xfy
179090fa34
安全修复: - ConnLimiter Acquire() TOCTOU 竞态: atomic.AddInt64 替代 loadInt64+addInt64 - Cache Purge token 时序侧信道: 改用 subtle.ConstantTimeCompare - Lua Cosocket SSRF: 新增 ip_guard 两层 IP 检查(字面量+解析后),拒绝私有/回环地址 - X-Accel-Redirect 路径遍历: urlpath.Clean + 前缀拒绝(/internal/ /admin/) - CRLF 注入: containsCRLF 校验变量展开后的 header 值,logging.Warn 可观测 - Proxy URI 注入: bytes.ContainsAny 检查 path 中的 @\r\n 危险字符 代码质量: - disk_cache.go Set() 7 处静默 return 改为 logging.Error 日志记录 - config.go 从 2392 行拆分为 9 个按域文件(config/server/proxy/security/ssl/cache/performance/monitoring/variable) 验证: go build + vet + golangci-lint(0 issues) + test(83.2% 无回归) + race detector 全部通过 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
29 lines
616 B
Go
29 lines
616 B
Go
package proxy
|
|
|
|
import "testing"
|
|
|
|
func TestContainsCRLF(t *testing.T) {
|
|
tests := []struct {
|
|
name string
|
|
input string
|
|
expected bool
|
|
}{
|
|
{"empty", "", false},
|
|
{"normal", "normal value", false},
|
|
{"CRLF", "with\r\nCRLF", true},
|
|
{"LF only", "with\nLF", true},
|
|
{"CR only", "with\rCR", true},
|
|
{"https url", "https://example.com", false},
|
|
{"tab", "with\ttab", false},
|
|
}
|
|
|
|
for _, tt := range tests {
|
|
t.Run(tt.name, func(t *testing.T) {
|
|
result := containsCRLF(tt.input)
|
|
if result != tt.expected {
|
|
t.Errorf("containsCRLF(%q) = %v, want %v", tt.input, result, tt.expected)
|
|
}
|
|
})
|
|
}
|
|
}
|