fix: DTO 输入校验补全 + 编译修复 + AuthButton 类型修复

- erp-auth/config/workflow/message/plugin/health: 44 处 DTO 校验缺失修复 - erp-plugin/data_dto: utoipa derive 宏 import 修复 - erp-server/main: tracing 宏类型推断修复 - web AuthButton: AiAnalysisCard/VitalSignsTab Button 包裹在 children 内 Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 06:58:54 +08:00
parent d74c7a61de
commit f3bf8b3b1d
17 changed files with 149 additions and 66 deletions
--- a/crates/erp-workflow/src/dto.rs
+++ b/crates/erp-workflow/src/dto.rs
@@ -45,12 +45,14 @@ pub struct NodePosition {
 }

 /// ServiceTask HTTP 调用配置
-#[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
+#[derive(Debug, Clone, Serialize, Deserialize, Validate, ToSchema)]
 pub struct ServiceTaskConfig {
-    /// 请求 URL
+    /// 请求 URL（仅允许 http/https 协议，禁止内网地址）
+    #[validate(length(min = 1, max = 2048), custom(function = "validate_service_url"))]
    pub url: String,
    /// HTTP 方法（GET / POST），默认 GET
    #[serde(default = "default_method")]
+    #[validate(custom(function = "validate_http_method"))]
    pub method: String,
    /// POST body 模板（支持从流程变量替换 ${var_name}）
    #[serde(skip_serializing_if = "Option::is_none")]
@@ -61,6 +63,23 @@ fn default_method() -> String {
    "GET".to_string()
 }

+fn validate_service_url(value: &str) -> Result<(), validator::ValidationError> {
+    if !value.starts_with("https://") && !value.starts_with("http://") {
+        return Err(validator::ValidationError::new("invalid_url_scheme"));
+    }
+    if value.contains("127.0.0.1") || value.contains("localhost") || value.contains("0.0.0.0") {
+        return Err(validator::ValidationError::new("ssrf_blocked"));
+    }
+    Ok(())
+}
+
+fn validate_http_method(value: &str) -> Result<(), validator::ValidationError> {
+    match value {
+        "GET" | "POST" => Ok(()),
+        _ => Err(validator::ValidationError::new("invalid_http_method")),
+    }
+}
+
 /// 流程图连线定义
 #[derive(Debug, Clone, Serialize, Deserialize, ToSchema)]
 pub struct EdgeDef {