unify error messages
- Fix non-atomic count++ in RateLimiter (AtomicInteger)
- Fix missing volatile in the JsParserExecutor DCL pattern
- Fix token leakage in logs; print only the first 8 characters
- Fix Playground password timing attack and stack trace leakage
- Add noopener,noreferrer to all window.open calls
- LocalConstant switched to ConcurrentHashMap for thread safety
- Dockerfile runs as a non-root user; secret.yml added to .gitignore

New features
- QQscTool: support multi-file and directory parsing, with recursive directory navigation via the GetFileList API
- Home: automatically extract share links from pasted text
- DirectoryTree: add a copy-direct-link button to directory browsing
- domainName is now optional; when unset it is inferred from the request address
- Unified version number management; the GitHub URL is derived from git remote origin at build time
- vue.config.js adds the frontend build configuration; sync-version.js syncs the version number at build time

Bug fixes
- Fix 12 NPE risks: FjTool/FsTool/IzTool/LzTool/MkwTool/P115Tool/PdbTool/QQTool/ParserCreate/CommonUtils/ShareLinkInfo/URLParamUtil
- Fix 4 Vert.x resource leaks: Vertx instances not closed in test classes
- Fix CacheManager re-entrancy guard and the readiness check in registerPeriodicCleanup
- Fix Promises never completed in ParserApi redirectUrl()/viewUrl()
- Fix CacheManager.updateTotalByField Promise that never completes
- Fix AppMain ShutdownHook registration so Vert.x is closed before JDBCPoolInit
- Fix RouterHandlerFactory failureHandler to again return the failure message
- Narrow the caught exception types in ParserCreate/LzTool
- Fix concurrency safety in IzTool/FjTool/IzToolWithAuth (volatile + header copies)
- Fix NPE in P115Tool when UA is null; add a default User-Agent
- Switch the Font Awesome CDN to s4.zstatic.net to avoid the bootcdn poisoning risk
- DirectoryTree selectAll now checks parserUrl; Home component renamed App→Home

Docker optimizations
- run.sh now uses exec to run Java directly, fixing the ShutdownHook not firing in Docker
- Dockerfile pre-creates the db and logs directories and runs as a non-root user
- Docker entrypoint starts as root and then drops privileges, solving volume permission problems
- EXPOSE reduced to 6401 only; entrypoint adds -Duser.timezone

Code quality
- Replace System.out.println/printStackTrace with Logger: MkgsTool, PodTool, WsTool, IpExtractor, ReqIpUtil, LogStatistics
- JsPlaygroundLogger caps the log list at 1000 entries to prevent memory leaks
- JsScriptLoader uses try-with-resources for JarFile to prevent file handle leaks
- DbServiceImpl replaces Thread.sleep with vertx.setTimer to avoid blocking the event loop
- Remove the unused api.js and the empty ParserApiClientLinkTest
- Remove unused frontend imports and dead code (downloaderService, monacoTypes)
- Extract previewBaseUrl into the constants.js constants file
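The constant-time comparison fix listed under the security items above, as an added example that is not part of this PR or of netdisk-fast-download's own JwtUtil/PasswordUtil: a minimal HS256 verifier with the early-exit string comparison next to the MessageDigest.isEqual form, key generation from SecureRandom rather than java.util.Random, and the first-8-characters token redaction the PR uses for logs. The class and helper names (ConstantTimeJwtCheck, hmacSha256, redact) are assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

/** Added example (hypothetical names): constant-time HS256 signature check plus log-safe token rendering. */
public final class ConstantTimeJwtCheck {

    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private static final Base64.Decoder B64D = Base64.getUrlDecoder();

    /** HMAC-SHA256 over the "header.payload" signing input. */
    static byte[] hmacSha256(byte[] key, String signingInput) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return mac.doFinal(signingInput.getBytes(StandardCharsets.US_ASCII));
    }

    static String sign(byte[] key, String headerJson, String payloadJson) throws Exception {
        String input = B64.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8)) + "."
                + B64.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        return input + "." + B64.encodeToString(hmacSha256(key, input));
    }

    /** BEFORE: String.equals stops at the first mismatching character, so the run time leaks the matching prefix. */
    static boolean verifyLeaky(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        String expected = B64.encodeToString(hmacSha256(key, parts[0] + "." + parts[1]));
        return expected.equals(parts[2]);
    }

    /** AFTER: MessageDigest.isEqual visits every byte regardless of where the first difference is. */
    static boolean verifyConstantTime(byte[] key, String token) throws Exception {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        byte[] expected = hmacSha256(key, parts[0] + "." + parts[1]);
        byte[] given;
        try {
            given = B64D.decode(parts[2]);
        } catch (IllegalArgumentException malformed) {
            return false;                // not base64url: reject without echoing the exception to the caller
        }
        // isEqual returns early only on a length mismatch; an HS256 tag is always 32 bytes,
        // so the length reveals nothing an attacker does not already know.
        return MessageDigest.isEqual(expected, given);
    }

    /** Log-safe rendering: first 8 characters only, the same rule this PR applies to token logging. */
    static String redact(String token) {
        if (token == null) return "null";
        return token.length() <= 8 ? "****" : token.substring(0, 8) + "...";
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);   // key material must come from SecureRandom, never java.util.Random
        String token = sign(key, "{\"alg\":\"HS256\",\"typ\":\"JWT\"}", "{\"sub\":\"admin\"}");

        // Flip the first character of the signature so the decoded tag differs in its first byte.
        int sigStart = token.lastIndexOf('.') + 1;
        char first = token.charAt(sigStart);
        String tampered = token.substring(0, sigStart) + (first == 'A' ? 'B' : 'A') + token.substring(sigStart + 1);

        System.out.println("leaky    valid/tampered -> " + verifyLeaky(key, token) + "/" + verifyLeaky(key, tampered));
        System.out.println("constant valid/tampered -> " + verifyConstantTime(key, token) + "/" + verifyConstantTime(key, tampered));
        System.out.println("token logged as " + redact(token));
    }
}
```

The same MessageDigest.isEqual call is the right tool for the password-hash comparison in PasswordUtil and the Playground login: compare the two byte arrays, not the hex or base64 strings, and keep the unified "invalid credentials" message on every failure path so the response body does not reintroduce the user-enumeration channel the timing fix closes.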
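The three concurrency fixes above (count++ in RateLimiter, the missing volatile in the JsParserExecutor DCL, and the re-entrancy guard in CacheManager) share one root cause: a read-modify-write on shared state that is not atomic. The following is an added example, not code from this PR or from the project, that puts each broken pattern beside its fix and hammers them from several threads so the lost updates show up in the output. Class, method and field names (AtomicityDemo, RateLimiter, registerOnce, executor) and the client IP 203.0.113.7 are constructed for the demonstration.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;
import java.util.concurrent.atomic.AtomicInteger;

/** Added example (hypothetical names): non-atomic patterns from the PR next to their atomic replacements. */
public final class AtomicityDemo {

    // (1) count++ on a plain int is three operations (read, add, write); concurrent callers lose increments.
    static final class LeakyCounter { int count; void hit() { count++; } }

    /** Fixed-window limiter keyed by client IP; a hypothetical shape, not the project's RateLimiter. */
    static final class RateLimiter {
        private final Map<String, AtomicInteger> counts = new ConcurrentHashMap<>();
        private final int limit;
        RateLimiter(int limit) { this.limit = limit; }
        boolean allow(String ip) {
            // computeIfAbsent + incrementAndGet leaves no window in which two threads see the same old value
            return counts.computeIfAbsent(ip, k -> new AtomicInteger()).incrementAndGet() <= limit;
        }
        int count(String ip) { AtomicInteger c = counts.get(ip); return c == null ? 0 : c.get(); }
    }

    // (2) A volatile boolean is visible to every thread, but check-then-set on it is still a race.
    static volatile boolean registeredVolatile = false;
    static final AtomicInteger volatileRegistrations = new AtomicInteger();
    static void registerWithVolatile() {
        if (!registeredVolatile) {                 // two threads can both observe false here
            registeredVolatile = true;
            volatileRegistrations.incrementAndGet();
        }
    }
    static final AtomicBoolean registered = new AtomicBoolean(false);
    static final AtomicInteger casRegistrations = new AtomicInteger();
    static void registerOnce() {
        if (registered.compareAndSet(false, true)) {   // exactly one caller wins the transition
            casRegistrations.incrementAndGet();
        }
    }

    // (3) Double-checked locking: without volatile a reader may see the reference before the object is fully built.
    private static volatile Object executor;
    static Object executor() {
        Object e = executor;
        if (e == null) {
            synchronized (AtomicityDemo.class) {
                e = executor;
                if (e == null) executor = e = new Object();   // stand-in for the real shared executor
            }
        }
        return e;
    }

    /** Runs r `iterations` times on each of `threads` threads, released simultaneously. */
    static void hammer(int threads, int iterations, Runnable r) throws InterruptedException {
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        CountDownLatch start = new CountDownLatch(1);
        for (int t = 0; t < threads; t++) {
            pool.submit(() -> { start.await(); for (int i = 0; i < iterations; i++) r.run(); return null; });
        }
        start.countDown();
        pool.shutdown();
        pool.awaitTermination(1, TimeUnit.MINUTES);
    }

    public static void main(String[] args) throws InterruptedException {
        LeakyCounter leaky = new LeakyCounter();
        RateLimiter limiter = new RateLimiter(1_000_000);
        hammer(8, 100_000, () -> { leaky.hit(); limiter.allow("203.0.113.7"); });   // constructed sample IP
        System.out.println("int count++   : " + leaky.count + " (expected 800000, usually less)");
        System.out.println("AtomicInteger : " + limiter.count("203.0.113.7") + " (always 800000)");

        hammer(8, 1, AtomicityDemo::registerWithVolatile);
        hammer(8, 1, AtomicityDemo::registerOnce);
        System.out.println("volatile guard ran " + volatileRegistrations.get()
                + " time(s) (can exceed 1); CAS guard ran " + casRegistrations.get() + " time(s)");
        System.out.println("DCL executor identity stable: " + (executor() == executor()));
    }
}
```

The volatile guard race is rare with eight threads and one iteration, so run it a few times or widen the window with a short sleep between the check and the store; the AtomicInteger and compareAndSet forms hold under any schedule, which is why a guard that protects a one-time registration should be an AtomicBoolean rather than a volatile boolean.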
Pull request overview
This PR broadly hardens the netdisk-fast-download service across Java backend, parser modules, frontend UX, and Docker runtime while adding QQ 闪传 directory support and dynamic link generation when domainName is not configured.
Changes:
- Upgrades dependencies and improves security around password/JWT comparison, logging, random generation, token exposure, and browser `window.open` usage.
- Adds request-origin-based link generation, QQ 闪传 multi-file/directory parsing, frontend link extraction/copy UX, and version/repository metadata injection.
- Improves runtime/resource handling in Docker, Vert.x/config startup paths, cache cleanup, JS parser logging, and tests.
Reviewed changes
Copilot reviewed 77 out of 79 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| .gitignore | Ignores secret.yml. |
| Dockerfile | Adds app user setup, entrypoint, directory creation, and exposes only 6401. |
| README.md | Updates badges and release download version. |
| bin/run.sh | Runs Java via exec for signal handling. |
| core-database/pom.xml | Upgrades PostgreSQL JDBC driver. |
| core-database/src/main/java/cn/qaiu/db/ddl/CreateDatabase.java | Replaces stack trace printing with logging. |
| core-database/src/main/java/cn/qaiu/db/ddl/CreateTable.java | Makes SQL type mappings immutable and constants final. |
| core/src/main/java/cn/qaiu/vx/core/Deploy.java | Adds fallback loading from resources/. |
| core/src/main/java/cn/qaiu/vx/core/handlerfactory/RouterHandlerFactory.java | Updates route error logging and 404 handling. |
| core/src/main/java/cn/qaiu/vx/core/util/CommonUtil.java | Replaces stack trace printing with logging. |
| core/src/main/java/cn/qaiu/vx/core/util/ConfigUtil.java | Adds resources/ fallback config loading. |
| core/src/main/java/cn/qaiu/vx/core/util/LocalConstant.java | Uses ConcurrentHashMap and putIfAbsent. |
| core/src/main/java/cn/qaiu/vx/core/util/ReflectionUtil.java | Replaces stack trace printing with structured logging. |
| core/src/main/java/cn/qaiu/vx/core/verticle/HttpProxyVerticle.java | Improves proxy error logging. |
| core/src/main/java/cn/qaiu/vx/core/verticle/RouterVerticle.java | Defers router creation to verticle startup. |
| docker-entrypoint.sh | Adds volume permission fixup and Java entrypoint execution. |
| parser/README.md | Updates parser module version docs. |
| parser/doc/CUSTOM_PARSER_GUIDE.md | Updates parser dependency version. |
| parser/doc/CUSTOM_PARSER_QUICKSTART.md | Updates parser dependency version. |
| parser/pom.xml | Inherits parser version and derives SCM metadata from git remote. |
| parser/src/main/java/cn/qaiu/entity/ShareLinkInfo.java | Avoids NPE when building p115 cache keys without UA. |
| parser/src/main/java/cn/qaiu/parser/ParserCreate.java | Narrows ignored exception types while normalizing links. |
| parser/src/main/java/cn/qaiu/parser/customjs/JsHttpClient.java | Replaces stack trace printing with logging. |
| parser/src/main/java/cn/qaiu/parser/customjs/JsParserExecutor.java | Marks shared executor volatile. |
| parser/src/main/java/cn/qaiu/parser/customjs/JsPlaygroundExecutor.java | Replaces console output with debug logging. |
| parser/src/main/java/cn/qaiu/parser/customjs/JsPlaygroundLogger.java | Caps collected logs and uses SLF4J logging. |
| parser/src/main/java/cn/qaiu/parser/customjs/JsScriptLoader.java | Uses try-with-resources for JarFile. |
| parser/src/main/java/cn/qaiu/parser/impl/FjTool.java | Improves token/header concurrency and null handling. |
| parser/src/main/java/cn/qaiu/parser/impl/FsTool.java | Adds missing paramJson validation and narrows decode exceptions. |
| parser/src/main/java/cn/qaiu/parser/impl/IzTool.java | Improves token visibility/logging and UUID null handling. |
| parser/src/main/java/cn/qaiu/parser/impl/IzToolWithAuth.java | Mirrors Iz token/logging and UUID null-safety changes. |
| parser/src/main/java/cn/qaiu/parser/impl/LzTool.java | Improves logging, exception narrowing, and method naming. |
| parser/src/main/java/cn/qaiu/parser/impl/MkgsTool.java | Replaces console output with debug logging. |
| parser/src/main/java/cn/qaiu/parser/impl/MkwTool.java | Adds cookie null check and structured logging. |
| parser/src/main/java/cn/qaiu/parser/impl/P115Tool.java | Adds default UA fallback. |
| parser/src/main/java/cn/qaiu/parser/impl/PdbTool.java | Replaces stack trace printing with logging. |
| parser/src/main/java/cn/qaiu/parser/impl/PodTool.java | Reduces token exposure and console logging. |
| parser/src/main/java/cn/qaiu/parser/impl/QQTool.java | Replaces console output with debug logging. |
| parser/src/main/java/cn/qaiu/parser/impl/QQscTool.java | Reworks QQ 闪传 parsing for file lists and direct links. |
| parser/src/main/java/cn/qaiu/parser/impl/WsTool.java | Replaces debug console output with logging. |
| parser/src/main/java/cn/qaiu/util/AESUtils.java | Uses SecureRandom for random string generation. |
| parser/src/main/java/cn/qaiu/util/CommonUtils.java | Handles URLs with empty query strings. |
| parser/src/main/java/cn/qaiu/util/IpExtractor.java | Replaces console output with logging. |
| parser/src/main/java/cn/qaiu/util/ReqIpUtil.java | Makes constants final and uses logging. |
| parser/src/main/java/cn/qaiu/util/URLUtil.java | Replaces stack trace printing with logging. |
| parser/src/test/java/cn/qaiu/parser/BaiduPhotoParserTest.java | Adds Vert.x setup/teardown lifecycle hooks. |
| parser/src/test/java/cn/qaiu/parser/JsParserTest.java | Adds Vert.x setup/teardown lifecycle hooks. |
| parser/src/test/java/cn/qaiu/parser/customjs/JsFetchBridgeTest.java | Adds Vert.x setup/teardown lifecycle hooks. |
| pom.xml | Upgrades Vert.x/logback and centralizes parser version. |
| web-front/package.json | Adds version sync to build and upgrades axios. |
| web-front/public/index.html | Changes Font Awesome CDN. |
| web-front/scripts/sync-version.js | Adds package version sync from root Maven revision. |
| web-front/src/components/DarkMode.vue | Removes console logging. |
| web-front/src/components/DirectoryTree.vue | Adds direct-link copy action and improves directory errors. |
| web-front/src/utils/api.js | Removes unused axios wrapper. |
| web-front/src/utils/constants.js | Adds shared preview URL constant. |
| web-front/src/utils/downloaderService.js | Removes Thunder debug logging. |
| web-front/src/utils/monacoTypes.js | Removes cache/debug console logging. |
| web-front/src/views/ClientLinks.vue | Removes dead client-download helpers and hardens window.open. |
| web-front/src/views/Home.vue | Adds dynamic repo/version display, paste link extraction, and cleanup. |
| web-front/src/views/Playground.vue | Uses injected repo URL, cleans logging, and disconnects observer. |
| web-front/src/views/ShowFile.vue | Uses shared preview constant and backend error messages. |
| web-front/src/views/ShowList.vue | Displays backend directory parse errors. |
| web-front/vue.config.js | Injects project version and GitHub repo URL at build time. |
| web-service/src/main/java/cn/qaiu/lz/AppMain.java | Adds shutdown hook and fallback startup address. |
| web-service/src/main/java/cn/qaiu/lz/common/cache/CacheManager.java | Improves cache logging, failure propagation, and cleanup registration. |
| web-service/src/main/java/cn/qaiu/lz/common/interceptorImpl/LogStatistics.java | Replaces stack trace printing with logging. |
| web-service/src/main/java/cn/qaiu/lz/common/interceptorImpl/RateLimiter.java | Uses AtomicInteger for request counts. |
| web-service/src/main/java/cn/qaiu/lz/common/util/JwtUtil.java | Uses constant-time JWT signature comparison. |
| web-service/src/main/java/cn/qaiu/lz/common/util/PasswordUtil.java | Uses constant-time password hash comparison. |
| web-service/src/main/java/cn/qaiu/lz/common/util/URLParamUtil.java | Falls back to request origin when domainName is blank. |
| web-service/src/main/java/cn/qaiu/lz/web/controller/ParserApi.java | Propagates request origin and fixes redirect/view futures. |
| web-service/src/main/java/cn/qaiu/lz/web/controller/PlaygroundApi.java | Hardens login comparison and removes stack traces from responses. |
| web-service/src/main/java/cn/qaiu/lz/web/controller/ServerApi.java | Adds request-origin propagation for short API paths. |
| web-service/src/main/java/cn/qaiu/lz/web/service/impl/CacheServiceImpl.java | Replaces stack trace callbacks with structured logging. |
| web-service/src/main/java/cn/qaiu/lz/web/service/impl/DbServiceImpl.java | Replaces blocking sleep with Vert.x timer. |
| web-service/src/main/java/cn/qaiu/lz/web/service/impl/UserServiceImpl.java | Normalizes auth/login failure messages. |
| web-service/src/main/resources/app-dev.yml | Makes domainName optional in dev config. |
| web-service/src/test/java/cn/qaiu/lz/web/controller/ParserApiClientLinkTest.java | Removes empty test placeholder. |
| # Run Java directly - entrypoint is PID 1, exec makes Java PID 1 | ||
| # Docker SIGTERM goes directly to Java, triggering ShutdownHook | ||
| exec java -Xmx${JVM_XMX:-512M} ${JVM_OPTS} -Duser.timezone=${TZ:-Asia/Shanghai} -jar /app/netdisk-fast-download.jar |
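Review bot: the first comment line assumes the shell running run.sh is PID 1, which only holds if docker-entrypoint.sh hands control to this script with exec as well. The PR description says the entrypoint starts as root and then drops privileges; a drop through `su -c` leaves an intermediate parent that receives the SIGTERM instead of Java, whereas an exec-style handoff (`exec gosu`, `exec su-exec`) keeps the PID. State in the comment which mechanism the entrypoint uses, since the ShutdownHook fix depends on it. Leaving `${JVM_OPTS}` unquoted is correct here because word splitting is the intent.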
| .put("sort_order", 0))))) | ||
| .put("support_folder_status", true); | ||
| MultiMap headers = GET_FILE_LIST_HEADERS.set("Referer", shareLinkInfo.getShareUrl()); |
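Review bot: `MultiMap.set` mutates the receiver and returns it, so if GET_FILE_LIST_HEADERS is a shared static map (its constant-style name says so) every call rewrites the Referer of the single shared instance, and two concurrent parses can send each other's share URL upstream. Build a per-request copy instead, e.g. `MultiMap headers = MultiMap.caseInsensitiveMultiMap().addAll(GET_FILE_LIST_HEADERS).set("Referer", shareLinkInfo.getShareUrl());`, which is the same header-copy fix this PR applies to IzTool and FjTool.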
| */ | ||
| private static volatile boolean cleanupRegistered = false; | ||
| public static void registerPeriodicCleanup() { |
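Review bot: making `cleanupRegistered` volatile gives cross-thread visibility but does not make the check in `registerPeriodicCleanup()` atomic: two callers can both read false and both register the periodic cleanup, which is the double registration the flag exists to prevent. Use `private static final AtomicBoolean cleanupRegistered = new AtomicBoolean();` with `if (!cleanupRegistered.compareAndSet(false, true)) return;` at the top of the method, or mark the method `synchronized`.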
Comment on lines +39 to +40
| // 先注册 ShutdownHook(JVM 逆序执行,先注册的后执行) | ||
| // 确保关闭顺序:Vert.x -> JDBCPoolInit -> JsParserExecutor |
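Review bot: the comment on line +39 is wrong about the JVM. Runtime.addShutdownHook gives no ordering guarantee: the Javadoc states that hooks are started concurrently and run in an unspecified order, so registering them in reverse does not produce Vert.x -> JDBCPoolInit -> JsParserExecutor. If the order matters, register one hook that closes the three in sequence (waiting on the Vert.x close future before closing the pool), or have each hook join the previous one. Fix the comment either way so it does not mislead the next reader.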