lolly

xfy/lolly

Author	SHA1	Message	Date
xfy	179090fa34	fix(security): 修复 2 个 CRITICAL + 6 个 HIGH 安全与代码质量问题安全修复: - ConnLimiter Acquire() TOCTOU 竞态: atomic.AddInt64 替代 loadInt64+addInt64 - Cache Purge token 时序侧信道: 改用 subtle.ConstantTimeCompare - Lua Cosocket SSRF: 新增 ip_guard 两层 IP 检查（字面量+解析后），拒绝私有/回环地址 - X-Accel-Redirect 路径遍历: urlpath.Clean + 前缀拒绝（/internal/ /admin/） - CRLF 注入: containsCRLF 校验变量展开后的 header 值，logging.Warn 可观测 - Proxy URI 注入: bytes.ContainsAny 检查 path 中的 @\r\n 危险字符代码质量: - disk_cache.go Set() 7 处静默 return 改为 logging.Error 日志记录 - config.go 从 2392 行拆分为 9 个按域文件（config/server/proxy/security/ssl/cache/performance/monitoring/variable）验证: go build + vet + golangci-lint(0 issues) + test(83.2% 无回归) + race detector 全部通过 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>	2026-04-28 10:13:47 +08:00
xfy	8ed800271d	test: 迁移基准测试循环到 Go 1.24 b.Loop() API - 所有 *_bench_test.go 文件从 for i := 0; i < b.N; i++ 改为 for b.Loop() - 部分测试文件从 for i := 0; i < N; ... 改为 for range N 或 for i := range N - 涵盖模块: cache, handler, http2, http3, loadbalance, logging, lua, middleware/accesslog, middleware/bodylimit, middleware/rewrite, middleware/security, netutil, resolver, server, ssl, stream Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-16 13:50:15 +08:00
xfy	1bf9e7ad5d	fix(test,security): 改进测试稳定性和认证安全性 - socket_test.go: 降低压力测试参数避免超时，改进连接状态等待逻辑 - auth.go: 使用 subtle.ConstantTimeCompare 替代手动循环比较 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-13 16:20:01 +08:00
xfy	8bac2fdcfa	feat(lua): 实现 Cosocket API 和响应拦截器 - ngx.req API 双层边界验证原型 - TCP Cosocket API (connect/send/receive/close) - Cosocket 状态管理器和连接池 - ResponseInterceptor 响应拦截器 - 完整单元测试覆盖 Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>	2026-04-10 18:30:28 +08:00

4 Commits