jingrowlocal/jingrow-framework
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

修复函数未通过白名单注册也能被访问的问题

Browse Source
This commit is contained in:
jingrow 2025-10-29 23:25:01 +08:00
parent 2dcad515c0
commit 06b1b443ca
1 changed files with 16 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

28
apps/jingrow/jingrow/services/whitelist.py
View File

@ -72,27 +72,31 @@ async def _process_whitelist_call(request: Request, full_module_path: str):
# 确保 apps 目录在 sys.path 中(支持跨 app 导入) # 确保 apps 目录在 sys.path 中(支持跨 app 导入)
ensure_apps_on_sys_path() ensure_apps_on_sys_path()
# 解析路径并导入 # 解析路径并导入模块
modulename = ".".join(full_module_path.split('.')[:-1]) modulename = ".".join(full_module_path.split('.')[:-1])
methodname = full_module_path.split('.')[-1] methodname = full_module_path.split('.')[-1]
module = import_module(modulename) module = import_module(modulename)
func = getattr(module, methodname) func = getattr(module, methodname)
# 检查白名单(装饰器注册时使用 func.__module__ # 检查白名单(使用实际导入后的模块名,因为装饰器注册时使用 func.__module__
actual_whitelist_path = f"{module.__name__}.{methodname}" actual_whitelist_path = f"{module.__name__}.{methodname}"
whitelist_info = get_whitelisted_function(actual_whitelist_path) whitelist_info = get_whitelisted_function(actual_whitelist_path)
if whitelist_info: # 如果函数不在白名单中返回404就像路由不存在一样
# 检查 HTTP 方法 if not whitelist_info:
if request.method not in whitelist_info['methods']: logger.debug(f"函数未在白名单中返回404: {actual_whitelist_path}")
raise HTTPException(status_code=405, detail=f"Method {request.method} not allowed") raise HTTPException(status_code=404, detail="Not Found")
# 检查权限
if not whitelist_info['allow_guest']:
if not await authenticate_request(request, whitelist_info['allow_guest']):
raise HTTPException(status_code=401, detail="Authentication required")
# 调用函数 # 检查 HTTP 方法
if request.method not in whitelist_info['methods']:
raise HTTPException(status_code=405, detail=f"Method {request.method} not allowed")
# 检查权限
if not whitelist_info['allow_guest']:
if not await authenticate_request(request, whitelist_info['allow_guest']):
raise HTTPException(status_code=401, detail="Authentication required")
# 调用函数(只有通过白名单验证的函数才能执行到这里)
request_data = await _get_request_data(request) request_data = await _get_request_data(request)
result = func(**request_data) result = func(**request_data)